XACML enables use of abstract logic to determine whether or not to grant requested access and enables true fine-grained attribute and policy-based access control. But using XACML can be tricky in several aspects. The “honey” of XACML lies in its standardization, dynamic nature, and flexibility. The “sting” lies in its inheritance, complexity and possible runtime issues.
Standardization and Compliance
XACML is an OASIS standard and meets EC-US compliance standards. Standardization ensures enhanced efficiency, with one common language and architecture across developers, enterprises and systems.
XACML is ideal for ABAC. Security policies can be easily updated or reused in multiple enforcement places to accommodate changes in governing policy or user attributes.
XACML is designed to accommodate evolving capabilities, functionality, and growth in an organization or in a system.
XACML is an XML-based language. XACML policies are verbose and syntactically sensitive. Managing large sets of XACML policies is a highly complex process and must include fool-proof ways of resolving any possible conflicts between Rules and policies. Making even minor changes can be cumbersome and time consuming. To use XACML effectively, you’ll need a skilled XACML programmer.
Limited access pattern
XACML decisions are Boolean, i.e., they can only evaluate to Permit or Deny. This makes the traffic between the PEP and the PDP very “chatty”: every access request for every session needs to be evaluated. Also, various applications, implementations and use-cases expect other responses from the PDP than a Permit or a Deny.
Management and Governance
Due to the above-mentioned complexity, organizations struggle with the adoption and the implementation of XACML at a wider enterprise scale. Without proper visibility into and understanding of authorization controls, it is hard for IT stakeholders to engage and take responsibility for business decisions. Authorization management is a practice and competence that needs adoption across single application deployments, and that is where the real challenge hides.
XACML uses real-time policy evaluation. The PDP must fetch and evaluate policies and go back and forth to the PEP for every access request. This traffic may create bottlenecks, system load issues at runtime, and longer response times. These problems may be alleviated by using a high definition PDP, caching, and other methods.
Dead or Alive
XACML is fading in importance. Despite its ambition, XACML never reached the status of a de-facto industry standard. During the last years’ evolution of cloud computing, microservices architecture and API management, XACML has failed to prove its value to the market. New standards and protocols such as OAuth, OpenID Connect, and JWT, which are not XML based, are gaining more and more ground.
PlainID’s Policy Based Access Control (PBAC) solution is the most effective way to leverage all the benefits of XACML and older role- and attribute-based access control solutions (RBAC/ABAC), without the headaches caused by writing and maintaining XACML policies.
The PlainID PBAC solution provides a user-friendly modern PAP that supports the full policy lifecycle, including version control and approval workflows. Policies are authored and maintained using a graphical visual editor that allows users to construct policies by connecting “policy building blocks” represented in natural language. The PBAC policies are implemented in a graph database that stores and visualizes the relations between identities and resources.
The access decisions are determined dynamically and in real-time, based on the relationships between users and resources plus the contextual characteristics and events that influence the decision at the time access is requested.
The policy engine supports all types of access patterns, not just the Permit/Deny decision. The same policy can support different decisions: not only Permit/Deny, but also what resources can a user access? Which users can access this resource? Which Rules/Filters apply to this user? This flexibility supports the requirements of both legacy and modern applications.
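The two access patterns contrasted above and in the “Limited access pattern” section, as an added illustration that is not PlainID’s code and not a XACML implementation: one constructed attribute-based policy is first evaluated per request (one PEP-to-PDP exchange per resource) and then answered as a single “which resources can this user access?” query. All attribute names, rules and sample data are constructed for this example.

```python
# Added illustration, not PlainID's code and not a XACML implementation: one
# constructed attribute-based policy answered two ways, per-request Permit/Deny
# (the PEP -> PDP pattern the text calls chatty) and as a single "which resources
# can this user access?" query. All attribute names and sample data are constructed.
PERMIT, DENY = "Permit", "Deny"

def evaluate(rules, subject, resource, action):
    """Deny-overrides combining: a matching Deny wins, else Permit if any Permit
    rule matched. A request matching no rule falls back to Deny (fail closed)."""
    permitted = False
    for effect, applies in rules:                 # applies(subject, resource, action) -> bool
        if applies(subject, resource, action):
            if effect == DENY:
                return DENY
            permitted = True
    return PERMIT if permitted else DENY

class Pdp:
    """Counts PEP -> PDP exchanges so the two access patterns can be compared."""
    def __init__(self, rules):
        self.rules, self.exchanges = rules, 0
    def decide(self, subject, resource, action):  # one round-trip per request
        self.exchanges += 1
        return evaluate(self.rules, subject, resource, action)
    def accessible_resources(self, subject, resources, action):  # one round-trip per set
        self.exchanges += 1
        return sorted(r["id"] for r in resources
                      if evaluate(self.rules, subject, r, action) == PERMIT)

# Constructed policy: staff may read records of their own department, but
# restricted records are denied to anyone without clearance.
RULES = [
    (PERMIT, lambda s, r, a: a == "read" and s["role"] == "staff" and s["dept"] == r["dept"]),
    (DENY, lambda s, r, a: r.get("restricted", False) and not s.get("clearance", False)),
]
ALICE = {"id": "alice", "role": "staff", "dept": "finance"}
RECORDS = [
    {"id": "fin-1", "dept": "finance"},
    {"id": "fin-2", "dept": "finance", "restricted": True},
    {"id": "hr-1", "dept": "hr"},
]

def compare_patterns(subject=ALICE, resources=RECORDS):
    """Returns (per-resource decisions, exchanges used, accessible ids, exchanges used)."""
    pdp = Pdp(RULES)
    per_request = {r["id"]: pdp.decide(subject, r, "read") for r in resources}
    chatty = pdp.exchanges
    pdp.exchanges = 0
    listing = pdp.accessible_resources(subject, resources, "read")
    return per_request, chatty, listing, pdp.exchanges
```

For the constructed data, the per-request pattern costs three exchanges to learn that only `fin-1` is readable, while the query pattern returns the same answer in one.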
The PlainID solution also supports advanced analytics, including, for example, policy test and verification tools that support impact analysis, SoD controls and policy mining. These more advanced governance capabilities are crucial for enterprise-wide deployments in large organizations.
PBAC is truly a “fresh” authorization approach that combines the best of XACML, RBAC and ABAC.