Press Release

XACML 2.0 Access Control Markup Language Approved as OASIS Standard

BEA Systems, Booz Allen Hamilton, Computer Associates, Entrust, Gluecode Software, IBM, Sun Microsystems, and Others Advance Open Standard for Information Access Control

BOSTON, MA, USA; 2 MARCH 2005 — OASIS, the international e-business standards consortium, today announced that its members have approved the Extensible Access Control Markup Language (XACML) version 2.0 as an OASIS Standard, a status that signifies the highest level of ratification. XACML is used to represent and evaluate access control policies.

Dan Blum, Senior Vice President and Research Director of the Burton Group, noted, "Access control is a requirement of almost every application. XACML goes beyond simply denying or granting information access, it defines the mechanism for creating the rules and policy sets that enable meaningful authorization decisions."

To meet the needs of a wide range of users across many different environments, XACML 2.0 incorporates new profiles for Role Based Access Control (RBAC) and Privacy. XACML 2.0 profiles also provide integration and hierarchical resources for the Security Assertion Markup Language (SAML) OASIS Standard.

"XACML is designed to standardize the use of declarative policy to control access to resources, which can reduce costs while increasing security," said Hal Lockhart, co-chair of the OASIS XACML Technical Committee. "XACML 2.0 can be of particular interest to those deploying SAML, looking for a practical way to implement RBAC or protecting hierarchical resources, such as portions of XML documents."

Before becoming an OASIS Standard, XACML v2.0 first completed an extensive public review and was approved by the OASIS XACML Technical Committee. Then, the specification demonstrated its readiness through multiple implementations, after which XACML was reviewed and approved by the OASIS membership as a whole.

"The approval of XACML 2.0 as an OASIS Standard builds on a solid base of XACML implementations by major international companies, start-ups, and open source providers," noted Patrick Gannon, president and CEO of OASIS. "Increasingly, XACML is being recognized as an integral part of enterprise security frameworks. Our congratulations go to the members of the OASIS XACML Technical Committee for their hard work in advancing this standard."

XACML is part of the growing portfolio of OASIS Standards for security, which also includes the Application Vulnerability Description Language (AVDL), SAML, Service Provisioning Markup Language (SPML), WS-Security, and XML Common Biometric Format (XCBF). OASIS members also advance specifications such as Digital Signature Services (DSS) and Public Key Infrastructure (PKI).

XACML v2.0 was developed by members of the OASIS XACML Technical Committee, which includes representatives of BEA Systems, Booz Allen Hamilton, Computer Associates, Entrust, Gluecode Software, IBM, Sun Microsystems, and others. Participation remains open to all, and suppliers, end-users and system integrators are invited to join OASIS to advance the continued development and the adoption of XACML. OASIS hosts an open mail list for public comment and the xacml-dev mailing list for exchanging information on implementing the standard.

Industry Support for XACML OASIS Standard

BEA Systems "BEA realizes the importance of a portable description for security policy and the significant benefit it can bring to customers. As a result, BEA supports the release of the XACML 2.0 specification as an OASIS standard and is working to incorporate support for the standard in future releases of BEA’s product family," said Paul Patrick, Chief Security Architect, BEA Systems.

Cordance "By taking the industry standard for policy-based access control to a new level, XACML 2.0 provides even more incentive for enterprises to adopt XML-based resource management infrastructure. The OASIS XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) Technical Committees look forward to providing other key pieces of this infrastructure that will leverage the power of XACML 2.0," said Drummond Reed, CTO of Cordance Corporation and co-chair, OASIS XRI and XDI Technical Committees.

DataPower "XACML finally enables organizations to move access control policy out of custom spaghetti code and into an interoperable, declarative XML form," said Eugene Kuznetsov, CTO, founder and chairman of DataPower. "Whether driven by new security threats, regulatory mandates or Web services, there is a growing need for fine-grained authorization for heterogeneous systems."

Gluecode Software "We are pleased to contribute to the advancement of the XACML 2.0 standard," said Bill Parducci, security architect for Gluecode Software. "As an open source infrastructure company, participation in these standardization efforts allows us to deliver leading-edge solutions to our customers. We look forward to incorporating XACML 2.0 in our products to facilitate integration with an enterprise’s central security policies."

Nokia "Nokia applauds the accomplishment of the OASIS XACML Technical Committee in producing the XACML v2.0 open standard," said Frederick Hirsch, Senior Architect at Nokia. "Having an open and standard means of expressing and resolving authorization and entitlement policies will aid in building secure systems. Nokia is working to use such open standards to enhance the capabilities of its mobile platforms."

Sun Microsystems "XACML is an important piece of technology for enabling access control for web services and part of the broader solution in providing a policy and security framework for web services," said Ed Julson, director of engineering for Web Technologies & Standards at Sun Microsystems. "Sun’s active participation in the development of OASIS XACML 2.0 and our open source implementation of XACML are further evidence of our commitment to open standards and the interoperability benefits they bring to customers."

Additional Information:

OASIS XACML Technical Committee:

Cover Pages Technology Report:

About OASIS: OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces open standards for Web services, security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 4,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include AVDL, CAP, DocBook, DSML, ebXML, SAML, SPML, UBL, UDDI, WS-Reliability, WSRP, WSS, XACML, and XCBF.

Press contact:

Carol Geyer OASIS Director of Communications +1.978.667.5115 x209