XACML is an XML-based OASIS standard for expressing access control rules, called policies. It allows a combination of policies and access privileges to be granted based on attributes of users, roles and other objects (attribute-based access control). XACML policies are independent of the concrete implementation of the access control, so policies can be authored, stored and enforced by different services in a distributed environment. See the model below for a general XACML diagram.
As shown above, an XACML policy set contains other policy sets or policy elements. A policy element contains a target and one or more rules. The target specifies which requests the policy applies to; the rules then determine the decision for those requests. Each rule has its own target, an effect (Permit or Deny) and optionally a condition that must also hold for the rule to apply. Rule targets contain subject, resource and action elements and thereby specify which subjects may perform which actions on which resources. Because several rules and policies may apply to the same request, each policy and policy set names a combining algorithm (for example deny-overrides or first-applicable) that reduces the individual results to a single decision.
The diagram below further clarifies the interaction between the PEP and the PDP:
Access control based on XACML proceeds as follows:
- When access to a resource is requested, all policies that apply to the request are collected and evaluated, and the result of that evaluation determines whether access is allowed.
- The client requesting the resource interacts only with the PEP, the policy enforcement point. The PEP enriches the client request with additional attributes (for example the user's roles, looked up in an identity store that plays the role of a policy information point, PIP) and then forwards it to the PDP, the policy decision point. The PDP retrieves the applicable policies from the policy store, evaluates the request against them and returns its decision to the PEP, which then grants or refuses access. Note that a PDP can answer not only Permit or Deny but also NotApplicable (no policy matched) or Indeterminate (evaluation failed, for instance because a required attribute was missing); a correctly built PEP fails closed and treats anything other than an explicit Permit as a denial.
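The policy structure described above (policy, target, rules with subject/resource/action matches and a condition) and the PEP-to-PDP exchange, as one added example in Python. This code is not part of the original page and is not an implementation from the XACML standard or from any XACML product. It embeds a constructed, simplified XACML-2.0-shaped policy (short MatchId/FunctionId names in place of the full OASIS URIs, and no namespace declaration), a toy PDP that supports only string-equal matching and the first-applicable rule-combining algorithm, and a constructed user directory that stands in for the attribute source the PEP consults; the names evaluate, pep_enforce and USER_DIRECTORY are the example's own.

```python
"""Toy XACML-style PDP and PEP (added example, not from the page or the OASIS spec)."""
import xml.etree.ElementTree as ET

# Constructed, simplified XACML 2.0-shaped policy. Real policies carry the OASIS
# namespace and full URIs for MatchId/FunctionId/DataType; they are shortened
# here so the structure Policy > Target + Rules > Target/Condition stays readable.
POLICY_XML = """\
<Policy PolicyId="medical-records" RuleCombiningAlgId="first-applicable">
  <Target/>
  <Rule RuleId="doctors-read-records" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="string-equal">
        <AttributeValue>doctor</AttributeValue><SubjectAttributeDesignator AttributeId="role"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="string-equal">
        <AttributeValue>medical-record</AttributeValue><ResourceAttributeDesignator AttributeId="type"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="string-equal">
        <AttributeValue>read</AttributeValue><ActionAttributeDesignator AttributeId="action-id"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="patients-read-own-record" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="string-equal">
        <AttributeValue>patient</AttributeValue><SubjectAttributeDesignator AttributeId="role"/>
      </SubjectMatch></Subject></Subjects>
      <Actions><Action><ActionMatch MatchId="string-equal">
        <AttributeValue>read</AttributeValue><ActionAttributeDesignator AttributeId="action-id"/>
      </ActionMatch></Action></Actions>
    </Target>
    <Condition FunctionId="string-equal">
      <SubjectAttributeDesignator AttributeId="subject-id"/>
      <ResourceAttributeDesignator AttributeId="owner"/>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
"""


def _resolve(designator, request):
    """Look up the attribute a *AttributeDesignator names; None if the request lacks it."""
    category = designator.tag.replace("AttributeDesignator", "").lower()  # subject/resource/action
    return request.get(category, {}).get(designator.get("AttributeId"))


def _match(match, request):
    """One <XxxMatch>: the literal AttributeValue must string-equal the designated attribute."""
    if match.get("MatchId") != "string-equal":
        raise ValueError("unsupported MatchId: %s" % match.get("MatchId"))
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return match.findtext("AttributeValue") == _resolve(designator, request)


def target_applies(target, request):
    """An absent or empty target matches every request. Otherwise each category present
    (Subjects/Resources/Actions) needs at least one member all of whose matches hold."""
    if target is None or len(target) == 0:
        return True
    for category in target:  # <Subjects>, <Resources>, <Actions>
        if not any(all(_match(m, request) for m in member) for member in category):
            return False
    return True


def condition_holds(rule, request):
    """Evaluate the rule's optional <Condition>; only string-equal of two designators is supported."""
    cond = rule.find("Condition")
    if cond is None:
        return True
    if cond.get("FunctionId") != "string-equal":
        raise ValueError("unsupported FunctionId: %s" % cond.get("FunctionId"))
    left, right = (_resolve(d, request) for d in cond)
    return left is not None and left == right  # two missing attributes must not compare equal


def evaluate(policy_xml, request):
    """PDP: return Permit, Deny or NotApplicable using first-applicable rule combining."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != "first-applicable":
        raise ValueError("unsupported combining algorithm")
    if not target_applies(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        if target_applies(rule.find("Target"), request) and condition_holds(rule, request):
            return rule.get("Effect")
    return "NotApplicable"


# Constructed identity store standing in for the attribute source (PIP role) that the
# PEP consults to enrich the raw client request before sending it to the PDP.
USER_DIRECTORY = {"alice": "doctor", "bob": "patient", "carol": "patient"}


def pep_enforce(user, action, resource):
    """PEP: enrich the request with the caller's role, ask the PDP, and fail closed.
    Returns (allowed, decision); only an explicit Permit allows access, and Deny,
    NotApplicable and evaluation errors (Indeterminate) are all refused."""
    request = {
        "subject": {"subject-id": user, "role": USER_DIRECTORY.get(user)},
        "resource": resource,
        "action": {"action-id": action},
    }
    try:
        decision = evaluate(POLICY_XML, request)
    except ValueError:
        decision = "Indeterminate"
    return decision == "Permit", decision


if __name__ == "__main__":
    record = {"type": "medical-record", "owner": "bob"}
    for who, act in [("alice", "read"), ("bob", "read"), ("carol", "read"), ("alice", "write")]:
        print(who, act, pep_enforce(who, act, record))
```

Running the module shows alice (a doctor) and bob (reading his own record) getting Permit, while carol reading bob's record and alice writing fall through to the final catch-all Deny rule. The two points worth carrying into a real deployment are that the PEP decides on the exact string Permit rather than on "not Deny", and that a condition comparing two attributes must not succeed when both are absent from the request.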