- Test Case Groupings
Tests are divided into those that exercise
Mandatory-to-Implement functionality and those that
exercise Optional, but normative functionality. All
implementations that claim conformance to the eXtensible Access
Control Markup Language (XACML) Version 2.0 OASIS Standard
MUST support all Mandatory-to-Implement functionality as
described in the
XACML Version 2.0 specification.
Conforming implementations MAY additionally support
various Optional functionality areas.
Tests are divided into groups based on the primary area of
functionality or schema being exercised.
Each test case consists of three XML documents (or sets of documents):
- An XACML Request
- An XACML Policy or set of Policy documents
- An XACML Response
Each XML document is named according to the section of this
document in which it occurs. For example, the XML
documents for the test in Part II (Mandatory to
implement), Section B (Target Matching), Test Case 8 (Case:
match: multiple actions) are named:
- How to Use the Tests
An implementation of an XACML Policy Decision Point (PDP) should
be able to:
- Accept the given Request, or input consistent with the
given Request, as input.
- Accept the given Policy or Policies (these files may
contain one or more XACML Policies or PolicySets) as input.
- Produce the given Response, or output
consistent with the given Response, as output.
Explanation of "consistent with":
The request and response used in executing these tests need not
be instances of the XACML Context Schema. The request and
response should, however, contain exactly the same information as
the given Request and Response file, and should exercise the XACML
policy evaluation functionality that the test is intended to
exercise. It should be possible, at least conceptually, to
mechanically convert the request and response used in the
implementation to the given XACML Request and Response
- Preparing Tests for Execution
In general, for each test,
- store the *Policy.xml file for the given
test in the repository you use for policies, such that the
*Policy.xml is the only policy that will
be retrieved by the PDP, or
- configure the PDP with the
*Policy.xml file as its initial policy.
- Send the *Request.xml file (or its semantic
equivalent in your system) to the Context Handler component of
the XACML PDP via your access control decision request
- Compare the result returned from the PDP with the specified
*Response.xml file (or its semantic equivalent in
- The test passes if your system's result is semantically
equivalent to the specified
Some of the tests have special instructions associated
with them. They modify the instructions given above for the
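An added example, not part of the test suite or its documentation: one way to automate the comparison step, assuming "semantically equivalent" means the same set of results by ResourceId, Decision, StatusCode value and Obligations, regardless of namespace prefix, whitespace or element order. The sample documents are constructed, and `summarize` and `equivalent` are hypothetical names.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # XACML 2.0 context namespace
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # XACML 2.0 policy namespace
NS = {"c": CTX, "p": POL}
DECISIONS = {"Permit", "Deny", "Indeterminate", "NotApplicable"}

def summarize(response_xml):
    """Reduce a <Response> to the facts compared here (an assumed reading of 'equivalent')."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % CTX:
        raise ValueError("not an XACML 2.0 context Response")
    results = set()
    for res in root.findall("c:Result", NS):
        decision = res.findtext("c:Decision", "", NS).strip()
        if decision not in DECISIONS:
            raise ValueError("unknown Decision %r" % decision)
        code = res.find("c:Status/c:StatusCode", NS)
        # Obligations are compared as sets, so document order does not matter.
        obligations = frozenset(
            (ob.get("ObligationId"), ob.get("FulfillOn"), frozenset(
                (a.get("AttributeId"), a.get("DataType"), (a.text or "").strip())
                for a in ob.findall("p:AttributeAssignment", NS)))
            for ob in res.findall("p:Obligations/p:Obligation", NS))
        # A missing Status stays None; it is not treated as an implicit "ok".
        results.add((res.get("ResourceId"), decision,
                     None if code is None else code.get("Value"), obligations))
    if not results:
        raise ValueError("Response has no Result")
    return frozenset(results)

def equivalent(expected_xml, actual_xml):
    """Pass only if both documents parse and carry the same results (fails closed)."""
    try:
        return summarize(expected_xml) == summarize(actual_xml)
    except (ET.ParseError, ValueError):
        return False

# Constructed samples, not files from the test suite.
EXPECTED = """<Response xmlns="%s">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>""" % CTX
SAME_INFO = ('<x:Response xmlns:x="%s"><x:Result><x:Decision>Permit</x:Decision><x:Status>'
             '<x:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></x:Status>'
             '</x:Result></x:Response>' % CTX)
WRONG_DECISION = EXPECTED.replace("Permit", "Deny")
```

A PDP output that cannot be parsed, or that uses a different namespace, counts as a failed test rather than being skipped.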
- Contributions of New Tests
Any XACML implementer may contribute additional conformance
tests by submitting them to the
firstname.lastname@example.org mailing list. Such
contributions will be incorporated into the test suite on the next
While this suite of tests is non-normative, we hope the suite
will represent a general consensus as to the intent of the XACML
Version 2.0 Standard. For this reason, contributed tests are
until the tests have undergone successful review and use, defined
- a reasonable review period has elapsed since submission, and
- several implementers have reported successful execution of
these tests to
- no objections to the test have been reported to the
xacml-comment mailing list.
Once the tests have undergone successful review and use, then the
**EXPERIMENTAL** status will be
If an objection is reported on the xacml-comment mailing list to
an **EXPERIMENTAL** test during the review
period, then the test will be removed from the test suite on the
next update unless the XACML TC upholds the objection. It is up
to the test submitter to request review by the TC, and it is up
to the TC to decide whether or not to review a test.
If an objection is reported to a test that is no longer
**EXPERIMENTAL**, the objection is treated as a bug. See
Bugs in the Tests for a description of how bugs are handled.
- Bugs in the Tests
Following are the known bugs:
- The <Description> in many *Policy.xml files is incorrect:
instead of "read or write Bart Simpson's medical record", the
description should say "perform any action on any
If you believe any test does not correctly interpret the intent
of the eXtensible Access Control Markup Language (XACML) Version 2.0
OASIS Standard, or if you find any
additional errors in these tests, please submit a report to the
email@example.com mailing list. Absent any
objections to a bug report, minor bugs
may be fixed at the test editor's discretion in the next test
Major or controversial bugs reported against non-**EXPERIMENTAL**
tests will be reviewed by the XACML TC. If the TC agrees that
the test does not conform to the intent of the XACML Version 2.0
Standard, then the test will be modified or removed as
appropriate on the next test suite update.
Major or controversial bugs reported against tests marked
**EXPERIMENTAL** will be treated as an objection to the test.
See Contributions of New Tests for the handling of such objections.
Periodically, an updated copy of the entire Conformance Test
Suite, containing all corrections to date, will be posted to the
XACML TC Web Site.