XACML

Paradigm: Declarative programming
Developer: Organization for the Advancement of Structured Information Standards (OASIS)
First appeared: April 16, 2001 (2001-04-16)
Stable release: v3.0 Errata 01 / 12 July 2017
Preview release: v4.0 CSD 01 / 18 February 2026
License: OASIS
Filename extensions: .xml, .alfa
Website: www.oasis-open.org
Major implementations: Axiomatics, AuthzForce, ViewDS, AT&T XACML, WSO2 Balana, FACPL
Dialects: ALFA (XACML)
Influenced by: XML, SAML
Influenced: ALFA (XACML)

The eXtensible Access Control Markup Language (XACML) is an XML-based standard markup language for specifying access control policies. The standard, published by OASIS, defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.

XACML is primarily an attribute-based access control policy language, but it also defines the syntax of the authorization decision requests that a Policy Enforcement Point sends to a Policy Decision Point, and of the authorization decision responses it receives back. In XACML, attributes – information about the subject accessing a resource, the resource being addressed, the action to be performed on the resource, and the environment – act as the inputs to the decision of whether access is granted. XACML can also be used to implement role-based access control.

In XACML, Rules specify which access control decision is to be taken, i.e. whether a given request is approved (Permit) or rejected (Deny), when certain conditions are met. If a Rule is applicable to a request but the conditions within the Rule cannot be evaluated (for example because a required attribute is missing from the request), the result is Indeterminate. Rules are grouped into Policies and combined according to a combining algorithm defined by the parent Policy (e.g. deny-unless-permit, permit-unless-deny); the combining algorithm therefore also determines how an Indeterminate result from one Rule affects the overall decision. Policies may in turn be grouped into a larger Policy (a PolicySet in XACML 3.0) and combined according to its own combining algorithm in the same way.

A Policy includes a Target, i.e. a condition that determines whether the Policy should be evaluated at all for a given request. Policies and Rules may also include obligations and advice expressions. Obligations specify actions that must be executed during the processing of a request, for example logging. Advice expressions are similar, but may be ignored.
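The Rule, Target, combining-algorithm and Indeterminate semantics described above, as an added toy evaluation model in Python (not OASIS code and not a real PDP): a request is a flat dictionary of attributes, a Rule yields Permit, Deny, NotApplicable or Indeterminate, and a Policy combines the results with deny-unless-permit or permit-unless-deny. The sample policy, its attribute ids and values are constructed for this illustration.

```python
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]  # attribute id -> value; categories flattened, e.g. "subject.role"

class MissingAttribute(Exception):
    """A Target or Condition referenced an attribute the request does not carry."""

def attr(req: Request, name: str) -> str:
    if name not in req:
        raise MissingAttribute(name)
    return req[name]

class Rule:
    def __init__(self, effect: str, target: Callable[[Request], bool],
                 condition: Optional[Callable[[Request], bool]] = None):
        assert effect in ("Permit", "Deny")
        self.effect, self.target, self.condition = effect, target, condition

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return "NotApplicable"  # Target does not match this request
            if self.condition is not None and not self.condition(req):
                return "NotApplicable"  # Target matched but the Condition is false
            return self.effect
        except MissingAttribute:
            return "Indeterminate"  # evaluation error, not a decision

# Two of the combining algorithms named in the article.
def deny_unless_permit(results: List[str]) -> str:
    return "Permit" if "Permit" in results else "Deny"  # Indeterminate collapses to Deny

def permit_unless_deny(results: List[str]) -> str:
    return "Deny" if "Deny" in results else "Permit"  # Indeterminate collapses to Permit

class Policy:
    def __init__(self, target, rules: List[Rule], algorithm):
        self.target, self.rules, self.algorithm = target, rules, algorithm

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return "NotApplicable"  # Policy Target does not match; nothing evaluated
        except MissingAttribute:
            return "Indeterminate"
        return self.algorithm([r.evaluate(req) for r in self.rules])

# Constructed sample: attribute ids and values are invented for this illustration.
DOCTOR_READ = Rule("Permit",
    lambda r: attr(r, "subject.role") == "doctor" and attr(r, "action") == "read",
    lambda r: attr(r, "resource.department") == attr(r, "subject.department"))
NO_DELETE = Rule("Deny", lambda r: attr(r, "action") == "delete")

def records_policy(algorithm) -> Policy:
    return Policy(lambda r: attr(r, "resource.type") == "medical-record",
                  [DOCTOR_READ, NO_DELETE], algorithm)
```

A request missing `subject.department` makes `DOCTOR_READ` Indeterminate, which deny-unless-permit turns into Deny and permit-unless-deny into Permit; the combining algorithm, not the Rule, decides whether an evaluation error fails closed or open.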

XACML separates access control functionality into several components. Each operating environment in which access control is used has a Policy Enforcement Point (PEP), which implements the functionality to request an authorization decision and to grant or deny access to resources accordingly. Each PEP refers to an environment-independent, central Policy Decision Point (PDP), which actually makes the decision on whether access is granted. The PDP refers to policies stored in the Policy Retrieval Point (PRP). Policies are managed through a Policy Administration Point (PAP).

XACML 4.0 now has an equivalent representation in JSON: JACAL.