For all these reasons, XACML is ideal for access control solutions which form a cornerstone of an organization’s cybersecurity deployment, as well as blocking simple unauthorized access, and meeting compliance requirements.
Authorization is about determining which users can access which data or
Data-flow model (architectural)
XACML has four key entities. These are:
PAP (Policy Administration Point)
PDP (Policy Decision Point)
PEP (Policy Enforcement Point)
PIP (Policy Information Point)
The flow between these entities is described (simplified) below:
Policy Language
The main building blocks of the XACML language are:
Rule
Policy
Policy Set
Targets and Conditions
Obligation and Advice
Standardized request/response format between PEP and PDP
The XACML standard defines the format of the request and the response between the PEP and the PDP.
The request includes attributes that represent the user (subject), a resource, an action, and the environment. The response includes the decision i.e. Permit, Deny, Indeterminate (an error occurred, or some required value was missing, so a decision cannot be made) or Not Applicable (the request can’t be answered by this service).
The response can also include an Obligation and/or an Advice. These include instructions to the PEP how to act. The Obligation is something the PEP “must” perform before acting on the decision.
XACML enables use of abstract logic to determine whether or not to grant requested access and enables true fine-grained attribute and policy-based access control. But using XACML can be tricky in several aspects. The “honey” of XACML lies in its standardization, dynamic nature, and flexibility. The “sting” lies in its inheritance, complexity and possible runtime issues.
The Honey
Standardization and Compliance
XACML is an OASIS standard and meets EC-US compliance standards. Standardization ensures enhanced efficiency, with one common language and architecture across developers, enterprises and systems.
Flexibility
XACML is ideal for ABAC. Security policies can be easily updated or reused in multiple enforcement places to accommodate changes in governing policy or user attributes.
Dynamic
XACML is designed to accommodate evolving capabilities, functionality, and growth in an organization or in a system.
The Sting
Complexity
XACML is an XML based language. XACML policies are verbose and syntactically sensitive. Managing large sets of XACML policies is a highly complex process and must include fool-proof ways of resolving any possible conflicts between Rules and policies. Making even minor changes can be cumbersome and time consuming. To use XACML effectively, you’ll need a skilled XACML programmer.
Limited access pattern
XACML decisions are Boolean i.e. they can only evaluate to Permit and Deny. This makes the traffic between the PEP and the PDP very “chatty”. Every access request for every session needs to be evaluated. Also, various applications, implementations and use-cases expect other responses from the PDP than a Permit or a Deny.
Management and Governance
Due to the above-mentioned complexity, organizations struggle with the adoption and the implementation of XACML at a wider enterprise scale. Without proper visibility and understanding into authorization controls, it is hard for IT stakeholders to engage and take responsibility for business decisions. Authorization management is a practice and competence that needs adoption across single application deployments and here is where the real challenge hides.
Performance Bottlenecks
XACML uses real-time policy evaluation. The PDP must fetch and evaluate policies and go back and forth to the PEP for every access request. This traffic may create bottlenecks, system load issues at runtime, and longer response times. These problems may be alleviated by using a high definition PDP, caching, and other methods.
Dead or Alive
XACML is fading in importance. Despite its ambition, XACML never reached the status of becoming a de-facto industry standard. During the last years evolution of Cloud computing, Microservices architecture and API management XACML has failed to prove its value to the market. New standards and protocols such as OAuth, OpenID Connect, and JWT that are not XML based are gaining more and more ground.
PlainID’s Policy Based Access Control (PBAC) solution is the most effective way to leverage all the benefits of XACML and older role- and attribute-based access control solutions (RBAC/ABAC), without the headaches caused by writing and maintaining XACML policies.
The PlainID PBAC solution provides a user-friendly modern PAP that supports the full policy lifecycle including version control and approval workflows. Policies are authored and maintained using a graphical visual editor that allow to construct policies by connecting “policy building blocks” represented in natural language. The PBAC policies are implemented in a graph database that stores and visualizes the relations between identities and resources.
The access decisions are determined dynamically and in real-time, based on the relationships between users and resources plus the contextual characteristics and events that influence the decision at the time access is requested.
The policy engine supports all types of access patterns, not just the Permit/Deny decision. The same policy can support different decisions including; Permit/Deny but also what resources a user can access? Which users can access this resource? Which Rules/Filters apply to this user? This flexibility supports the requirements from both legacy and modern applications.
The PlainID solution also supports advanced analytics that for example includes; a policy test and verification tools that supports impact analysis, SoD controls and policy mining. These more advanced governance capabilities are crucial for enterprise wide deployments in large organizations.
PBAC is truly a “fresh” authorization approach that combines the best of XACML, RBAC and ABAC.
PlainID’s PBAC solution delivers all the benefits of XACML, RBAC and ABAC, without complex XML coding. It is a dynamic, contextually based and fine-grained authorization solution.
PlainID is the recognized leader of PBAC and has been recognized as one of the fastest growing companies.
Ready to find out more? Click here to schedule a demo with a member of the PlainID team, or check out the PlainID Summary Brief.