The Role of XACML in Modern Enterprise Access Control

Gal Helemski
March 11, 2020

XACML (eXtensible Access Control Markup Language) is the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement.

XACML was designed specifically for coding authorization logic and defines a declarative fine-grained, attribute-based access control (ABAC) policy language that describes how to evaluate access requests according to the rules defined in policies. 

One of the goals of XACML is to enable the development of effective security policies across the enterprise, rather than implementing different policies for each point of access. All that while promoting a common terminology and interoperability between access control implementations by multiple vendors.

 As web access management has matured dramatically, many enterprises have embraced single sign-on systems with the separation of web-based authentication and coarse-grained authorization logic from applications. However, when it comes to how organizations manage fine-grained authorization policies, significant challenges still remain. To conquer these challenges, organizations must move beyond authentication and coarse-grained authorization towards a model of externalizing application authorization decisions. XACML is a mature standard framework built specifically for this purpose. 

The XACML Process

The XACML framework consists of an architectural reference model, a policy language, and a request/response decision protocol. Its key components are:

  • Policy Administration Point (PAP): The PAP creates a policy or policy set and manages them.
  • Policy Enforcement Point (PEP): The PEP handles access control by passing along decision requests and enforcing authorization decisions.
  • Policy Decision Point (PDP): The PDP evaluates the requests based on the policies set by the PAP and sends back an authorization decision to the PDP.
  • Policy Information Point (PIP): If there are missing attributes in the XACML request sent by the PEP, the PIP finds them for the PDP so it can evaluate the policy.
  • Policy Retrieval Point (PRP): This is where the XACML access policies are stored.

The XACML model supports and encourages the separation of enforcement (PEP) decision making (PDP) and management (PAP) of the authorization. 

The Role of Rules

Rules are a key component in the hierarchy of XACML decision making that determines access. The algorithm determines how rules are combined together to convey the exact meaning of policies.  Role-based access control (RBAC) can also be implemented using XACML. 

The Benefits of XACML

Separating authorization from the application

Many applications today come with a built-in proprietary authorization logic. When access decisions are hard-coded within applications, often driven by sustainable Access Control Lists and RBAC policy models, this logic cannot be reused between applications. 

As a result, it is very difficult to update the decision criteria globally when the governing policy changes, and it is hard to achieve visibility or audit the authorizations. Tracking down exactly what access an entity has at any given point in time across several siloed applications is difficult.

Because of this, development and governance teams are forced to spend measurable time maintaining business authorization rules, instead of focusing on core application development. 

By leveraging XACML, developers can remove the authorization logic from applications. As a result, policies are centrally managed and can be modified based on business needs without any changes to the application code. 

PEP and PDF layers

Another benefit of XACML is that unauthorized requests never get to an application or service because they are stopped by the PEP. Then the PDP determines whether access is granted, and the administrators can specify how the PDP will make decisions. 

In a way, the PDP provides access authorization as a service in the infrastructure, whereas the PEP serves as a gatekeeper.


XACML as a standard has a major advantage in that it can be used in any environment as it is comprised of components that can be standardized.

In addition, XACML supports a wide variety of data types, functions, and rules for combining different policies together into complex rules. Various groups are developing extensions and profiles to link XACML with other standards, which amplifies the ways it can be used.

Easy management

The use of target information in the authorization process provides a way to index policies. In addition, a policy can be written that refers to other policies. XACML will combine the results from these different policies into one decision. As a result, policies and rules written in XACML provide a fine-grained authorization with a higher level of abstraction.  

Is XACML Right for Your Enterprise? 

One of the main objectives of XACML was to help companies develop effective global security policies, rather than have siloed policies implemented for each point of access. Today XACML is the  language of choice for Attribute Based Access Control solutions, and fully supports Policy-Based Access Control (PBAC) as well. 

It's important to remember that XACML is a protocol that was built for development teams and requires technical expertise to manage. For those looking to avoid turning to a developer for every access control change, PlainID combines the logic of XACML with the utility of ease of a graphical interface, a versatile sandbox, distributed architecture, and flexible policy creation. See our beginner's guide to XACML here.

Most Popular Posts