A Beginner’s Guide to XACML

Oren Harel
April 24, 2019

What is XACML?

Extensible Access Control Markup Language (XACML) is an XML-based language designed specifically for Attribute-Based Access Control (ABAC) Authorization solutions.

XACML was first approved by OASIS in 2003, with version 3.0 in use since 2013. XACML was created to be a standard language for businesses’ network Authorization procedures. One of its main objectives was to help companies develop effective across-the-board security policies, rather than have different policies implemented for each point of access (email, Internet, etc.). Today XACML is fully supported by Policy-Based Access Control (PBAC) as well as being the language of choice for ABAC solutions. It’s important to remember that XACML is a protocol that was built for development teams. Unfortunately, it’s not something that the business owners or compliance teams can work with or even understand.

WATCH PlainID Explained in 2 Minutes

How Policies Are Created in XACML

XACML is a “vendor-neutral” policy language. It has a number of components, including a decision-making component, the Policy Decision Point (PDP), and a Policy Enforcement Point (PEP), which is the access point to the network. Separating decision-making from enforcement is a distinguishing feature of XACML-based architecture.

In a nutshell, XACML makes use of:

  • Rules
  • Policies
  • Attributes
  • Policy Sets

A rule is a single statement using Boolean logic. A policy is a set of rules and procedures for making decisions based on these rules. For example, a policy about accessing a file might include one rule about salespeople accessing it and another about programmers accessing it.

A policy can include attributes, pieces of information such as time of day, that are meant to be considered in Authorization decisions. A policy set is a group of policies or policy sets.

Authorization decisions are made in XACML by determining which policy applies to the request and then applying that policy’s rules.  

Common XACML Challenges

Despite its benefits, using XACML poses some challenges.

First, actual policy sets are complicated, involving turning every possible access request into XML. In addition, using XACML is complex because you have to make sure your code includes a fool-proof way of resolving any possible contradictions in any of your rules or policies. And then there’s the matter of making changes to your policy set or any of its policies, rules, or attributes: it won’t be quick, and it won’t be easy.

Second, it’s hard to judge the impact of any changes in an XACML environment. Changing even a single rule might have an effect on other policies and XACML by itself has no way to provide users with visibility. So, you can’t confidently predict the effect that changing one section of code will have on others.

Finally, XACML appears to have some performance issues due to its decision-making processes. Each and every access request must be evaluated by the PDP. That is, every time a user wants to open a folder in the same directory, the PEP must query the PDP which must decide again. This involves a great deal of “back and forth” between system elements.  

Watch the Webinar  What are the Right Authorization Questions for your Organization?

The Most Effective Way to Use XACML

Fortunately, there are solutions to these problems. First, using a graphical interface solves the complexity issue from the user’s perspective. By making users and resources fully visible on a “point-and-click” interface, authorized personnel can design Authorization policies quickly and easily, with no need to write any code. This allows management to treat Authorization as the business decision it is, rather than delegate to IT because it is too complex.

Secondly, adding a sandbox, a replica of your production environment, will enable you to test out various changes to your Authorization policy to see how they would really affect your network. This, along with the added visibility a graphical interface would provide, will make it easier for you to judge the impact of any changes to your Authorization process.

Caching, or better still, distributed caching, can increase the performance of an XACML-based solution by supporting faster retrieval of attributes as well as distributing evaluation of Authorization logic throughout the solution.

See How XACML Can Work For You

PlainID’s Policy Manager combines the logic of XACML with the utility of an easy to use graphical interface, a versatile sandbox, a distributed architecture, and flexible policy creation. Contact us today to schedule a demo.

Most Popular Posts