XACML is an XML-based specification for expressing fine-grained access-control
policies over XML documents or any other electronic resource.
At configuration time, XACML expresses and communicates the rules and policies
that an access-control mechanism uses to derive an access decision for a set of
subjects and attributes. By comparison, at run time SAML formulates assertions
about subjects, their attributes, and their access rights. For digital rights
management or workflow processing use cases, an application or medium can
transmit XACML rules together with the content to which access is being regulated.
Where this is needed, mechanisms outside XACML must be used to protect the
integrity of the access rules and the confidentiality of the content.
The XACML specification defines how to encode rules, how to bundle rules into
policies, and which selection and combination algorithms to apply when several
rules or policies are applicable to the same request.
Access control lists in XACML are 4-tuples—subject, target object, permitted
action, provision. The subject can be expressed as user IDs, groups, or role
names. The target object allows granularity down to a single XML document
element. The permitted action is one of four primitives: read, write, create, or
delete. This fixed set is a major limitation of XACML, because it cannot express
domain-specific permission types. A provision is an action that must be executed
when a rule fires, for deny rules as well as grant rules. Such actions may
include initiating a log-in, requesting additional credentials, and sending an
alert. The XACML specification defines a language for formulating such provisions.
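The rule, policy and combining-algorithm model described above, worked through as an added example that is not part of the original article: a small Python policy decision point over a simplified, invented XML vocabulary that mirrors the 4-tuple (subject, target object, permitted action, provision). The element names, the shortened combining-algorithm names, the sample policy and the subject attributes are all constructed for illustration and are not the OASIS XACML schema.

```python
# Toy XACML-style policy decision point. Added example: the XML vocabulary
# is a simplified, invented schema mirroring the page's 4-tuple, NOT the
# OASIS XACML schema, and combining-algorithm names are shortened.
import dataclasses
import xml.etree.ElementTree as ET

# The four action primitives the text describes; anything else is rejected.
ACTIONS = ("read", "write", "create", "delete")

# Constructed sample policy (not from the original page).
POLICY_XML = """\
<Policy id="patient-records" combining="deny-overrides">
  <Rule id="doctors-read" effect="Permit">
    <Subject role="doctor"/>
    <Target resource="/patient/record"/>
    <Action>read</Action>
    <Provision on="Permit">log</Provision>
  </Rule>
  <Rule id="ssn-is-hidden" effect="Deny">
    <Subject role="doctor"/>
    <Target resource="/patient/record/ssn"/>
    <Action>read</Action>
    <Provision on="Deny">alert</Provision>
  </Rule>
  <Rule id="admins-write" effect="Permit">
    <Subject group="admins"/>
    <Target resource="/patient/record"/>
    <Action>write</Action>
    <Provision on="Permit">request-additional-credentials</Provision>
  </Rule>
</Policy>
"""


@dataclasses.dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str          # "Permit" or "Deny"
    subject: dict        # required subject attributes (user ID, group, role, ...)
    target: str          # element path; a rule covers the element and its children
    action: str          # one of ACTIONS
    provisions: tuple    # (effect it fires on, provision name) pairs


@dataclasses.dataclass(frozen=True)
class Policy:
    policy_id: str
    combining: str       # deny-overrides | permit-overrides | first-applicable
    rules: tuple


def load_policy(xml_text):
    """Parse the toy policy document into Rule 4-tuples bundled in a Policy."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.findall("Rule"):
        action = r.findtext("Action", "").strip()
        if action not in ACTIONS:
            raise ValueError(f"rule {r.get('id')}: action {action!r} is not one of {ACTIONS}")
        provisions = tuple((p.get("on"), p.text.strip()) for p in r.findall("Provision"))
        rules.append(Rule(r.get("id"), r.get("effect"), dict(r.find("Subject").attrib),
                          r.find("Target").get("resource"), action, provisions))
    return Policy(root.get("id"), root.get("combining"), tuple(rules))


def with_combining(policy, algorithm):
    """Same rules, different combining algorithm, to compare their outcomes."""
    return dataclasses.replace(policy, combining=algorithm)


def rule_applies(rule, subject, resource, action):
    """A rule fires when the action, every required subject attribute and the target match.
    Target matching is hierarchical: /patient/record also covers /patient/record/name."""
    if action != rule.action:
        return False
    if any(subject.get(k) != v for k, v in rule.subject.items()):
        return False
    return resource == rule.target or resource.startswith(rule.target + "/")


def decide(policy, subject, resource, action):
    """Return (decision, provisions) for one request. Provisions come only from
    rules whose effect equals the final decision, so a Permit rule's 'log'
    provision is dropped when a Deny wins."""
    if action not in ACTIONS:
        raise ValueError(f"action {action!r} is not one of {ACTIONS}")
    applicable = [r for r in policy.rules if rule_applies(r, subject, resource, action)]
    effects = {r.effect for r in applicable}
    if policy.combining == "deny-overrides":
        decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    elif policy.combining == "permit-overrides":
        decision = "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"
    elif policy.combining == "first-applicable":
        decision = applicable[0].effect if applicable else "NotApplicable"
    else:
        raise ValueError(f"unknown combining algorithm {policy.combining!r}")
    provisions = [name for r in applicable if r.effect == decision
                  for on, name in r.provisions if on == decision]
    return decision, provisions


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    doctor = {"id": "alice", "role": "doctor", "group": "staff"}  # constructed subject
    for res in ("/patient/record/name", "/patient/record/ssn"):
        print(res, decide(policy, doctor, res, "read"))
    print("first-applicable:", decide(with_combining(policy, "first-applicable"),
                                      doctor, "/patient/record/ssn", "read"))
```

Two points the text makes are visible in the output. First, the element-level target: the same doctor is permitted to read `/patient/record/name` but denied `/patient/record/ssn`, because the broader Permit rule and the narrower Deny rule both apply and the policy's deny-overrides algorithm resolves the conflict. Second, the combining algorithm is part of the security decision, not a detail: re-running the ssn request under first-applicable lets the earlier Permit rule win, and the deny rule's alert provision is never triggered. Provisions are returned only for the rules whose effect matches the final decision, which is how a deny-side alert and a permit-side log entry can coexist in one policy without both firing on every request.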