XACML stands for “eXtensible Access Control Markup Language” and is used as a strategy for fine-grained authentication because of its flexibility.
The XACML standard defines not only a language for access control policy, but also a language for requests and responses, as well as a reference architecture. Access control policies can be expressed through the use of policy language (who can do what when).
The request/response language allows questions about whether a specific access should be permitted to be expressed (requests), as well as the answers to those questions (responses). A standard reference architecture is proposed for placing the necessary software modules within an infrastructure.
The purpose of this standard is to enable effective application of the rules.
Attribute-Based Access Control (ABAC) is supported by XACML, and evaluation can draw on supplementary attribute data obtained from the Policy Information Point (PIP) described in the XACML reference architecture.
Terminology
- PAP – Policy Administration Point, which manages the access control policies
- PDP – Policy Decision Point, which evaluates access requests against the applicable policy and issues an access decision
- PEP – Policy Enforcement Point, which intercepts a user’s request for access to a resource and asks the PDP for a decision about that access
- PIP – Policy Information Point, the system entity that acts as a source of attribute values (such as resource, subject or environment attributes)
- PRP – Policy Retrieval Point, the place where XACML access authorization policies are stored, usually a database or a file system
How does XACML work?
Below is an example of how an XACML request usually proceeds:
- The PEP receives a request sent by a user and intercepts it there.
- PEP modifies the request so that it is now an XACML request.
- The request is communicated to the PDP by PEP.
- The PDP compares the permission request with its defined access rules and decides whether the request should be granted.
- These policies are managed by the PAP. Attribute values stored in the Policy Information Point can be retrieved if the evaluation requires them.
- Finally, the PDP reaches a decision and returns it to the PEP as one of the values “permit,” “deny,” “not applicable,” or “indeterminate.”
XACML policy language structure and syntax
The language of the XACML policy consists of a number of essential features that enable the implementation of fine-grained authentication across a variety of deployment types, including cloud, on-premises and hosted environments. These elements can be found in the language of the XACML policy.
Rules
A rule is the basic building block of any policy. Consequently, it carries the effect of the policy, which is either to permit or to deny. A rule can contain a target, a condition, advice, or a set of obligations.
Policy
One or more rules, an algorithm for combining the rules, and optional obligations and advice are the elements that make up a policy. Policies can also carry advice. The policy is the basis on which the XACML PDP performs its evaluation.
Policy set
A collection of policies, possibly found in different places, is known as a policy set. The components of a policy set are the policies themselves, an algorithm for combining those policies, and optional obligations and advice.
Target
A target gives XACML PDP the ability to determine which policies or rules are relevant to a particular request. Target statements serve the purpose of defining relevant attributes for the rules, policies, or policy sets with which they are associated.
Conditions
Conditions are a component of rules and are used to compare attribute values in order to determine whether the rule evaluates to “true,” “false,” or “indeterminate.” For example, a condition would be used to verify that the subject’s username is the same as the owner attribute of the requested resource, as shown in the XACML example which can be seen below.
Unwrapping the wrapper
XACML provides the building blocks that organizations need in order to keep layering on solutions to existing and future access control problems.
Its features and functionality were designed with dynamic authorization in mind, following the ABAC paradigm.