The XACML registry stores XACML policies using JCR/Jackrabbit, which means all backends supported by Jackrabbit can be configured. As default a file based repository is used, but it can be changed to a database-based repository, for more information see Backend configuration.
The XACML registry rest interface is used by:
- The PDP which retrieves the policies needed to evaluate an authorization request.
- The PAP which supports administration of XACML policies.
The XACML registry distinguishes two types of XACML policies:
- Role policies - used to specify roles.
- Permission policies referred to by the role policies used to specify access rules.
The XACML policy registry client used by the PDP loads all role policies into the memory in advance and supports lazy loading of permission policies.