
eXtensible Access Control Markup Language (XACML) is an OASIS standard for defining and enforcing authorization and access control policies. It provides an XML-based vocabulary for expressing rules that determine whether a subject is permitted or denied access to a specific resource.

XACML focuses on authorization rather than authentication: it assumes the subject has already been identified and decides what that subject may do. It defines how access decisions are made based on policies, rules, conditions, and attributes, together with a reference architecture in which a Policy Enforcement Point (PEP) sends a request to a Policy Decision Point (PDP), which evaluates the policies and returns the decision.

What Is XACML Used For

XACML is commonly used in enterprise and security-sensitive environments where fine-grained access control is required.

A simple example is access control within an organization. Employees from different departments often have different permissions. For instance, marketing staff may access campaign data, while HR staff can access employee records. XACML allows such rules to be defined and enforced centrally.

XACML can also attach obligations to a decision: operations the enforcing component must carry out along with the decision, such as logging the access event or triggering a notification when specific resources are accessed.

Key Features of XACML

XACML defines:

  • Rules for expressing authorization decisions
  • Conditions required to evaluate access rules
  • Ways to combine multiple rules and policies
  • Methods for evaluating rules during authorization
  • Policy and rule statements
  • Rules that apply to specific subjects

XACML Concepts and Terminology

XACML policies are built around subjects, resources, and actions. These elements describe who is requesting access, what is being accessed, and what action is being performed.

  • Subjects – users, roles, or systems requesting access
  • Resources – data, services, or objects being protected
  • Actions – operations such as read, write, or delete

XACML often works alongside standards such as Security Assertion Markup Language (SAML), whose assertions can carry the subject identity and attributes on which an access decision is based; OASIS also publishes a SAML profile of XACML for transporting XACML requests and responses inside SAML messages.

Rule Structure in XACML

XACML rules define whether access should be permitted or denied. Each rule specifies a target (the subjects, resources, and actions it applies to) and, optionally, a condition that must also be satisfied before the rule's effect is returned.

Below is an outline of a typical XACML 2.0 Rule. The Target narrows the rule to particular subjects, resources, and actions, and the Condition is a boolean expression built from XACML's standard functions rather than ad hoc operators (XACML 3.0 replaces the Subjects/Resources/Actions groupings with AnyOf/AllOf/Match elements but keeps the Apply expressions unchanged):


<Rule RuleId="xxx" Effect="xxx">
  <Target>
    <Subjects>
      ...
    </Subjects>
    <Resources>
      ...
    </Resources>
    <Actions>
      ...
    </Actions>
  </Target>
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
        <SubjectAttributeDesignator AttributeId="xxx" DataType="xxx"/>
      </Apply>
      <AttributeValue DataType="xxx">...</AttributeValue>
    </Apply>
  </Condition>
</Rule>

Understanding Rule Components

The Rule element contains child elements such as Target and Condition.

  • The Target element specifies the subjects, resources, and actions the rule applies to
  • The Subjects element defines who the rule applies to
  • The Resources element defines what is being protected
  • The Actions element defines which operations (read, write, delete) the rule covers; whether they are allowed or denied is decided by the rule's Effect, not by the Target

An attribute is identified by an identifier plus a data type (AttributeId and DataType in the published XACML schema; older draft syntax borrowed the SAML AttributeName and AttributeNamespace pair) and describes a characteristic of a subject, resource, or action, such as a department, a document type, or the requested operation.

Effect and Conditions

Each rule includes an Effect attribute that determines the authorization outcome when the rule applies. The only permitted values are Permit and Deny.

Conditions further restrict when a rule applies. A condition is a boolean expression built from XACML's standard functions (for example string-equal, integer-greater-than, or the bag and set functions) applied to attribute values taken from the request. If the condition evaluates to false the rule is NotApplicable; if it cannot be evaluated at all, for instance because a required attribute is missing or a bag holds more than one value where exactly one is expected, the result is Indeterminate rather than a grant.

Example of a Resource Definition

The following example, in XACML 2.0 syntax, shows how a rule's Target can match resources. The ResourceMatch compares the request's resource-id attribute against a regular expression, so the rule covers every document whose identifier starts with //yoursite.com/rec:


<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">//yoursite.com/rec.*</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource>
</Resources>

Combining Rules and Policies

XACML combines the results of multiple rules within a policy, and of multiple policies within a policy set, using rule-combining and policy-combining algorithms such as deny-overrides, permit-overrides, and first-applicable. The algorithm determines the final decision when rules disagree: deny-overrides, for example, returns Deny as soon as any applicable rule denies, however many others permit.

The decision handed back to the enforcement point is one of Permit, Deny, NotApplicable, or Indeterminate. The enforcement point performs the requested action only on Permit and must treat the other three outcomes as a denial; a gap in the policy or an evaluation error must never turn into access.
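
The following Python script is an added illustration, not code from the original article or from any XACML implementation, that ties the Rule structure, Conditions, and Combining Rules sections together. It embeds a constructed XACML 3.0 policy, in which the Subjects/Resources/Actions target groupings of the earlier outline are written with the 3.0 AnyOf/AllOf/Match elements, and evaluates request contexts against it with a toy decision point. The urn:example: attribute identifiers, the policy id, and the request contents are hypothetical; the element names, attribute categories, data types, and function identifiers are the standard ones. The evaluator supports only the string functions the policy uses, collapses the extended Indeterminate variants of the 3.0 deny-overrides algorithm into a single Indeterminate, and ignores obligations.

```python
# Minimal XACML 3.0 evaluator (added illustration, not a conformant PDP): parses a
# policy, evaluates request contexts and combines rule results with deny-overrides.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed policy: the urn:example: attribute ids are hypothetical; element names,
# categories, data types and function ids are the standard XACML 3.0 ones.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:policy:employee-records"
  Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="deny-terminated-staff" Effect="Deny">
    <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal">
      <AttributeValue DataType="{STRING}">terminated</AttributeValue>
      <AttributeDesignator Category="{SUBJECT}" AttributeId="urn:example:attr:status" DataType="{STRING}" MustBePresent="false"/>
    </Match></AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="permit-hr-read" Effect="Permit">
    <Target><AnyOf><AllOf><Match MatchId="{FN}string-equal">
      <AttributeValue DataType="{STRING}">hr</AttributeValue>
      <AttributeDesignator Category="{SUBJECT}" AttributeId="urn:example:attr:department" DataType="{STRING}" MustBePresent="false"/>
    </Match></AllOf></AnyOf></Target>
    <Condition>
      <Apply FunctionId="{FN}string-equal">
        <Apply FunctionId="{FN}string-one-and-only">
          <AttributeDesignator Category="{RESOURCE}" AttributeId="urn:example:attr:resource-type" DataType="{STRING}" MustBePresent="false"/>
        </Apply>
        <AttributeValue DataType="{STRING}">employee-record</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

def bag(designator, request):
    # The attribute bag (a list, possibly empty) the designator selects from the request context.
    return request.get(designator.get("Category"), {}).get(designator.get("AttributeId"), [])

def evaluate_expr(node, request):
    # Evaluates AttributeValue, AttributeDesignator and Apply for the functions the policy uses.
    kind = node.tag.split("}")[1]
    if kind == "AttributeValue":
        return node.text
    if kind == "AttributeDesignator":
        return bag(node, request)
    func = node.get("FunctionId").rsplit(":", 1)[1]
    args = [evaluate_expr(child, request) for child in node]
    if func == "string-equal":
        return args[0] == args[1]
    if func == "string-one-and-only":
        if len(args[0]) != 1:  # the spec makes this an error, so the rule becomes Indeterminate
            raise ValueError(f"bag of size {len(args[0])}")
        return args[0][0]
    raise ValueError(f"unsupported function {func}")

def target_matches(target, request):
    # Target = AND over AnyOf, AnyOf = OR over AllOf, AllOf = AND over Match; an absent or empty
    # Target matches everything; a Match holds when any value in the bag equals the literal.
    if target is None:
        return True
    return all(any(all(m.find("x:AttributeValue", NS).text
                       in bag(m.find("x:AttributeDesignator", NS), request)
                       for m in allof.findall("x:Match", NS))
                   for allof in anyof.findall("x:AllOf", NS))
               for anyof in target.findall("x:AnyOf", NS))

def evaluate_rule(rule, request):
    # NotApplicable unless Target and Condition both hold; an evaluation error is Indeterminate.
    if not target_matches(rule.find("x:Target", NS), request):
        return "NotApplicable"
    condition = rule.find("x:Condition", NS)
    if condition is not None:
        try:
            if not evaluate_expr(condition[0], request):
                return "NotApplicable"
        except ValueError:
            return "Indeterminate"
    return rule.get("Effect")

def deny_overrides(decisions):
    # Simplified 3.0 deny-overrides: Deny beats everything, any error beats Permit.
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in decisions:
            return outcome
    return "NotApplicable"

def evaluate_policy(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    return deny_overrides([evaluate_rule(r, request) for r in policy.findall("x:Rule", NS)])

def request(department, status, resource_types):
    # Constructed request context: category -> attribute id -> bag of values.
    return {SUBJECT: {"urn:example:attr:department": [department], "urn:example:attr:status": [status]},
            RESOURCE: {"urn:example:attr:resource-type": resource_types}}
```

Evaluating request("hr", "active", ["employee-record"]) yields Permit. A marketing employee gets NotApplicable because no rule's target matches. A terminated HR employee gets Deny, because deny-overrides lets the Deny rule win over the Permit rule whose target also matches. A request whose resource carries two resource-type values gets Indeterminate, because string-one-and-only rejects a bag of size two and the error propagates out of the Condition. Only Permit should open the door: an enforcement point that treats NotApplicable or Indeterminate as permission has turned a policy gap or an evaluation error into access.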

Conclusion

XACML provides a powerful and flexible framework for defining access control policies using XML. Its rule-based structure allows organizations to implement fine-grained, attribute-based authorization across complex systems.

By separating policy definition from application logic, XACML improves security, scalability, and maintainability in enterprise environments.