Enhancements and new features in #XACML 3.0

I recently had a chat with the editor of XACML 3.0, Erik Rissanen – also the CTO of Axiomatics – about the latest news on XACML 3.0: the enhancements the standard has gone through and the new features we can look forward to.

  • Multiple Decision Profile: Multiple resource request (XACML 2.0) was renamed Multiple Decision Profile (XACML 3.0) and enhanced with new variants. This profile lets a requestor –typically the Policy Enforcement Point (PEP) ask several questions in one go to which the Policy Decision Point (PDP) returns one answer with multiple decisions. This profile is particularly useful in web-portal-based scenarios where decisions have to be reached for different parts of a portal within a given page for a given user. It enhances performance as it reduces communication overhead between PEP and PDP.
  • Delegation: the ability to delegate administrative rights in XACML is new as of XACML 3.0. Delegation enables global administrators to delegate constrained administrative rights to local administrators. For instance, a global administrator can define access control (AC) policies for an entire set of resources within an organization. The administrator can also delegate the right to Administrator A to manage a set of resources SA. Administrator A’s rights to define access control rules are constrained by the delegation policy that the global administrator has defined.
    Delegation is most useful in federation scenarios, cloud-based scenarios, and in environments where the domains to secure are so vast that they require local knowledge to define relevant policies.
  • Obligation expressions: this new feature lets administrators define statements that are returned from the PDP to the PEP along with a PERMIT or DENY decision. The receiving PEP has to comply with that statement before it can act on the decision. An example of an obligation is as follows:
    • Request: Can Doctor X access Patient Y’s data?
    • Response: Permit, he can, provided you, the PEP, write in the hospital access log, the fact that Doctor X has had access to Patient Y’s data.
  • Advice expressions: this new feature is similar to obligations with the exception that PEPs do not have to comply with the statement. PEPs can consider or discard the statement.
  • Policy combination algorithms: in XACML, policies are combined together to produce a single decision. Each policy can reach different decisions. These decisions must be combined to return a single result. XACML 3.0 enhances XACML 2.0’s existing combination algorithms.
  • New attribute functions and datatypes: XACML 3.0 brings in new datatypes and new functions that can be used for the attributes and attribute matching. In particular XACML 3.0 utilizes XPath to manipulate attributes.
  • New profiles: XACML 3.0 brings additional profiles. In particular a new profile for export compliance has been produced to help author policies that can cater for export compliance scenarios. Similarly, a new profile for Intellectual Property Control (IPC) has been introduced.
  • Enhanced profiles: the Hierarchical Resource Profile present in XACML 2.0 has been reviewed and enhanced in XACML 3.0.

Erik also told me that Axiomatics‘ latest product release implements XACML 3.0 and therefore contains the aforementioned features & enhancements.