Representing and evaluating access control policies.

Bill Parducci*, bill@parducci.net, Chair
Hal Lockhart, hal.lockhart@oracle.com, Chair
Rich Levinson, rich.levinson@oracle.com, Secretary
Mary McRae, mary.mcrae@oasis-open.org, OASIS Staff Contact

Table of Contents

• Announcements
• Overview
• Technical Work Produced by the Committee
• Expository Work Produced by the Committee (Interops)
• External Resources
• Mailing Lists and Comments
• Additional Information (XACML Implementations)

Announcements

XACML 2.0 InterOp at RSA Conference 2008

OASIS conducted the Second XACML 2.0 Interop at the RSA Conference 2008 from April 7th - 10th, 2008. Nine members of the OASIS open standards consortium, in cooperation with the Health Information Technologies Standards Panel (HITSP), demonstrated interoperability of the eXtensible Access Control Markup Language (XACML) version 2.0. Simulating a real world scenario provided by the U.S. Department of Veterans Affairs, the demo showed how XACML ensures successful authorization decision requests and the exchange of authorization policies. Further details below on this and extended follow-up interops are in the XACML Interop section.

XACML TC Meetings

The XACML TC conference call number is 513-241-0892. The conference call code is 65998#. The XACML TC would like to thank Authentify, Inc. for sponsoring our TC conference calls since 2001.

Overview

The XACML Technical Committee will define a core XML schema for representing authorization and entitlement policies, also called XACML.

For more information, see the TC Charter and FAQ

Technical Work Produced by the Committee

• XACML 2.0 Specification Set
• XACML 2.0 Errata
• XACML 1.1 Specification Set
• XACML 1.0 Specification Set
• Work in progress
• XACML 3.0 WIKI

===============================
XACML 2.0 Specification Set: XACML 2.0 and all the associated profiles were approved as OASIS Standards on 1 February 2005.

• NORMATIVE XACML 2.0 documents
• ALL XACML 2.0 documents (includes separate example files and non-normative document formats)
• Individual XACML 2.0 documents:
  • XACML 2.0 Core: eXtensible Access Control Markup Language (XACML) Version 2.0
    • Specification Document
    • Policy Schema
    • Context Schema
  • Core and hierarchical role based access control (RBAC) profile of XACML v2.0
    • Specification Document
  • Hierarchical resource profile of XACML v2.0
    • Specification Document
  • Multiple resource profile of XACML v2.0
    • Specification Document
  • Privacy policy profile of XACML v2.0
    • Specification Document
  • SAML 2.0 profile of XACML v2.0 (see errata below for corrected version of spec and schemas)
    • Specification Document
    • SAML 2.0 Assertion Extension Schema
    • SAML 2.0 Protocol Extension Schema
  • XML Digital Signature profile of XACML v2.0
    • Specification Document
• XACML 2.0 Errata: These are non-normative documents that contain TC-approved corrections for errors found in the specifications above.
  • XACML 2.0 Core: eXtensible Access Control Markup Language (XACML) Version 2.0
    • XACML Core Version 2.0 Errata, 29 Jan 2008 (doc file only)
    • XACML Core Version 2.0 Errata, 5 Jul 2007 (zip file with spec (pdf,doc) and schema(xsd))
  • SAML 2.0 profile of XACML v2.0
    • Corrected assertion schema
    • Corrected protocol schema
    • Original corrected profile specification document, SAML 2.0 profile of XACML v2.0 Errata, WD 1, 17 November 2005 (errata against Version 1 of the profile (Note: this is a zip file containing obsolete schema, use schema links above))
    • Current corrected profile specification document, SAML 2.0 Profile of XACML, Version 2, WD 5, 19 July 2007 (pdf)
    • See the Work in progress list below for further SAML profile updates and corrections that may be helpful even if not yet approved by the TC.
    ,

===============================
XACML 1.1 Specification Set:

• Core Specification: eXtensible Access Control Markup Language (XACML) Version 1.1
  • Committee Draft 01, 24 July 2003
    • Specification Document
    • Specification Document (non-normative format)
    • Policy Schema
    • Context Schema

===============================
XACML 1.0 Specification Set:

• Core Specification: eXtensible Access Control Markup Language (XACML) Version 1.0
  • OASIS Standard 1.0, 18 February 2003 OASIS Standard as of 6 Feb. 2003
    • Specification document
    • Policy Schema
    • Context Schema
• XACML Profile for Role Based Access Control (RBAC) Version 1.0:
  • Committee Draft 01, 13 February 2004
    • Specification Document
• Other Documents (non-normative)
  • Errata for XACML 1.0
  • Conformance Tests for XACML 1.0 and 1.1 (25 March 2004)

===============================
Work in progress:

The following working drafts and submissions represent XACML TC work in progress.

• XACML 3.0 Issues List
• XACML 3.0 Specifications and Profiles currently under review
  Note: the links in the following list each point to the specific details page and .zip file for that specification, which contains pdf, html etc versions of the spec and any associated xsd files or other related artifacts:
  • eXtensible Access Control Markup Language (XACML) Version 3.0, Committee Draft 04, 1 July 2010
    • XACML v3.0: Core Specification
  • XACML v3.0 Administration and Delegation Profile Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: Admin and Delegation Profile
  • SAML 2.0 Profile of XACML, Version 2.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: SAML 2.0 Profile of XACML, Version 2
  • XACML v3.0 Hierarchical Resource Profile Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: Hierarchical Resource Profile
  • XACML v3.0 Multiple Decision Profile, Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: Multiple Decision Profile
  • XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile, Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: RBAC Profile (Role Based Access Control: Core, Hierarchical)
  • XACML v3.0 Privacy Policy Profile Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: Privacy Policy Profile
  • XACML v3.0 XML Digital Signature Profile Version 1.0, Committee Draft 03, 11 March 2010
    • XACML v3.0: XML Digital Signature Profile
• XACML 3.0 Specifications and Profiles being reviewed and considered for inclusion in 3.0
  • XACML Intellectual Property Control (IPC) profile, Version 1.0, Committee Draft 2, 17 June 2010
    • XACML Intellectual Property Control (IPC) profile
  • XACML 3.0 Export Compliance-US (EC-US) Profile Version 1.0, Committee Draft 03, 17 June 2010
    • XACML v3.0 Export Compliance- US (EC-US) profile
• Other XACML 3.0 proposed features - currently not considered ready and not planned to be included in 3.0 release
  • Open Document Format for Office Applications Document Controls Profile, Version 1.0, Working draft 2, August 2009
    • Open Document Format for Office Applications Document Controls Profile
  • Web Services Profile of XACML (WS-XACML) Version 1.0, WD-10, 10-Aug-07
    • all documents and schemas (ZIP)
    • specification only (PDF)
    • 3.0 schema only
  • XACML PDP Metadata Version 1.0, WD-1, 24-Feb-08
    • XACML PDP Metadata Version 1.0, WD 1, 24-Feb-08
    • Proposal for PDP metadata (email)
  • Obligation Families model under consideration
    XACML v3.0 Obligation Families Version 1.0, WD-3, 17-Feb-08 (Note: date not updated in WD-3 spec)
    • Obligation Families Version 1.0, WD 3, 17-Feb-08
    • Description of changes (email)
• XACML 2.0 Profiles currently under review for inclusion in XACML 2.0 (3.0 tbd)
  • Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0, Committee Specification 01, 27-Aug-09
    • XSPA Profile of XACML v2.0 for Healthcare Version 1.0
    • XSPA Profile of XACML v2.0 for Healthcare: Current and Historical Version and Status Change Log
    • XSPA Examples v1.0
    • More info at XSPA TC Site

The following work items are not on a standards track

• XACML 2.0 Conformance Tests
  • Draft XACML 2.0 Conformance Tests
  • Description
  • Patches to above set
  • Conformance test changes
  • To-Do List for XACML 2.0 Conformance Tests
• OASIS Naming Guidelines for XACML, Version 1.4, 3 October 2006.
• Policy Examples
• XACML delegation use-cases
• Web-services policy language use-cases and requirements

The following work items are not currently under active development or discussion, but have not officially been withdrawn.

• eXtensible Access Control Markup Language (XACML) Version 3.0 Policy Distribution Protocol Use-cases and Requirements, WD 01, 8 Oct 2004
• XACML v3.0 improved generality (RuleML) Working Draft 03, 17 March 2005
• Proposed post-2.0 XACML TC Charter, version 1.6, 30 Sept 2004
• LDAP profile for distribution of XACML policies

Expository Work Produced by the Committee

• A Brief Introduction to XACML
• The Formal Semantics of XACML by Polar Humenn, Syracuse Univ.; DRAFT
• Implementor's Guide
• Changes Since XACML 1.0, 24 May 2005
• WS-XACML: Authorization and Privacy Policies for Web Services
  Slides presented as part of the OASIS XACML Webinar on 12 July 2007

===============================
Interops:

The following is a brief description of the XACML Interops that have been conducted under the guidance of the XACML Technical Committee.

Second XACML 2.0 InterOp at RSA Conference 2008
OASIS conducted the Second XACML 2.0 Interop at the RSA Conference 2008 from April 7th - 10th, 2008. Nine organizations participated, which included eight vendor companies that demonstrated interoperability between their PDPs and an "embedded vendor PEP SDK" customized by U.S. Department of Veterans Affairs (VA) to demonstrate the use of XACML within the VA HL7 healthcare application infrastructure to support healthcare scenarios standardized using HL7 vocabulary detailed in the RSA Conference 2008 XACML 2.0 Healthcare Interop scenarios document collection.

• There have been additional interops that have extended the scenarios above (RSA London Oct 2008) and incorporated them within a broader end-to-end demonstration of OASIS SAML/XACML/WS-Trust supporting HITSP TP 20/30 at HIMSS April 2009. The HIMSS demo was conducted under the guidance of the OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) TC.

First XACML 2.0 InterOp at Catalyst 2007
OASIS conducted the First XACML 2.0 Interop at the Catalyst Conference on June 28th, 2007. Several companies participated and demonstrated the use of XACML to solve business problems by implementing a set of interop scenarios.

External Resources

The following is a frequently updated listing of external papers, presentations, related standards, publicly announced products and deployments that use XACML in a significant way. It also includes XACML Attribute identifiers defined in documents other than core XACML. This list is maintained by the XACML TC.

XACML References

The following articles, while not produced by the XACML TC, provide additional insight into its work

OASIS Members Demonstrate Interoperability of XACML Access Control Standard in HITSP Health Care Scenario
OASIS News, 7 Apr 2008
Muradora GUI for Fedora Repository Uses SAML and XACML for Federated Identity
CoverPages, 26 Oct 2007
Eight Companies Demonstrate Interoperability of XACML OASIS Standard at Catalyst Conference
OASIS News, 28 Jun 2007
OGC Public Review for GeoXACML and OpenGIS Image Geopositioning Service (IGS)
CoverPages, 21 May 2007
XACML 2.0 Access Control Markup Language Approved as OASIS Standard
OASIS News, 2 Mar 2005
OASIS Extensible Access Control Markup Language TC Approves XACML 2.0 Specifications
CoverPages, 5 Oct 2004
"Extensible Access Control Markup Language (XACML)"
Cover Pages, 23 March 2004
"Draft XACML Profile for Web-Services Addresses Web Services Policy Expression"
Cover Pages, 30 Sept 2003
"XACML XML DSig Profile Supports Authentication of XACML Schema Instances"
Cover Pages, 28 March 2003
"Sun Microsystems Releases Open Source XACML Implementation for Access Control and Security"
Cover Pages, 18 Feb 2003
OASIS XACML Announcement
OASIS News, 24 April 2001
Public Review for OASIS Extensible Access Control Markup Language (XACML) Specification
Cover Pages, 8 Nov 2002

Mailing Lists and Comments

xacml: the list used by TC members to conduct Committee work. TC membership required to post. TC members are automatically subscribed; the public may view archives.*

xacml-comment: a public mail list for providing input to the OASIS XACML Technical Committee members. Send a comment or view archives.*

xacml-dev: an unmoderated, public mail list that provides an open forum for developers of XACML policy evaluation engine implementations or supporting components and tools to exchange ideas and information on implementing the XACML OASIS Standard. Subscribe or view archives.*

xacml-users: an unmoderated, public mail list that provides an open forum for users of XACML to exchange ideas and information on expressing policies using the XACML OASIS language. Subscribe or view archives.*

xacml-demo-tech: a mailing list restricted to XACML TC members interested in technical aspects of an interoperability demo; archives are also limited to TC members. Subscribe or view archives.*

xacml-demo-mktg: a mailing list restricted to XACML TC members interested in marketing aspects of an interoperability demo; archives are also limited to TC members. Subscribe or view archives.*

*To minimize spam, you must subscribe to these lists before posting.

Additional Information (XACML Implementations)

Available XACML Implementations

It is known that various developers have implemented XACML code and XACML support tools; some of these implementations are publicly available for download. The following are listed here solely for the information of parties interested in XACML. By including these links, neither the XACML TC, nor OASIS itself, is endorsing or recommending these implementations in any way. This list may be modified at any time as further information about these or other implementations becomes known.

• OpenAz: Open src project to facilitate the development of a standard XACML-based PDP,PEP Az (AuthoriZation) interface framework (scheduled start: Sep 2009) http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
• XEngine: A Fast and Scalable XACML Policy Evaluation Engine (High Performance Open Source Java PDP) http://xacmlpdp.sourceforge.net/
• Testing and Verification of Security Policies: This project develops novel techniques and tools for testing and verification of security policies including XACML and firewall policies as well as security models https://sites.google.com/site/asergrp/projects/policy
• pam_xacml: Enable XACML Az for legacy apps (SS5 Socks Server, su, Apache, ...) using "pluggable 'authorization' modules" (PAM) http://pamxacml.sourceforge.net/
• First beta version of XACML 2.0 policy editor: XACML-Studio (XS): http://xacml-studio.sourceforge.net/
• HERAS-AF: An Open Source Project providing an XACML-based Security Framework: http://www.herasaf.org
• XACMLight Apache Axis2 Web Service XACML 2.0 PDP/PAP Implementation (SourceForge.net Maven2 Project - beta): http://sourceforge.net/projects/xacmllight/
• Enterprise Java XACML 2.0 Implementation (Google Code Project - beta): http://code.google.com/p/enterprise-java-xacml/
• Parthenon Computing (formerly Jiffy Software): Parthenon XACML Evaluation Engine: http://www.parthenoncomputing.com
• Sun Microsystems: Sun's XACML Open Source Implementation: http://sunxacml.sourceforge.net
• Lagash Systems: XACML.NET:http://mvpos.sourceforge.net/
• AXESCON LLC: AX2E - AXESCON XACML 2.0 Engine (Beta version): http://axescon.com/ax2e/
• Swedish Institute of Computer Science: XACML 3.0 Administrative Policy support (Beta version): http://www.sics.se/spot/xacml_3_0.html
• University of Murcia (UMU), Spain:Java-based XACML editor: http://xacml.dif.um.es/
• Brown University, US: Margrave, XACML policy verification and change analysis tool: http://www.cs.brown.edu/research/plt/software/margrave/
• UMU NAS-SAML XACML policy infopath templates: http://libra.dif.um.es/~gabilm/designs/nas_saml/

For technical assistance regarding this OASIS TC web page, contact webmaster@oasis-open.org.

To send a comment regarding this work, click the "Send A Comment" button above.