XACML

XACML (eXtensible Access Control Markup Language) is an open standard from OASIS for expressing and enforcing access control policies. It provides a framework and language for describing who may access which resources under which conditions, and for returning standardized access decisions across diverse systems. XACML supports attribute-based access control (ABAC) by evaluating policies with attributes supplied by the access request and external sources.

Core components include the Policy Enforcement Point (PEP), which intercepts access requests; the Policy Decision Point (PDP), which evaluates requests against policies; the Policy Administration Point (PAP), which creates and manages policies; and the Policy Information Point (PIP), which supplies attribute values. The evaluation process yields a decision such as Permit, Deny, NotApplicable, or Indeterminate, and can include obligations or advice that direct the PEP to take additional actions. Policies are composed in a hierarchical structure of Policy and PolicySet elements, using targets, rules, conditions, and combining algorithms to resolve conflicts between multiple rules.

XACML documents are written in XML and rely on a rich typing system of attributes, functions, and data types. The standard defines profiles to support common use cases such as web services, but real-world deployments often extend it with PEP and PAP tooling and integrate it with identity and entitlement systems. XACML 3.0, the current widely implemented version, introduces simplified profile support and improved interoperability with RESTful and SOAP-based services.

A key strength of XACML is fine-grained access control across heterogeneous domains, including enterprise applications, cloud services, and healthcare systems. Its long-standing use in access governance, coupled with its standardized decision format, supports centralized authorization management while enabling local policy enforcement at the data or service boundary.
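The following is an added example, written for this article and not taken from the XACML specification or from any OASIS reference implementation. It models the architecture described above in Python: a PEP hands a request context to a PDP, a PIP fills in attributes the request does not carry, each Rule has a target, a condition, an effect and optional obligations, and a rule-combining algorithm resolves the individual rule results into one of Permit, Deny, NotApplicable or Indeterminate. The policy, rule identifiers, attribute names and the PIP directory are constructed for the example, and the combining algorithms are simplified (the extended Indeterminate variants of XACML 3.0 are folded into a single Indeterminate).

```python
"""Minimal XACML-style PEP / PDP / PIP flow (illustrative, not a spec implementation).

Added example; identifiers such as "medical-records", "audit-log" and the
subject ids are constructed, and the combining algorithms are simplified.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Request context: attributes grouped by category (subject, resource, action, environment).
Request = Dict[str, Dict[str, object]]


@dataclass
class Rule:
    rule_id: str
    effect: str                                            # Permit or Deny
    target: Callable[[Request], bool]                      # cheap applicability test
    condition: Callable[[Request], bool] = lambda r: True  # evaluated only when the target matches
    obligations: List[str] = field(default_factory=list)   # returned only when this rule's effect wins


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]
    rules: List[Rule]
    combining: str = "deny-overrides"


@dataclass
class Decision:
    decision: str
    obligations: List[str] = field(default_factory=list)


def evaluate_rule(rule: Rule, req: Request) -> str:
    """NotApplicable if the target misses, Indeterminate if the condition cannot be
    evaluated (e.g. a required attribute is absent), otherwise the rule's effect."""
    try:
        if not rule.target(req):
            return NOT_APPLICABLE
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except (KeyError, TypeError):
        return INDETERMINATE


def combine(algorithm: str, results) -> str:
    """Simplified rule-combining algorithms: deny-overrides, permit-overrides, first-applicable."""
    results = list(results)
    if algorithm == "first-applicable":
        return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)
    strong, weak = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    if strong in results:
        return strong
    if INDETERMINATE in results:      # an error could have produced the overriding effect
        return INDETERMINATE
    if weak in results:
        return weak
    return NOT_APPLICABLE


def evaluate(policy: Policy, req: Request) -> Decision:
    """Policy Decision Point: apply the policy target, evaluate rules, combine, attach obligations."""
    if not policy.target(req):
        return Decision(NOT_APPLICABLE)
    results = {r.rule_id: evaluate_rule(r, req) for r in policy.rules}
    final = combine(policy.combining, results.values())
    obligations = [o for r in policy.rules if results[r.rule_id] == final for o in r.obligations]
    return Decision(final, obligations)


# Constructed PIP data: subject attributes that the request itself does not carry.
PIP_DIRECTORY = {"u-100": {"clearance": 3}, "u-200": {"clearance": 1}}


def pip_enrich(req: Request) -> Request:
    """Policy Information Point: look up missing subject attributes without mutating the request."""
    ctx = {cat: dict(attrs) for cat, attrs in req.items()}
    for k, v in PIP_DIRECTORY.get(ctx["subject"].get("id"), {}).items():
        ctx["subject"].setdefault(k, v)
    return ctx


RECORDS_POLICY = Policy(
    policy_id="medical-records",
    target=lambda r: r["resource"].get("type") == "medical-record",
    rules=[
        Rule("treating-physician-may-read", PERMIT,
             target=lambda r: r["subject"].get("role") == "physician",
             condition=lambda r: r["subject"]["id"] in r["resource"]["care-team"],
             obligations=["audit-log"]),
        Rule("nobody-deletes", DENY,
             target=lambda r: r["action"].get("id") == "delete"),
        Rule("cleared-clerk-may-read", PERMIT,
             target=lambda r: r["subject"].get("role") == "records-clerk" and r["action"].get("id") == "read",
             condition=lambda r: r["subject"]["clearance"] >= 2),  # KeyError -> Indeterminate without the PIP
    ],
)


def make_request(subject: dict, resource: dict, action: str) -> Request:
    return {"subject": subject, "resource": resource, "action": {"id": action}, "environment": {}}


def pep(req: Request, use_pip: bool = True) -> Decision:
    """Policy Enforcement Point: optionally consult the PIP, then ask the PDP.
    A deny-biased PEP grants access only on Permit and only after fulfilling obligations."""
    return evaluate(RECORDS_POLICY, pip_enrich(req) if use_pip else req)


if __name__ == "__main__":
    record = {"type": "medical-record", "care-team": ["u-300"]}
    print(pep(make_request({"id": "u-300", "role": "physician"}, record, "read")))
    print(pep(make_request({"id": "u-300", "role": "physician"}, record, "delete")))
    print(pep(make_request({"id": "u-100", "role": "records-clerk"}, record, "read"), use_pip=False))
```

The `use_pip=False` call shows why the PIP matters: a rule whose condition references an attribute the request did not supply evaluates to Indeterminate, and under deny-overrides that propagates to the final decision rather than silently becoming Permit. Obligations are attached only to rules whose effect matched the final decision, so the audit obligation of the physician rule is dropped when the delete rule's Deny wins.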