IAM Concept of the Week: XACML

Concept of the Week blog series – Every week we define and explain the significance of a concept in the world of Identity and Access Management (IAM).

Last week we talked about the importance of context and how it describes the sum of all information or attributes that we can gather about an access request. This week we’ll cover how attributes are related to access policies, and also the attribute-based XACML (eXtensible Access Control Markup Language) model.

As we mentioned previously, attributes offer a multi-dimensional way to express, in detail, the relationship between the subject, the action, the resource and the environment. By themselves, however, attributes are not enough. We need rules to resolve these attributes against. This is where access policies come in, and with them we have the ability to create policies as simple or as fine-grained as we want. For example, a simple policy could be that only hospital administrators can access all patient records. A more complex policy might be that only an administrator, with a speciality in oncology, physically located in a certain hospital department, on a certain device, can update a specific patient record.

The XACML model offers a mechanism to write and implement these policies. It was originally developed by OASIS back in 2003. A key advantage of the XACML approach is that it separates the access decision from the point of use. This means that policies are managed externally and can be updated independently of the application that is being secured.

The model architecture is comprised of the following components:

Policy Enforcement Point (PEP): Intercepts the business flow to verify that the user is authorized. Sends the authorization request to the PDP, which then grants or denies the request.

Policy Decision Point (PDP): Processes the authorization request and evaluates it against the organization’s access policies. It produces a decision that it sends back to the PEP. Queries the Policy Information Point (PIP) to retrieve information or attributes.

Policy Admin Point (PAP): Creates and manages the access policies. The policies are then deployed to the PDP.

Policy Information Point (PIP): Connects the PDP to sources of attributes.

Finally, let’s end with a simple example that shows the XACML model in action:

  1. A user attempts to access a protected resource
  2. The Policy Enforcement Point (PEP) intercepts the request and sends it to the Policy Decision Point (PDP) to verify that the user is authorized
  3. The Policy Decision Point (PDP) evaluates the access policies related to this request
  4. The Policy Decision Point (PDP) retrieves attributes related to the request from the Policy Information Points (PIP)
  5. Based on the policy and the underlying attributes the user is granted access to the protected resource

Further Reading

Other blogs in the IAM Concept of the Week series: