Merry XACML and Happy Access Control!

What’s Access Control?

  • The protected resource is the chimney.
  • The subject that is going to access this protected resource is Santa.
  • The action that the subject is granted is sliding through the chimney.
  • The attributes related to this permission are the date and time during which Santa can use the chimney.

Access Control Models

  • Mandatory Access Control: This enables the administrator to create certain access levels and link each user to a specific access level so that a user can access all the resources that are not beyond the user’s access level.
  • Discretionary Access Control: In this model, the administrator maintains a list of users who can access a resource. Discretionary Access Control provides access based on the user’s identity (not by permission level).
  • Role-Based Access Control: In this model, authorization decisions are made based on the user’s role.
  • Attribute-Based Access Control: This model, also known as fine-grained access control, considers user attributes, the attributes associated with the application, and environmental conditions when making authorization decisions.

What’s XACML?

  • XACML facilitates a standard way to write access control rules and evaluate access requests according to the rules defined in policies.
  • As XACML is a request/response language, it enables a standard mechanism of querying authorization requests and responding with the authorization decisions.
  • XACML lets you compose a query to ask whether the given action should be allowed or not, and interprets the result.
  • XACML supports standard extension points for defining new functions, data types, combining logic, etc.

Reference Architecture of XACML

  1. The PEP then communicates that access request to the Policy Decision Point (PDP).
  2. The PDP in turn requests the attributes relevant to verifying the legitimacy of the access request from the Policy Information Point (PIP).
  3. Next, the PIP forwards this access request to the Attribute Store.
  4. The Attribute Store sends the relevant attributes back to the PIP.
  5. The PIP then forwards these attributes to the PDP.
  6. Next, the PDP requests the policies relevant to verifying the legitimacy of this access request from the Policy Administration Point (PAP).
  7. The PAP forwards this request to the Policy Store.
  8. The Policy Store then sends the relevant policies back to the PAP.
  9. The PAP forwards these policies to the PDP.
  10. Finally, the PDP, after considering the received attributes and policies, decides whether or not to grant permission to access the requested resource and sends this decision back to the PEP.
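The flow above, as an added Python example that is not from the article: a PEP builds a request, the PDP pulls attributes through a PIP and policies through a PAP, evaluates the rules and combines their effects. The Santa/chimney policy, the attribute values and the simplified dict representation of a policy (instead of XACML XML) are all constructed for illustration.

```python
from datetime import datetime
# Attribute Store behind the PIP (constructed sample data, not from the article).
ATTRIBUTE_STORE = {
    "santa": {"role": "gift-deliverer", "on-duty": True},
    "grinch": {"role": "villain", "on-duty": False},
}

# Policy Store behind the PAP: a target plus rules, mirroring an XACML policy.
POLICY_STORE = [{
    "target": {"resource": "chimney", "action": "slide-through"},
    "rules": [
        # Santa may slide through only on 24 or 25 December.
        {"effect": "Permit", "condition": lambda a: a["role"] == "gift-deliverer"
            and a["month"] == 12 and a["day"] in (24, 25)},
        # Anyone off duty is denied, whatever else matches.
        {"effect": "Deny", "condition": lambda a: not a["on-duty"]},
    ],
}]

def pip_lookup(subject, now_iso):
    """PIP: subject attributes from the Attribute Store plus environment (time)."""
    now = datetime.fromisoformat(now_iso)
    attrs = dict(ATTRIBUTE_STORE.get(subject, {"role": "unknown", "on-duty": False}))
    attrs.update({"month": now.month, "day": now.day})
    return attrs

def pap_policies_for(request):
    """PAP: policies whose target matches the request's resource and action."""
    return [p for p in POLICY_STORE
            if all(request.get(k) == v for k, v in p["target"].items())]

def combine(effects):
    """deny-overrides: one Deny beats any Permit; no match means NotApplicable."""
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def pdp_decide(request, now_iso):
    """PDP: collect attributes (PIP) and policies (PAP), evaluate every rule, combine."""
    attrs = pip_lookup(request["subject"], now_iso)
    effects = [r["effect"] for p in pap_policies_for(request)
               for r in p["rules"] if r["condition"](attrs)]
    return combine(effects)

def pep_enforce(subject, resource, action, now_iso):
    """PEP: build the request, ask the PDP, and let only an explicit Permit through."""
    request = {"subject": subject, "resource": resource, "action": action}
    decision = pdp_decide(request, now_iso)
    return decision == "Permit", decision
```

Note that the PEP treats anything other than an explicit Permit (Deny, NotApplicable) as a refusal, so a request that no policy covers is not silently allowed.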

Pros and Cons

  • XACML has a standard way of processing authorization requests, defining authorization policies, and sending standard requests and responses. This leads to interoperability and easy integration.
  • The components of the XACML reference architecture are loosely coupled, so no component needs to be aware of the others' internals. This gives the freedom to source these components from different vendors, which makes the solution vendor-neutral.
  • Writing XACML policies is not an easy task.
  • As policies can be bulky, evaluating them can have a negative impact on performance.

Business Analyst | Product Manager | Tech Writer
Yvonne Wickramasinghe