OASIS eXtensible Access Control Markup Language (XACML) TC

Representing and evaluating access control policies.

Bill Parducci, Chair
Hal Lockhart, hal.lockhart@oracle.com, Chair
Rich Levinson, rich.levinson@oracle.com, Secretary

Table of Contents

• Announcements
• Overview
• Technical Work Produced by the Committee
• XACML 3.0 and Other Work in Progress
• Expository Work Produced by the Committee
• TC Tools and Approved Publications
• External Resources
• Mailing Lists and Comments
• Additional Information (XACML Implementations)

---

Announcements

We are pleased to announce the publication of eXtensible Access Control Markup Language (XACML) Version 3.0 OASIS Standard. A pdf version is available at the following link:
eXtensible Access Control Markup Language (XACML) Version 3.0
OASIS Standard
22 January 2013
Further info is below in the XACML 3.0 section.

XACML 3.0 received the Influential Standardization Efforts Award at the European Identity Conference in Munich, May 2011.

---

Overview

The XACML Technical Committee defines a core XML schema for representing authorization and entitlement policies.

For more information, see the TC Charter, FAQ, and "A Brief Introduction to XACML".

---

Technical Work Produced by the Committee

• XACML 3.0 and other Work in progress
• XACML 3.0 WIKI
• XACML 2.0 Specification Set
• XACML 2.0 Errata
• XACML 1.1 Specification Set
• XACML 1.0 Specification Set

===============================
XACML 3.0 and other Work in progress:

• XACML 3.0 Issues List

The following committee specification, working drafts, and submissions represent XACML TC work in progress.

• XACML 3.0 Committee Specifications and Profiles
  Note: except where otherwise noted, the links in the following list each point to the pdf versions of the spec (html and doc or other formats are ref'd on cover page within each pdf) and any associated xsd files or other related artifacts:
  • eXtensible Access Control Markup Language (XACML) Version 3.0
    OASIS Standard, 22 January 2013
    • Editable source (Authoritative): http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc
    • HTML: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
    • PDF: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
    • Schema: http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd
    • Distribution ZIP file: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.zip
  • XACML v3.0 Multiple Decision Profile Version 1.0
    Committee Specification 02, 18 May 2014
    • XACML v3.0: Multiple Decision Profile (pdf)
  • XACML v3.0 Hierarchical Resource Profile Version 1.0
    Committee Specification 02, 18 May 2014
    • XACML v3.0: Hierarchical Resource Profile CS 02 (pdf)
  • XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile Version 1.0
    Committee Specification 02, 23 October 2014
    • XACML v3.0: RBAC Profile (RBAC-Core, RBAC-Hierarchical) (pdf)
  • XACML v3.0 XML Digital Signature Profile Version 1.0
    Committee Specification 02, 18 May 2014
    • XACML v3.0: XML Digital Signature Profile (pdf)
  • XACML v3.0 Privacy Policy Profile Version 1.0
    Committee Specification 02, 25 January 2015
    • XACML v3.0: Privacy Policy Profile (pdf)
  • XACML SAML Profile Version 2.0
    Committee Specification 02, 19 August 2014
    (covers XACML 1.0, 1.1, 2.0, 3.0)
    • XACML SAML Profile Version 2.0 (pdf) (covers XACML v1.0, v1.1, v2.0, v3.0)
    • XACML 1.0: schema-protocol (xsd)
    • XACML 1.0: schema-assertion (xsd)
    • XACML 1.1: schema-protocol (xsd)
    • XACML 1.1: schema-assertion (xsd)
    • XACML 2.0: schema-protocol (xsd)
    • XACML 2.0: schema-assertion (xsd)
    • XACML 3.0: schema-protocol (xsd)
    • XACML 3.0: schema-assertion (xsd)
  
  
  • XACML Intellectual Property Control (IPC) Profile Version 1.0
    OASIS Standard, 19 January 2015
    • XACML IPC Profile (pdf)
  • XACML 3.0 Export Compliance-US (EC-US) Profile Version 1.0
    OASIS Standard, 19 January 2015
    • XACML v3.0 EC-US Profile (pdf)
  • XACML MAP Authorization Profile Version 1.0
    OASIS Standard, 19 January 2015
    • XACML v3.0: MAP Authorization Profile (pdf)
  
  
  • XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0
    Committee Specification 01 / 16 February 2015
    • XACML 3.0 DLP/NAC Profile (pdf)
  • REST Profile of XACML v3.0 Version 1.0
    Committee Specification 02, 23 November 2014
    • XACML v3.0: REST Profile (pdf)
  • JSON Profile of XACML 3.0 Version 1.0
    Committee Specification 01, 11 December 2014
    • JSON Profile of XACML 3.0 Version 1.0 (pdf)
  • XACML 3.0 Additional Combining Algorithms Profile Version 1.0
    Committee Specification 01, 18 August 2014
    • XACML 3.0 Additional Combining Algorithms Profile (pdf)
  
  
  • XACML v3.0 Administration and Delegation Profile Version 1.0
    Committee Specification 01, 10 August 2010
    • XACML v3.0: Admin and Delegation Profile (pdf)
    Committee Specification Draft 04, 13 November 2014
    • XACML v3.0: Admin and Delegation Profile CSD-04 (pdf)
  
  
  • XACML v3.0 Related and Nested Entities Profile Version 1.0
    Committee Specification 01, 25 October 2015
    • XACML 3.0 Related/Nested Entities Profile (html)
  • Abbreviated Language for Authorization Version 1.0
    Working Draft 01, 10 March 2015
    • ALFA: Abbreviated Language for Authorization Version 1.0 (doc)
• Other XACML 3.0 proposed features - currently not considered ready and not planned to be included in 3.0 release
  • Open Document Format for Office Applications Document Controls Profile, Version 1.0, Working draft 2, August 2009
    • Open Document Format for Office Applications Document Controls Profile
  • Web Services Profile of XACML (WS-XACML) Version 1.0, WD-10, 10-Aug-07
    • all documents and schemas (ZIP)
    • specification only (PDF)
    • 3.0 schema only
  • XACML PDP Metadata Version 1.0, WD-1, 24-Feb-08
    • XACML PDP Metadata Version 1.0, WD 1, 24-Feb-08
    • Proposal for PDP metadata (email)
  • Obligation Families model under consideration
    XACML v3.0 Obligation Families Version 1.0, WD-3, 17-Feb-08 (Note: date not updated in WD-3 spec)
    • Obligation Families Version 1.0, WD 3, 17-Feb-08
    • Description of changes (email)
• XACML 2.0 Profiles currently under review for inclusion in XACML 2.0 (3.0 tbd)
  • Proposed draft for XSPA-XACML Obligations Profile Draft_0.1.doc Details
    Current TC working draft (if need more than default number of documents, then find the number then sort date descending)
    • XSPA-XACML Obligations Profile (Current Working Draft)

===============================
XACML 2.0 Specification Set:
- XACML 2.0 Core and seven associated profiles were approved as OASIS Standards on 1 February 2005.
- An eighth profile, XSPA Profile of XACML 2.0 for Healthcare was approved as OASIS Standard on 1 November 2009

• NORMATIVE XACML 2.0 documents (1-Feb-2005)
• ALL XACML 2.0 documents (1-Feb-2005) (includes separate example files and non-normative document formats)
• Individual XACML 2.0 documents:
  • XACML 2.0 Core: eXtensible Access Control Markup Language (XACML) Version 2.0
    • Specification Document
    • Policy Schema
    • Context Schema
  • Core and hierarchical role based access control (RBAC) profile of XACML v2.0
    • Specification Document
  • Hierarchical resource profile of XACML v2.0
    • Specification Document
  • Multiple resource profile of XACML v2.0
    • Specification Document
  • Privacy policy profile of XACML v2.0
    • Specification Document
  • SAML 2.0 profile of XACML v2.0 (see errata below for corrected version of spec and schemas)
    • Specification Document
    • SAML 2.0 Assertion Extension Schema
    • SAML 2.0 Protocol Extension Schema
  • XML Digital Signature profile of XACML v2.0
    • Specification Document
  • Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0, OASIS Standard, 1 November 2009
    • Specification Document
    • Related Information:
      • XSPA Examples v1.0
      • More info at XSPA TC Home Page
• XACML 2.0 Errata: These are non-normative documents that contain TC-approved corrections for errors found in the specifications above.
  • XACML 2.0 Core: eXtensible Access Control Markup Language (XACML) Version 2.0
    • XACML Core Version 2.0 Errata, 29 Jan 2008 (doc file only)
    • XACML Core Version 2.0 Errata, 5 Jul 2007 (zip file with spec (pdf,doc) and schema(xsd))
  • SAML 2.0 profile of XACML v2.0
    • Corrected assertion schema
    • Corrected protocol schema
    • Original corrected profile specification document, SAML 2.0 profile of XACML v2.0 Errata, WD 1, 17 November 2005 (errata against Version 1 of the profile (Note: this is a zip file containing obsolete schema, use schema links above))
    • Current corrected profile specification document, SAML 2.0 Profile of XACML, Version 2, WD 5, 19 July 2007 (pdf)
    • See the XACML 3.0 and other Work in progress list below for further SAML profile updates and corrections that may be helpful even if not yet approved by the TC.
    ,

===============================
XACML 1.1 Specification Set:

• Core Specification: eXtensible Access Control Markup Language (XACML) Version 1.1
  • Committee Draft 01, 24 July 2003
    • Specification Document
    • Specification Document (non-normative format)
    • Policy Schema
    • Context Schema

===============================
XACML 1.0 Specification Set:

• Core Specification: eXtensible Access Control Markup Language (XACML) Version 1.0
  • OASIS Standard 1.0, 18 February 2003 OASIS Standard as of 6 Feb. 2003
    • Specification document
    • Policy Schema
    • Context Schema
• XACML Profile for Role Based Access Control (RBAC) Version 1.0:
  • Committee Draft 01, 13 February 2004
    • Specification Document
• Other Documents (non-normative)
  • Errata for XACML 1.0
  • Conformance Tests for XACML 1.0 and 1.1 (25 March 2004)

===============================
The following work items are not currently on a standards track

• XACML 2.0 Conformance Tests (1st bullet is current, remaining bullets historical for ref)
  • Current tests in Subversion Repository
  • Draft XACML 2.0 Conformance Tests
  • Description
  • Patches to above set
  • Conformance test changes
  • To-Do List for XACML 2.0 Conformance Tests
• OASIS Naming Guidelines for XACML, Version 1.4, 3 October 2006.
• Policy Examples
• XACML delegation use-cases
• Web-services policy language use-cases and requirements

The following work items are not currently under active development or discussion, but have not officially been withdrawn.

• eXtensible Access Control Markup Language (XACML) Version 3.0 Policy Distribution Protocol Use-cases and Requirements, WD 01, 8 Oct 2004
• XACML v3.0 improved generality (RuleML) Working Draft 03, 17 March 2005
• Proposed post-2.0 XACML TC Charter, version 1.6, 30 Sept 2004
• LDAP profile for distribution of XACML policies

---

Expository Work Produced by the Committee

• A Brief Introduction to XACML
• Implementor's Guide
• Changes Since XACML 1.0, 2005
• Webinar: XACML 3.0: Managing Access Control in the Cloud and Beyond, 2011
• Webinar: WS-XACML, Authorization and Privacy Policies for Web Services, 2007
• XACML References
• Interoperability Demonstrations:
  • XACML 2.0 Interop at RSA 2008, San Francisco. See Interop scenarios (HealthCare) (zip) from the event.
  • XACML Interop at RSA Europe 2008, London
  • SAML/XACML/WS-Trust supporting HITSP TP 20/30 Interop at HIMSS 2009
     (conducted under the OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) TC).
  • XACML 2.0 Interop at Catalyst 2007. See Interop scenarios (Bank Accounts) from the event.

---

TC Tools and Approved Publications

• OASIS Library for Approved Publications
• TC Wiki
• Issues Management (JIRA)
• Version control

External Resources

Although not produced by the OASIS XACML TC, the following information offers useful insights into its work:

• XACML LinkedIn Group

---

Mailing Lists and Comments

xacml: the list used by TC members to conduct Committee work. TC membership required to post. TC members are automatically subscribed; the public may view archives.*

xacml-comment: a public mail list for providing input to the OASIS XACML Technical Committee members. Send a comment or view archives.*

xacml-dev: an unmoderated, public mail list that provides an open forum for developers of XACML policy evaluation engine implementations or supporting components and tools to exchange ideas and information on implementing the XACML OASIS Standard. Subscribe or view archives.*

xacml-users: an unmoderated, public mail list that provides an open forum for users of XACML to exchange ideas and information on expressing policies using the XACML OASIS language. Subscribe or view archives.*

xacml-demo-tech: a mailing list restricted to XACML TC members interested in technical aspects of an interoperability demo; archives are also limited to TC members. Subscribe or view archives.*

xacml-demo-mktg: a mailing list restricted to XACML TC members interested in marketing aspects of an interoperability demo; archives are also limited to TC members. Subscribe or view archives.*

*To minimize spam, you must subscribe to these lists before posting.

---

Additional Information (XACML Implementations)

Available XACML Implementations

It is known that various developers have implemented XACML code and XACML support tools; some of these implementations are publicly available for download. The following are listed here solely for the information of parties interested in XACML. By including these links, neither the XACML TC, nor OASIS itself, is endorsing or recommending these implementations in any way. This list may be modified at any time as further information about these or other implementations becomes known.

• AuthzForce : open source project that provides a XACML 3.0 compliant policy engine, in two forms, depending on your needs:
  • Java API : AuthzForce provides a XACML 3.0 PDP engine as a Java library that enables applications to use an embedded XACML PDP in Java. More info: https://authzforce.ow2.org/
  • RESTful API : AuthzForce provides a multi-tenant RESTful API to PDP(s) and PAP(s) that enables web clients to manage policies, request authorization decisions, etc. Developed in the scope of the FIWARE European project. More info: http://catalogue.fiware.org/enablers/authorization-pdp-authzforce
• University of Florence, IT: FACPL (http://facpl.sf.net), an Eclipse plug-in for the specification and analysis of XACML 3.0 policies. XACML policies can be analysed by automatically translating them into FACPL policies and then by using the FACPL analysis tools. The analysis explicitly addresses missing and additional attributes that could possibly lead to unexpected authorisation decisions. Additional details on the supported properties can be found in the FACPL user's guide.
• OpenAz: Open src project to facilitate the development of a standard XACML-based PDP,PEP Az (AuthoriZation) interface framework (scheduled start: Sep 2009) http://www.openliberty.org/wiki/index.p hp/Main_Page#OpenAz
• XEngine: A Fast and Scalable XACML Policy Evaluation Engine (High Performance Open Source Java PDP) http://xacmlpdp.sourceforge.net/
• Testing and Verification of Security Policies: This project develops novel techniques and tools for testing and verification of security policies including XACML and firewall policies as well as security models https://sites.google.com/site/asergrp/projec ts/policy
• pam_xacml: Enable XACML Az for legacy apps (SS5 Socks Server, su, Apache, ...) using "pluggable 'authorization' modules" (PAM) http://pamxacml.sourceforge.net/
• First beta version of XACML 2.0 policy editor: XACML-Studio (XS): http://xacml-studio.sourceforge.net/
• HERAS-AF: An Open Source Project providing an XACML-based Security Framework: http://www.herasaf.org
• XACMLight Apache Axis2 Web Service XACML 2.0 PDP/PAP Implementation (SourceForge.net Maven2 Project - beta): http://sourceforge.net/projects/xacmllight/
• Enterprise Java XACML 2.0 Implementation (Google Code Project - beta): http://code.google.com/p/enterprise-java- xacml/
• Parthenon Computing (formerly Jiffy Software): Parthenon XACML Evaluation Engine: http://www.parthenoncomputing.com
• Sun Microsystems: Sun's XACML Open Source Implementation: http://sunxacml.sourceforge.net
• Lagash Systems: XACML.NET:http://mvpos.sourceforge.net/
• AXESCON LLC: AX2E - AXESCON XACML 2.0 Engine (Beta version): http://axescon.com/ax2e/
• Swedish Institute of Computer Science: XACML 3.0 Administrative Policy support (Beta version): http://www.sics.se/spot/xacml_3_0.html
• University of Murcia (UMU), Spain:Java-based XACML editor: http://xacml.dif.um.es/
• Brown University, US: Margrave, XACML policy verification and change analysis tool: http://www.cs.brown.edu/research/plt/softw are/margrave/
• UMU NAS-SAML XACML policy infopath templates: http://libra.dif.um.es/~gabilm/designs/nas_saml/< /a>

---

For technical assistance regarding this OASIS TC web page, contact webmaster@oasis-open.org.

---

Providing Feedback: OASIS welcomes feedback on its technical activities from potential users, developers, and others to better assure the interoperability and quality of OASIS work.