grouped together in Policies, and a PolicySet contains Policies and possibly other PolicySets. Each of these also includes a Target, a simple condition that determines whether it should be evaluated for a given request. Combining algorithms can be used to combine Rules and Policies with potentially differing results in various ways. XACML also supports obligations and advice expressions. Obligations specify actions which must be executed during the processing of a request, for example for logging. Advice expressions are similar, but may be ignored.
Whenever you want to integrate two services together, in a traditional, legacy model you have to provide service B with your user credentials on service A so that service B can pretend to be you with service A. This of course carries many risks. Using OAuth eliminates the issues with these patterns and lets the user control what service B can do on behalf of the user with service A.

Access control rules: Allow access to resource with attribute WebService if subject is Employee and action is read or write. Administration control rules: Allow delegation of access control rule #1 to subjects
Access control rule: Allow access to resource MedicalJournal with attribute patientID=x if Subject matches DesignatedDoctorOfPatient and action is read, with obligation on Permit: doLog_Inform(patientID, Subject, time) on
Example of cross-enterprise federation where two enterprises federate using SAML and two Security Token Services (STS), establishing a circle of trust. The SAML in this picture is used for identity exchange / virtualization. The XACML is used server-side to determine whether access should be granted
The way to enable the MDP is to send an array of objects for any of the categories rather than an array of one object (or simply an object). For instance, AccessSubject is an object but Resource is an array of objects. The latter will trigger the MDP process in PDPs that support the profile. Note as
attribute of the <Policy> or <PolicySet> elements, respectively. The rule-combining algorithm defines a procedure for arriving at an access decision given the individual results of evaluation of a set of rules. Similarly, the policy-combining algorithm defines a procedure for arriving at
Conditions only exist in rules. Conditions are essentially an advanced form of a target which can use a broader range of functions and, more importantly, can be used to compare two or more attributes together, e.g. subject-id==doctor-id. With conditions, it is possible to implement segregation of duty
Open Policy Agent (OPA) is an open-source Policy Decision Point (PDP) implementation, capable of interpreting policy language to render policy decisions. OPA is a general-purpose PDP implementation which can be used for any scenario where a policy decision is required, much like PDP implementations
The implementation of delegation is new in XACML 3.0. The delegation mechanism is used to support decentralized administration of access policies. It allows an authority (delegator) to delegate all or parts of its own authority or someone else's authority to another user (delegate) without any need
In addition to being a way to check applicability, target information also provides a way to index policies, which is useful if you need to store many policies and then quickly sift through them to find which ones apply. When a request to access that service arrives, the PDP will know where to look
XACML provides a target, which is basically a set of simplified conditions for the subject, resource, and action that must be met for a policy set, policy, or rule to apply to a given request. Once a policy or policy set is found to apply to a given request, its rules are evaluated to determine the
In XACML, access control decisions to be taken are expressed as Rules. Each Rule comprises a series of conditions which decide whether a given request is approved or not. If a Rule is applicable to a request but the conditions within the Rule fail to evaluate, the result is Indeterminate. Rules are
Within XACML, a concept called obligations can be used. An obligation is a directive from the policy decision point (PDP) to the policy enforcement point (PEP) on what must be carried out before or after an access is approved. If the PEP is unable to comply with the directive, the approved access
By default a PDP processes a single request at a time, e.g. "Can Alice view item #1?". The PDP then replies with a single decision. At times, though, it is necessary to send multiple requests in one go, e.g. "Can Alice view / edit / delete items #1, #2, #3?". The Multiple Decision Profile of XACML
XACML's obligations can be an effective way to meet formal requirements (non-repudiation, for example) that can be hard to implement as access control rules. Furthermore, any formal requirements will be part of the access control policy as obligations and not as separate functions, which makes
The PDP evaluates the authorization request against the policies it is configured with. The policies are acquired via the Policy Retrieval Point (PRP) and managed by the Policy Administration Point (PAP). If needed it also retrieves attribute values from underlying Policy Information Points
XACML separates access control functionality into several components. Each operating environment in which access control is used has a Policy Enforcement Point (PEP) which implements the functionality to demand authorization and to grant or deny access to resources. These refer to an
environment-independent and central Policy Decision Point (PDP) which actually makes the decision on whether access is granted. The PDP refers to policies stored in the Policy Retrieval Point (PRP). Policies are managed through a Policy Administration Point (PAP).
This is because, in this delegation model, the delegation rights are separated from the access rights. These are instead referred to as administrative control policies. Access control and administrative policies work together as in the following scenario:
system. In XACML, attributes – information about the subject accessing a resource, the resource to be addressed, and the environment – act as inputs for the decision of whether access is granted or not. XACML can also be used to implement
delegated access control: I, the user, delegate another user or service access to the resource I own. For instance via OAuth, I grant Twitter (the service) the ability to post on my Facebook wall (the resource).
The following contains an Obligation block. Obligations are statements that can be returned along with a decision to enrich the decision flow. In this example, the PEP must log that access was granted.
well the use of the IncludeInResult attribute, which tells the PDP to return the XACML attribute and its value in the response so that decisions can be correlated to the relevant attribute values.
with attribute Consultant. Conditions: delegation must expire within 6 months, resource must not have attribute StrictlyInternal.
All three profiles were showcased at the Cloud Identity Summit 2014 in Monterey, California. Using these profiles, integrating fine-grained authorization into applications becomes much easier.
allows for this use case. The PDP will typically compute the product of all combinations, i.e. in the example above there will be 1 x 3 x 3 = 9 decisions returned in a single response.
The functions and their identifiers are fully described in the standard. Functions are type-specific, i.e. there is a function for string equality and a different one for integer equality.
SAML and XACML were designed to interoperate, where SAML is used to carry identity information / virtual identities and XACML is used to drive the access control logic through policies.

A partnership of companies' many services are protected by an access control system. The system implements the following central rules to protect its resources and to allow delegation:
is an identity SSO and federation standard used for authentication. SAML is used as a common identity token format between different applications. SAML and XACML are both defined by
for policies that might apply to this request because the policies are indexed based on their target constraints. Note that a target may also specify that it applies to any request.
Description: this function takes in a boolean function and 2 or more attribute values or bags. The higher-order function applies the boolean function to the remaining parameters.
Obligations can be used for "break-the-glass" scenarios or trust elevation ("you cannot transfer $1,000 without two-factor authentication - here is the link to the 2FA page").
XACML 3.0 introduces administrative delegation, the JSON Profile of XACML (request/response), the REST Profile of XACML, the Multiple Decision Profile of XACML, and many more.
will return true if (a) role is single-valued, and (b) there is at least one value in the attribute bag allowedRoles equal to the value inside the single-valued attribute bag role.
In addition to obligations, XACML supports advice, which is identical to obligations except that a PEP is not obliged to enforce it (hence the name).
not be realized. The augmentation of obligations eliminates a gap between formal requirements and policy enforcement. An example of an obligation could look like this:
specification. The XACML specification does not cover the design or implementation of a Policy Decision Point (PDP), only the policy language it consumes. Many
ALFA stands for Abbreviated Language for Authorization. It is a lightweight syntax used to implement policy-based access control policies. For examples refer to the
When a consultant enters the corporation, a delegation can be issued locally by the consultant's supervisor, authorizing the consultant access to systems directly.
What if the request is about Alice trying to view a document at 8am? Which rule wins? This is what combining algorithms tell us. They help resolve conflicts.

a policy language with which to express a wide range of access control policies including policies that can use consents handled / defined via OAuth.
policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies.
is considered to be an authorization standard. It differs from XACML though in its origin, its purpose, and its applications. OAuth is about:
An access control architecture with the notion of a Policy Decision Point (PDP) as previously discussed and a Policy Enforcement Point (PEP).
What happens in XACML if there are two rules (or policies) that contradict each other? Imagine for instance a first rule that would say
In 2013 and 2014, the XACML Technical Committee focused on designing new profiles to facilitate developer integration. These include:
The delegator (the supervisor in this scenario) may only have the right to delegate a limited set of access rights to consultants.
Other new features of XACML 3.0 are listed at http://www.webfarmr.eu/2010/07/enhancements-and-new-features-in-xacml-3-axiomatics/
A policy set can contain any number of policy elements and policy set elements. A policy can contain any number of rule elements.
This rule implements the use-it-or-lose-it access control paradigm. If a user does not log in for 30 days, then they lose access.
The XACML TC is also publishing a list of changes here: http://wiki.oasis-open.org/xacml/DifferencesBetweenXACML2.0AndXACML3.0
Point which intercepts the user's access request to a resource, makes a decision request to the PDP to obtain the access decision
XACML defines a long list of functions (close to 300) to manipulate and compare attributes to other attributes and values:
OPA's policy definition language is Rego, a JSON-based, Turing-incomplete language based on Datalog.

The list of higher-order functions is given below. For a formal definition, refer to the XACML standard.
An action element defines the type of access requested on the resource. Actions have one or more attributes.
to the application functionality (functional access control) and the data behind it (data access control).
Point where the XACML access authorization policies are stored, typically a database or the filesystem.
XACML does not handle user approval, delegated access or password management. XACML simply provides:
Use it or lose it: this policy denies access if lastLogin is more than 30 days away from today's date
Point which evaluates access requests against authorization policies before issuing access decisions
The PDP reaches a decision (Permit / Deny / NotApplicable / Indeterminate) and returns it to the PEP
The system entity that acts as a source of attribute values (i.e. a resource, subject, environment)
The resource element is a data, service or system component. A resource has one or more attributes.
Policies, policy sets, rules and requests all use subjects, resources, environments, and actions.
XACML and OAuth can be combined to deliver a more comprehensive approach to authorization.
profile of XACML written by Pablo Giambiagi, Srijith Nair, and David Brossard of Axiomatics
(i.e. access to the resource is approved or rejected), and acts on the received decision
A subject element is the entity requesting access. A subject has one or more attributes.
an access decision given the individual results of evaluation of a set of policies.
This rule grants access if the current time is greater than 9am and less than 5pm.
The JSON profile of XACML simplifies the integration between the PEP and the PDP.
A user sends a request which is intercepted by the Policy Enforcement Point (PEP)
policies consistent and centralization of the IT environment easier to achieve.
Version 2.0 was ratified by the OASIS standards organization on February 1, 2005.
The PEP forwards the authorization request to the Policy Decision Point (PDP)
Organization for the Advancement of Structured Information Standards (OASIS)
XACML defines a number of combining algorithms that can be identified by a
(Attributes can be fetched from an external source, e.g. an LDAP catalog.)
This image shows the XACML architecture and a sample authorization flow.
Policies written in XACML can be translated to Rego, and vice versa.
An environment element can optionally provide additional information.
In pseudo-code: deny if currentDateTime > lastLogin + 30 days
Refer to the standard for a formal definition of these functions.
Deny: doLog_UnauthorizedLogin(patientID, Subject, time)
The PEP converts the request into an XACML authorization request
Non-normative terminology (following RFC 2904, except for PAP)
Policy set, policy and rule can all contain target elements.
allOfAll (urn:oasis:names:tc:xacml:1.0:function:all-of-all)
anyOfAll (urn:oasis:names:tc:xacml:1.0:function:any-of-all)
allOfAny (urn:oasis:names:tc:xacml:1.0:function:all-of-any)
anyOfAny (urn:oasis:names:tc:xacml:3.0:function:any-of-any)
profile of XACML written by David Brossard of Axiomatics
Sample JSON Response for the Multiple Decision Profile

urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
defines a declarative fine-grained, attribute-based

Sample JSON Request for the Multiple Decision Profile
allOf (urn:oasis:names:tc:xacml:3.0:function:all-of)
anyOf(function, allowedRoles, stringOneAndOnly(role))
anyOf (urn:oasis:names:tc:xacml:3.0:function:any-of)
PDPs use XACML as their policy definition language.
Version 3.0 was ratified by OASIS in January 2013.
http://www.w3.org/2001/XMLSchema#yearMonthDuration
Point which manages access authorization policies
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
Equality, inequality and other matching functions
profile of XACML written by Remon Sinnema of EMC
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
http://www.w3.org/2001/XMLSchema#dayTimeDuration
map (urn:oasis:names:tc:xacml:1.0:function:map)
urn:oasis:names:tc:xacml:1.0:data-type:x500Name

XACML is structured into 3 levels of elements:
urn:oasis:names:tc:xacml:2.0:data-type:dnsName
http://www.w3.org/2001/XMLSchema#base64Binary

checks or relationship-based access control.
to involve modification of the root policy.
The Multiple Decision Profile of XACML 3.0

Date and time-based authorization in XACML

http://www.w3.org/2001/XMLSchema#hexBinary

parameters: anyAtomicOrBag anyAtomicOrBag*
parameters: anyAtomicOrBag anyAtomicOrBag*
parameters: anyAtomicOrBag anyAtomicOrBag*
parameters: anyAtomicOrBag anyAtomicOrBag*
XACML 3.0 sample response with obligation

http://www.w3.org/2001/XMLSchema#dateTime

eXtensible Access Control Markup Language
http://www.w3.org/2001/XMLSchema#integer
http://www.w3.org/2001/XMLSchema#boolean
http://www.w3.org/2001/XMLSchema#string
http://www.w3.org/2001/XMLSchema#double
http://www.w3.org/2001/XMLSchema#anyURI
that support the XACML specification.
http://www.w3.org/2001/XMLSchema#time
http://www.w3.org/2001/XMLSchema#date

policies. The standard, published by
932:Time-based authorization in XACML
813:
463:and a second rule that would say
584:Logical functions (and, or, not)
500:Logical functions (and, or, not)
3023:HTTP-based services / resources
1266:<xacml-ctx:PolicyIdReference
776:
232:
3113:
3090:
3026:managing owner (user) approval
2629:: "com.acme.message",
2369:: "com.acme.message",
2205:: "com.acme.message",
2041:: "com.acme.message",
1685:: "com.acme.message",
1521:: "com.acme.message",
1405:: "record" }, {
1377:: "record" }, {
1349:: "record" }, {
1333:: "Alice" }] },
1260:</xacml-ctx:Obligations>
404:access decision and response.
237:
190:attribute-based access control
1:
3235:OASIS XACML committee website
3083:
1473:: "com.acme.action",
1453:: "com.acme.action",
1433:: "com.acme.action",
1257:</xacml-ctx:Obligation>
1247:<xacml-ctx:Obligations>
1152:</xacml-ctx:Attributes>
1121:</xacml-ctx:Attributes>
1090:</xacml-ctx:Attributes>
1045:Sample requests and responses
949:Allow if time between 9 and 5
784:
713:
539:multiply (double and integer)
536:subtract (double and integer)
414:
3454:Computer security procedures
3097:Best, Karl (16 April 2001).
3057:Discretionary access control
2753:: [ {
2733:: [ {
2633:: [ {
2589:: [ {
2493:: [ {
2473:: [ {
2373:: [ {
2329:: [ {
2309:: [ {
2209:: [ {
2165:: [ {
2145:: [ {
2045:: [ {
2001:: [ {
1905:: [ {
1809:: [ {
1789:: [ {
1689:: [ {
1645:: [ {
1625:: [ {
1525:: [ {
1149:</xacml-ctx:Attribute>
1138:<xacml-ctx:AttributeValue
1118:</xacml-ctx:Attribute>
1107:<xacml-ctx:AttributeValue
1087:</xacml-ctx:Attribute>
1076:<xacml-ctx:AttributeValue
700:
594:Regular expression functions
509:Regular expression functions
482:
262:Policy Administration Point
216:Version 1.0 was ratified by
7:
3044:
2940:XACML is almost entirely a
2936:XACML and Open Policy Agent
1283:</xacml-ctx:Response>
1231:</xacml-ctx:Decision>
1203:</xacml-ctx:Response>
1184:</xacml-ctx:Decision>
542:divide (double and integer)
461:managers can view documents
10:
3480:
2942:policy definition language
1227:<xacml-ctx:Decision>
1180:<xacml-ctx:Decision>
1155:</xacml-ctx:Request>
465:no one can work before 9am
398:
211:
3283:
2931:XACML and other standards
2819:The JSON Profile of XACML
2807:The ALFA Profile of XACML
2585:: "1" },
1997:: "1" },
1901:: "1" },
1280:</xacml-ctx:Result>
1244:</xacml-ctx:Status>
1200:</xacml-ctx:Result>
1197:</xacml-ctx:Status>
1165:XACML 3.0 sample response
705:
377:Attributes and categories
298:Policy Information Point
284:Policy Enforcement Point
195:role-based access control
148:
143:
132:
127:
120:
113:
108:
100:
88:
78:
66:
48:
36:
24:
3186:10.5220/0004366200160025
3052:Mandatory access control
2685:: [ {
2529:: [ {
2461:: "delete",
2425:: [ {
2261:: [ {
2133:: "delete",
2097:: [ {
1977:: "delete",
1941:: [ {
1845:: [ {
1741:: [ {
1577:: [ {
1252:ObligationId="logAccess"
1250:<xacml-ctx:Obligation
1237:<xacml-ctx:StatusCode
1234:<xacml-ctx:Status>
1224:<xacml-ctx:Result>
1190:<xacml-ctx:StatusCode
1187:<xacml-ctx:Status>
1177:<xacml-ctx:Result>
1124:<xacml-ctx:Attributes
1093:<xacml-ctx:Attributes
1062:<xacml-ctx:Attributes
548:abs (double and integer)
545:mod (double and integer)
533:add (double and integer)
424:Obligations & Advice
3160:10.6028/NIST.SP.800-178
1131:<xacml-ctx:Attribute
1100:<xacml-ctx:Attribute
1069:<xacml-ctx:Attribute
1021:<AttributeDesignator
1018:</AttributeValue>
981:<AttributeDesignator
978:</AttributeValue>
913:<AttributeDesignator
907:</AttributeValue>
889:<AttributeDesignator
318:
309:Policy Retrieval Point
31:Declarative programming
3016:handling the password
2988:
2915: : "Permit",
2899:: } } }
2751:"PolicySetIdReference"
2727:"PolicyIdentifierList"
2721:: "edit",
2587:"PolicySetIdReference"
2571:"PolicyIdentifierList"
2565:: "view",
2491:"PolicySetIdReference"
2467:"PolicyIdentifierList"
2327:"PolicySetIdReference"
2303:"PolicyIdentifierList"
2297:: "edit",
2163:"PolicySetIdReference"
2139:"PolicyIdentifierList"
1999:"PolicySetIdReference"
1983:"PolicyIdentifierList"
1903:"PolicySetIdReference"
1887:"PolicyIdentifierList"
1881:: "edit",
1807:"PolicySetIdReference"
1783:"PolicyIdentifierList"
1777:: "view",
1643:"PolicySetIdReference"
1619:"PolicyIdentifierList"
1613:: "view",
1217:<xacml-ctx:Response
1170:<xacml-ctx:Response
604:Higher order functions
506:Higher order functions
328:
273:Policy Decision Point
221:standards organization
188:XACML is primarily an
109:Axiomatics, AuthzForce
54:; 23 years ago
3072:Model-driven security
2985:
2952:, defined by an open
2773:Developer orientation
2701:: "124",
2631:"AttributeAssignment"
2545:: "123",
2441:: "124",
2371:"AttributeAssignment"
2277:: "125",
2207:"AttributeAssignment"
2113:: "125",
2043:"AttributeAssignment"
1957:: "123",
1861:: "123",
1757:: "124",
1687:"AttributeAssignment"
1593:: "125",
1523:"AttributeAssignment"
1055:<xacml-ctx:Request
916:MustBePresent="false"
683:return value: boolean
672:return value: boolean
661:return value: boolean
650:return value: boolean
639:return value: boolean
618:return value: boolean
589:Set and bag functions
503:Set and bag functions
326:
2903:Sample JSON response
1477:: "delete",
1311:"ReturnPolicyIdList"
951:</Description>
852:</Description>
525:Arithmetic functions
494:Arithmetic functions
476:PolicyCombiningAlgId
455:Combining algorithms
3459:XML-based standards
2827:Sample JSON request
2731:"PolicyIdReference"
2673:: "2",
2657:: "1",
2575:"PolicyIdReference"
2471:"PolicyIdReference"
2413:: "2",
2397:: "1",
2307:"PolicyIdReference"
2249:: "3",
2233:: "1",
2143:"PolicyIdReference"
2085:: "3",
2069:: "1",
1987:"PolicyIdReference"
1891:"PolicyIdReference"
1787:"PolicyIdReference"
1729:: "2",
1713:: "1",
1623:"PolicyIdReference"
1565:: "3",
1549:: "1",
1160:XACML 3.0 responses
947:<Description>
848:<Description>
680:parameters: bag bag
669:parameters: bag bag
658:parameters: bag bag
355:Structural elements
80:Filename extensions
52:April 16, 2001
49:First appeared
21:
3125:www.axiomatics.com
2989:
2923: : {
2623:"AssociatedAdvice"
2363:"AssociatedAdvice"
2199:"AssociatedAdvice"
2035:"AssociatedAdvice"
1679:"AssociatedAdvice"
1515:"AssociatedAdvice"
1457:: "edit",
1437:: "view",
1010:<AttributeValue
970:<AttributeValue
924:</Condition>
899:<AttributeValue
570:string-starts-with
567:string-concatenate
472:RuleCombiningAlgId
329:
94:www.oasis-open.org
19:
3441:
3440:
1479:"IncludeInResult"
1465:}] },{
1459:"IncludeInResult"
1445:}] },{
1439:"IncludeInResult"
1415:"IncludeInResult"
1413:: "125",
1393:}] },{
1387:"IncludeInResult"
1385:: "124",
1365:}] },{
1359:"IncludeInResult"
1357:: "123",
1050:XACML 3.0 request
858:<Condition>
694:return value: bag
316:
315:
155:
154:
3471:
3269:
3262:
3255:
3246:
3245:
3217:
3211:
3205:
3204:
3198:
3190:
3188:
3173:See for example
3171:
3165:
3164:
3162:
3146:
3135:
3134:
3132:
3131:
3117:
3111:
3110:
3108:
3106:
3094:
2919: : {
2895:: {
2879:: {
2855:: {
2839:: {
2713:: {
2693:: {
2609:: "Deny",
2557:: {
2537:: {
2513:: "Deny",
2453:: {
2433:: {
2349:: "Deny",
2289:: {
2269:: {
2185:: "Deny",
2125:: {
2105:: {
2021:: "Deny",
1969:: {
1949:: {
1925:: "Deny",
1873:: {
1853:: {
1829:: "Deny",
1769:: {
1749:: {
1665:: "Deny",
1605:: {
1585:: {
1501:: "Deny",
1497:: [ {
1485:}] }] } }
772:New in XACML 3.0
627:
579:string-substring
573:string-ends-with
559:String functions
497:String functions
245:
244:
169:-based standard
96:
62:
60:
55:
22:
18:
3479:
3478:
3474:
3473:
3472:
3470:
3469:
3468:
3444:
3443:
3442:
3437:
3279:
3273:
3226:
3221:
3220:
3212:
3208:
3195:cite conference
3192:
3191:
3172:
3168:
3147:
3138:
3129:
3127:
3119:
3118:
3114:
3104:
3102:
3095:
3091:
3086:
3081:
3047:
3004:
3002:XACML and OAuth
2980:
2938:
2933:
2928:
2905:
2900:
2837:"AccessSubject"
2829:
2821:
2809:
2775:
2770:
1491:
1486:
1421:}] }],
1319:"AccessSubject"
1299:
1290:
1285:
1210:
1205:
1167:
1162:
1157:
1052:
1047:
1042:
1037:</Target>
934:
929:
855:<Target/>
832:
827:
825:Sample policies
816:
802:
787:
779:
774:
716:
708:
703:
625:
606:
601:
599:XPath functions
596:
591:
586:
576:string-contains
561:
527:
522:
512:XPath functions
485:
457:
442:
426:
417:
401:
379:
357:
352:
350:Policy elements
321:
240:
235:
214:
173:for specifying
171:markup language
103:implementations
92:
58:
56:
53:
17:
12:
11:
5:
3477:
3467:
3466:
3464:Access control
3461:
3456:
3439:
3438:
3436:
3435:
3430:
3425:
3420:
3415:
3410:
3405:
3400:
3395:
3390:
3385:
3380:
3375:
3370:
3365:
3360:
3355:
3350:
3345:
3340:
3335:
3330:
3325:
3320:
3315:
3310:
3305:
3300:
3295:
3290:
3284:
3281:
3280:
3272:
3271:
3264:
3257:
3249:
3243:
3242:
3237:
3232:
3225:
3224:External links
3222:
3219:
3218:
3206:
3166:
3136:
3112:
3088:
3087:
3085:
3082:
3080:
3079:
3074:
3069:
3064:
3059:
3054:
3048:
3046:
3043:
3039:
3038:
3035:
3028:
3027:
3024:
3021:
3014:
3003:
3000:
2979:
2978:XACML and SAML
2976:
2937:
2934:
2932:
2929:
2911: : {
2906:
2904:
2901:
2830:
2828:
2825:
2820:
2817:
2808:
2805:
2801:
2800:
2793:
2786:
2774:
2771:
2617:: {
2577:: {
2521:: {
2357:: {
2193:: {
2029:: {
1989:: {
1933:: {
1893:: {
1837:: {
1673:: {
1509:: {
1492:
1490:
1487:
1304:
1298:
1295:
1289:
1286:
1215:
1209:
1206:
1168:
1166:
1163:
1161:
1158:
1053:
1051:
1048:
1046:
1043:
1034:</AnyOf>
1031:</AllOf>
1028:</Match>
994:</AnyOf>
991:</AllOf>
988:</Match>
954:<Target>
938:
933:
930:
921:</Apply>
910:</Apply>
896:</Apply>
839:
831:
828:
826:
823:
815:
814:Other features
812:
799:
786:
783:
778:
775:
773:
770:
769:
768:
765:
762:
759:
756:
753:
750:
747:
744:
741:
738:
735:
732:
729:
726:
723:
720:
715:
712:
707:
704:
702:
699:
698:
697:
696:
695:
692:
686:
685:
684:
681:
675:
674:
673:
670:
664:
663:
662:
659:
653:
652:
651:
648:
642:
641:
640:
637:
631:
630:
629:
622:
619:
616:
605:
602:
600:
597:
595:
592:
590:
587:
585:
582:
581:
580:
577:
574:
571:
568:
560:
557:
556:
555:
552:
549:
546:
543:
540:
537:
534:
526:
523:
521:
518:
514:
513:
510:
507:
504:
501:
498:
495:
492:
484:
481:
456:
453:
439:
425:
422:
416:
413:
400:
397:
396:
395:
392:
389:
386:
378:
375:
371:
370:
367:
364:
356:
353:
351:
348:
347:
346:
343:
339:
336:
333:
320:
317:
314:
313:
310:
307:
303:
302:
299:
296:
292:
291:
285:
282:
278:
277:
274:
271:
267:
266:
263:
260:
256:
255:
252:
249:
239:
236:
234:
231:
213:
210:
183:access control
175:access control
153:
152:
146:
145:
141:
140:
130:
129:
125:
124:
118:
117:
111:
110:
106:
105:
98:
97:
90:
86:
85:
82:
76:
75:
70:
64:
63:
50:
46:
45:
40:
34:
33:
28:
15:
9:
6:
4:
3:
2:
3476:
3465:
3462:
3460:
3457:
3455:
3452:
3451:
3449:
3434:
3431:
3429:
3426:
3424:
3421:
3419:
3416:
3414:
3411:
3409:
3406:
3404:
3401:
3399:
3396:
3394:
3391:
3389:
3386:
3384:
3381:
3379:
3376:
3374:
3371:
3369:
3366:
3364:
3363:SOAP-over-UDP
3361:
3359:
3356:
3354:
3351:
3349:
3346:
3344:
3341:
3339:
3336:
3334:
3331:
3329:
3326:
3324:
3321:
3319:
3316:
3314:
3311:
3309:
3306:
3304:
3301:
3299:
3296:
3294:
3291:
3289:
3286:
3285:
3282:
3278:
3275:Standards of
3270:
3265:
3263:
3258:
3256:
3251:
3250:
3247:
3241:
3238:
3236:
3233:
3231:
3228:
3227:
3215:
3210:
3202:
3196:
3187:
3182:
3178:
3170:
3161:
3156:
3152:
3145:
3143:
3141:
3126:
3122:
3116:
3100:
3093:
3089:
3078:
3077:Authorization
3075:
3073:
3070:
3068:
3065:
3063:
3060:
3058:
3055:
3053:
3050:
3049:
3042:
3036:
3033:
3032:
3031:
3025:
3022:
3019:
3015:
3012:
3011:
3010:
3008:
2999:
2997:
2993:
2984:
2975:
2972:
2969:
2965:
2963:
2959:
2955:
2951:
2947:
2943:
2926:
2922:
2918:
2914:
2910:
2898:
2894:
2893:"Environment"
2890:
2886:
2885:"AttributeId"
2882:
2878:
2874:
2870:
2869:"AttributeId"
2866:
2862:
2861:"AttributeId"
2858:
2854:
2850:
2846:
2845:"AttributeId"
2842:
2838:
2834:
2824:
2816:
2814:
2804:
2798:
2794:
2791:
2787:
2784:
2780:
2779:
2778:
2768:
2764:
2760:
2756:
2752:
2748:
2744:
2740:
2736:
2732:
2728:
2724:
2720:
2716:
2715:"AttributeId"
2712:
2708:
2704:
2700:
2696:
2695:"AttributeId"
2692:
2688:
2684:
2680:
2676:
2672:
2668:
2667:"AttributeId"
2664:
2660:
2656:
2652:
2651:"AttributeId"
2648:
2644:
2640:
2636:
2635:"AttributeId"
2632:
2628:
2624:
2620:
2616:
2612:
2608:
2604:
2600:
2596:
2592:
2588:
2584:
2580:
2576:
2572:
2568:
2564:
2560:
2559:"AttributeId"
2556:
2552:
2548:
2544:
2540:
2539:"AttributeId"
2536:
2532:
2528:
2524:
2520:
2516:
2512:
2508:
2504:
2500:
2496:
2492:
2488:
2484:
2480:
2476:
2472:
2468:
2464:
2460:
2456:
2455:"AttributeId"
2452:
2448:
2444:
2440:
2436:
2435:"AttributeId"
2432:
2428:
2424:
2420:
2416:
2412:
2408:
2407:"AttributeId"
2404:
2400:
2396:
2392:
2391:"AttributeId"
2388:
2384:
2380:
2376:
2375:"AttributeId"
2372:
2368:
2364:
2360:
2356:
2352:
2348:
2344:
2340:
2336:
2332:
2328:
2324:
2320:
2316:
2312:
2308:
2304:
2300:
2296:
2292:
2291:"AttributeId"
2288:
2284:
2280:
2276:
2272:
2271:"AttributeId"
2268:
2264:
2260:
2256:
2252:
2248:
2244:
2243:"AttributeId"
2240:
2236:
2232:
2228:
2227:"AttributeId"
2224:
2220:
2216:
2212:
2211:"AttributeId"
2208:
2204:
2200:
2196:
2192:
2188:
2184:
2180:
2176:
2172:
2168:
2164:
2160:
2156:
2152:
2148:
2144:
2140:
2136:
2132:
2128:
2127:"AttributeId"
2124:
2120:
2116:
2112:
2108:
2107:"AttributeId"
2104:
2100:
2096:
2092:
2088:
2084:
2080:
2079:"AttributeId"
2076:
2072:
2068:
2064:
2063:"AttributeId"
2060:
2056:
2052:
2048:
2047:"AttributeId"
2044:
2040:
2036:
2032:
2028:
2024:
2020:
2016:
2012:
2008:
2004:
2000:
1996:
1992:
1988:
1984:
1980:
1976:
1972:
1971:"AttributeId"
1968:
1964:
1960:
1956:
1952:
1951:"AttributeId"
1948:
1944:
1940:
1936:
1932:
1928:
1924:
1920:
1916:
1912:
1908:
1904:
1900:
1896:
1892:
1888:
1884:
1880:
1876:
1875:"AttributeId"
1872:
1868:
1864:
1860:
1856:
1855:"AttributeId"
1852:
1848:
1844:
1840:
1836:
1832:
1828:
1824:
1820:
1816:
1812:
1808:
1804:
1800:
1796:
1792:
1788:
1784:
1780:
1776:
1772:
1771:"AttributeId"
1768:
1764:
1760:
1756:
1752:
1751:"AttributeId"
1748:
1744:
1740:
1736:
1732:
1728:
1724:
1723:"AttributeId"
1720:
1716:
1712:
1708:
1707:"AttributeId"
1704:
1700:
1696:
1692:
1691:"AttributeId"
1688:
1684:
1680:
1676:
1672:
1668:
1664:
1660:
1656:
1652:
1648:
1644:
1640:
1636:
1632:
1628:
1624:
1620:
1616:
1612:
1608:
1607:"AttributeId"
1604:
1600:
1596:
1592:
1588:
1587:"AttributeId"
1584:
1580:
1576:
1572:
1568:
1564:
1560:
1559:"AttributeId"
1556:
1552:
1548:
1544:
1543:"AttributeId"
1540:
1536:
1532:
1528:
1527:"AttributeId"
1524:
1520:
1516:
1512:
1508:
1504:
1500:
1496:
1484:
1480:
1476:
1472:
1471:"AttributeId"
1469:: [{
1468:
1464:
1460:
1456:
1452:
1451:"AttributeId"
1449:: [{
1448:
1444:
1440:
1436:
1432:
1431:"AttributeId"
1429:: [{
1428:
1424:
1420:
1416:
1412:
1408:
1407:"AttributeId"
1404:
1400:
1399:"AttributeId"
1397:: [{
1396:
1392:
1388:
1384:
1380:
1379:"AttributeId"
1376:
1372:
1371:"AttributeId"
1369:: [{
1368:
1364:
1360:
1356:
1352:
1351:"AttributeId"
1348:
1344:
1343:"AttributeId"
1341:: [{
1340:
1336:
1332:
1328:
1327:"AttributeId"
1325:: [{
1324:
1320:
1316:
1312:
1308:
1303:
1294:
1284:
1281:
1278:
1275:
1271:
1268:Version="1.0"
1267:
1264:
1261:
1258:
1255:
1251:
1248:
1245:
1242:
1238:
1235:
1232:
1228:
1225:
1222:
1218:
1214:
1204:
1201:
1198:
1195:
1191:
1188:
1185:
1182:NotApplicable
1181:
1178:
1175:
1171:
1156:
1153:
1150:
1147:
1143:
1139:
1136:
1132:
1129:
1125:
1122:
1119:
1116:
1112:
1108:
1105:
1101:
1098:
1094:
1091:
1088:
1085:
1081:
1077:
1074:
1070:
1067:
1063:
1060:
1056:
1041:
1040:</Rule>
1038:
1035:
1032:
1029:
1026:
1022:
1019:
1015:
1011:
1008:
1004:
1001:
1000:<AllOf>
998:
997:<AnyOf>
995:
992:
989:
986:
982:
979:
975:
971:
968:
964:
961:
960:<AllOf>
958:
957:<AnyOf>
955:
952:
948:
945:
941:
937:
928:
927:</Rule>
925:
922:
919:
914:
911:
908:
904:
900:
897:
894:
890:
887:
883:
880:
876:
873:
869:
866:
862:
859:
856:
853:
849:
846:
842:
838:
835:
822:
819:
811:
808:
805:
798:
795:
791:
782:
766:
763:
760:
757:
754:
751:
748:
745:
742:
739:
736:
733:
730:
727:
724:
721:
718:
717:
711:
693:
690:
689:
687:
682:
679:
678:
676:
671:
668:
667:
665:
660:
657:
656:
654:
649:
646:
645:
643:
638:
635:
634:
632:
623:
620:
617:
614:
613:
611:
610:
609:
578:
575:
572:
569:
566:
565:
564:
553:
550:
547:
544:
541:
538:
535:
532:
531:
530:
517:
511:
508:
505:
502:
499:
496:
493:
490:
489:
488:
480:
477:
473:
468:
466:
462:
452:
449:
446:
438:
436:
432:
421:
412:
409:
405:
393:
390:
387:
384:
383:
382:
374:
368:
365:
362:
361:
360:
344:
340:
337:
334:
331:
330:
325:
311:
308:
305:
304:
300:
297:
294:
293:
290:
286:
283:
280:
279:
275:
272:
269:
268:
264:
261:
258:
257:
253:
250:
247:
246:
243:
230:
227:
224:
222:
219:
209:
206:
202:
198:
196:
191:
186:
184:
180:
176:
172:
168:
164:
160:
151:
147:
142:
139:
135:
131:
128:Influenced by
126:
123:
119:
116:
112:
107:
104:
99:
95:
91:
87:
83:
81:
77:
74:
71:
69:
65:
51:
47:
44:
41:
39:
35:
32:
29:
27:
23:
3432:
3413:WS-Discovery
3348:OpenDocument
3209:
3176:
3169:
3128:. Retrieved
3124:
3121:"pure-xacml"
3115:
3103:. Retrieved
3092:
3040:
3029:
3018:anti-pattern
3005:
2990:
2973:
2970:
2966:
2941:
2939:
2924:
2921:"StatusCode"
2920:
2916:
2912:
2908:
2896:
2892:
2888:
2884:
2880:
2876:
2872:
2868:
2864:
2860:
2856:
2852:
2848:
2844:
2840:
2836:
2835:: {
2832:
2822:
2813:main article
2810:
2802:
2776:
2766:
2762:
2758:
2754:
2750:
2746:
2742:
2738:
2734:
2730:
2729:: {
2726:
2722:
2718:
2714:
2710:
2707:"CategoryId"
2706:
2702:
2698:
2694:
2690:
2687:"CategoryId"
2686:
2682:
2678:
2674:
2670:
2666:
2662:
2658:
2654:
2650:
2646:
2642:
2638:
2634:
2630:
2626:
2625:: {
2622:
2618:
2615:"StatusCode"
2614:
2613:: {
2610:
2606:
2602:
2598:
2594:
2590:
2586:
2582:
2578:
2574:
2573:: {
2570:
2566:
2562:
2558:
2554:
2551:"CategoryId"
2550:
2546:
2542:
2538:
2534:
2531:"CategoryId"
2530:
2526:
2522:
2519:"StatusCode"
2518:
2517:: {
2514:
2510:
2506:
2502:
2498:
2494:
2490:
2486:
2482:
2478:
2474:
2470:
2469:: {
2466:
2462:
2458:
2454:
2450:
2447:"CategoryId"
2446:
2442:
2438:
2434:
2430:
2427:"CategoryId"
2426:
2422:
2418:
2414:
2410:
2406:
2402:
2398:
2394:
2390:
2386:
2382:
2378:
2374:
2370:
2366:
2365:: {
2362:
2358:
2355:"StatusCode"
2354:
2353:: {
2350:
2346:
2342:
2338:
2334:
2330:
2326:
2322:
2318:
2314:
2310:
2306:
2305:: {
2302:
2298:
2294:
2290:
2286:
2283:"CategoryId"
2282:
2278:
2274:
2270:
2266:
2263:"CategoryId"
2262:
2258:
2254:
2250:
2246:
2242:
2238:
2234:
2230:
2226:
2222:
2218:
2214:
2210:
2206:
2202:
2201:: {
2198:
2194:
2191:"StatusCode"
2190:
2189:: {
2186:
2182:
2178:
2174:
2170:
2166:
2162:
2158:
2154:
2150:
2146:
2142:
2141:: {
2138:
2134:
2130:
2126:
2122:
2119:"CategoryId"
2118:
2114:
2110:
2106:
2102:
2099:"CategoryId"
2098:
2094:
2090:
2086:
2082:
2078:
2074:
2070:
2066:
2062:
2058:
2054:
2050:
2046:
2042:
2038:
2037:: {
2034:
2030:
2027:"StatusCode"
2026:
2025:: {
2022:
2018:
2014:
2010:
2006:
2002:
1998:
1994:
1990:
1986:
1985:: {
1982:
1978:
1974:
1970:
1966:
1963:"CategoryId"
1962:
1958:
1954:
1950:
1946:
1943:"CategoryId"
1942:
1938:
1934:
1931:"StatusCode"
1930:
1929:: {
1926:
1922:
1918:
1914:
1910:
1906:
1902:
1898:
1894:
1890:
1889:: {
1886:
1882:
1878:
1874:
1870:
1867:"CategoryId"
1866:
1862:
1858:
1854:
1850:
1847:"CategoryId"
1846:
1842:
1838:
1835:"StatusCode"
1834:
1833:: {
1830:
1826:
1822:
1818:
1814:
1810:
1806:
1802:
1798:
1794:
1790:
1786:
1785:: {
1782:
1778:
1774:
1770:
1766:
1763:"CategoryId"
1762:
1758:
1754:
1750:
1746:
1743:"CategoryId"
1742:
1738:
1734:
1730:
1726:
1722:
1718:
1714:
1710:
1706:
1702:
1698:
1694:
1690:
1686:
1682:
1681:: {
1678:
1674:
1671:"StatusCode"
1670:
1669:: {
1666:
1662:
1658:
1654:
1650:
1646:
1642:
1638:
1634:
1630:
1626:
1622:
1621:: {
1618:
1614:
1610:
1606:
1602:
1599:"CategoryId"
1598:
1594:
1590:
1586:
1582:
1579:"CategoryId"
1578:
1574:
1570:
1566:
1562:
1558:
1554:
1550:
1546:
1542:
1538:
1534:
1530:
1526:
1522:
1518:
1517:: {
1514:
1510:
1507:"StatusCode"
1506:
1505:: {
1502:
1498:
1494:
1482:
1478:
1474:
1470:
1466:
1462:
1458:
1454:
1450:
1446:
1442:
1438:
1434:
1430:
1426:
1422:
1418:
1414:
1410:
1406:
1402:
1398:
1394:
1390:
1386:
1382:
1378:
1374:
1370:
1366:
1362:
1358:
1354:
1350:
1346:
1342:
1338:
1334:
1330:
1326:
1322:
1318:
1314:
1310:
1306:
1300:
1291:
1282:
1279:
1276:
1273:
1269:
1265:
1262:
1259:
1256:
1253:
1249:
1246:
1243:
1240:
1236:
1233:
1230:
1226:
1223:
1220:
1216:
1211:
1202:
1199:
1196:
1193:
1189:
1186:
1183:
1179:
1176:
1173:
1169:
1154:
1151:
1148:
1145:
1141:
1137:
1134:
1130:
1127:
1123:
1120:
1117:
1114:
1110:
1106:
1103:
1099:
1096:
1092:
1089:
1086:
1083:
1079:
1075:
1072:
1068:
1065:
1061:
1058:
1054:
1039:
1036:
1033:
1030:
1027:
1024:
1020:
1017:
1013:
1009:
1006:
1002:
999:
996:
993:
990:
987:
984:
980:
977:
973:
969:
966:
962:
959:
956:
953:
950:
946:
943:
939:
935:
926:
923:
920:
917:
912:
909:
906:
902:
898:
895:
892:
888:
885:
881:
878:
874:
871:
868:<Function
867:
864:
860:
857:
854:
851:
847:
844:
840:
836:
833:
820:
817:
809:
806:
803:
796:
792:
788:
780:
777:New profiles
709:
607:
562:
528:
515:
486:
475:
471:
469:
464:
460:
458:
450:
447:
443:
434:
430:
427:
418:
410:
406:
402:
380:
372:
358:
288:
254:Description
241:
233:Architecture
228:
225:
215:
207:
203:
199:
187:
162:
158:
156:
150:ALFA (XACML)
122:ALFA (XACML)
2962:open-source
2958:proprietary
2897:"Attribute"
2881:"Attribute"
2857:"Attribute"
2841:"Attribute"
2711:"Attribute"
2691:"Attribute"
2555:"Attribute"
2535:"Attribute"
2451:"Attribute"
2431:"Attribute"
2287:"Attribute"
2267:"Attribute"
2123:"Attribute"
2103:"Attribute"
1967:"Attribute"
1947:"Attribute"
1871:"Attribute"
1851:"Attribute"
1767:"Attribute"
1747:"Attribute"
1603:"Attribute"
1583:"Attribute"
1467:"Attribute"
1447:"Attribute"
1427:"Attribute"
1425:: [{
1395:"Attribute"
1367:"Attribute"
1339:"Attribute"
1337:: [{
1323:"Attribute"
238:Terminology
84:.xml, .alfa
3448:Categories
3130:2016-04-27
3105:31 October
3084:References
2913:"Decision"
2909:"Response"
2853:"Resource"
2723:"DataType"
2703:"DataType"
2683:"Category"
2679:"DataType"
2675:"Category"
2663:"DataType"
2659:"Category"
2647:"DataType"
2643:"Category"
2607:"Decision"
2567:"DataType"
2547:"DataType"
2527:"Category"
2511:"Decision"
2463:"DataType"
2443:"DataType"
2423:"Category"
2419:"DataType"
2415:"Category"
2403:"DataType"
2399:"Category"
2387:"DataType"
2383:"Category"
2347:"Decision"
2299:"DataType"
2279:"DataType"
2259:"Category"
2255:"DataType"
2251:"Category"
2239:"DataType"
2235:"Category"
2223:"DataType"
2219:"Category"
2183:"Decision"
2135:"DataType"
2115:"DataType"
2095:"Category"
2091:"DataType"
2087:"Category"
2075:"DataType"
2071:"Category"
2059:"DataType"
2055:"Category"
2019:"Decision"
1979:"DataType"
1959:"DataType"
1939:"Category"
1923:"Decision"
1883:"DataType"
1863:"DataType"
1843:"Category"
1827:"Decision"
1779:"DataType"
1759:"DataType"
1739:"Category"
1735:"DataType"
1731:"Category"
1719:"DataType"
1715:"Category"
1703:"DataType"
1699:"Category"
1663:"Decision"
1615:"DataType"
1595:"DataType"
1575:"Category"
1571:"DataType"
1567:"Category"
1555:"DataType"
1551:"Category"
1539:"DataType"
1535:"Category"
1499:"Decision"
1495:"Response"
1335:"Resource"
1321:: {
785:Delegation
714:Data types
415:Conditions
363:PolicySet,
144:Influenced
59:2001-04-16
3007:OAuth 2.0
2944:based on
2833:"Request"
2767:"Version"
2759:"Version"
2747:"Version"
2739:"Version"
2603:"Version"
2595:"Version"
2583:"Version"
2507:"Version"
2499:"Version"
2487:"Version"
2479:"Version"
2343:"Version"
2335:"Version"
2323:"Version"
2315:"Version"
2179:"Version"
2171:"Version"
2159:"Version"
2151:"Version"
2015:"Version"
2007:"Version"
1995:"Version"
1919:"Version"
1911:"Version"
1899:"Version"
1823:"Version"
1815:"Version"
1803:"Version"
1795:"Version"
1659:"Version"
1651:"Version"
1639:"Version"
1631:"Version"
1307:"Request"
1003:<Match
963:<Match
882:<Apply
875:<Apply
861:<Apply
701:XACML 3.0
624:Example:
483:Functions
223:in 2003.
38:Developer
3067:GeoXACML
3045:See also
2917:"Status"
2877:"Action"
2611:"Status"
2515:"Status"
2351:"Status"
2187:"Status"
2023:"Status"
1927:"Status"
1831:"Status"
1667:"Status"
1503:"Status"
1423:"Action"
1309:: {
1016:17:00:00
976:09:00:00
940:<Rule
841:<Rule
165:) is an
115:Dialects
26:Paradigm
3408:WS-BPEL
3308:DocBook
3101:. OASIS
2925:"Value"
2889:"Value"
2873:"Value"
2865:"Value"
2849:"Value"
2719:"Value"
2699:"Value"
2671:"Value"
2655:"Value"
2639:"Value"
2619:"Value"
2563:"Value"
2543:"Value"
2523:"Value"
2459:"Value"
2439:"Value"
2411:"Value"
2395:"Value"
2379:"Value"
2359:"Value"
2295:"Value"
2275:"Value"
2247:"Value"
2231:"Value"
2215:"Value"
2195:"Value"
2131:"Value"
2111:"Value"
2083:"Value"
2067:"Value"
2051:"Value"
2031:"Value"
1975:"Value"
1955:"Value"
1935:"Value"
1879:"Value"
1859:"Value"
1839:"Value"
1775:"Value"
1755:"Value"
1727:"Value"
1711:"Value"
1695:"Value"
1675:"Value"
1611:"Value"
1591:"Value"
1563:"Value"
1547:"Value"
1531:"Value"
1511:"Value"
1475:"Value"
1455:"Value"
1435:"Value"
1411:"Value"
1403:"Value"
1383:"Value"
1375:"Value"
1355:"Value"
1347:"Value"
1331:"Value"
1113:doc#123
399:Targets
366:Policy,
212:History
89:Website
68:License
57: (
3062:PERMIS
2831:{
1317:,
1229:Permit
706:Schema
342:(PIP).
248:Abbr.
101:Major
3433:XACML
3403:XLIFF
3373:TOSCA
3328:ebXML
3277:OASIS
2996:OASIS
2954:OASIS
1241:/>
1194:/>
1144:Alice
1025:/>
985:/>
918:/>
893:/>
872:/>
554:floor
551:round
369:Rule.
251:Term
218:OASIS
179:OASIS
163:XACML
73:OASIS
20:XACML
3423:WSRP
3418:WSRF
3388:WSDM
3383:UDDI
3368:SPML
3353:SAML
3343:KMIP
3333:EDXL
3323:DPWS
3318:DSML
3313:DITA
3288:AMQP
3201:link
3107:2016
2992:SAML
2960:and
2950:XSLT
2948:and
2907:{
2797:ALFA
2795:The
2790:JSON
2788:The
2783:REST
2781:The
2763:"Id"
2755:"Id"
2743:"Id"
2735:"Id"
2627:"Id"
2599:"Id"
2591:"Id"
2579:"Id"
2503:"Id"
2495:"Id"
2483:"Id"
2475:"Id"
2367:"Id"
2339:"Id"
2331:"Id"
2319:"Id"
2311:"Id"
2203:"Id"
2175:"Id"
2167:"Id"
2155:"Id"
2147:"Id"
2039:"Id"
2011:"Id"
2003:"Id"
1991:"Id"
1915:"Id"
1907:"Id"
1895:"Id"
1819:"Id"
1811:"Id"
1799:"Id"
1791:"Id"
1683:"Id"
1655:"Id"
1647:"Id"
1635:"Id"
1627:"Id"
1519:"Id"
1493:{
1483:true
1463:true
1443:true
1419:true
1391:true
1363:true
1315:true
1305:{
1270:>
1254:>
1221:>
1174:>
1142:>
1135:>
1128:>
1111:>
1104:>
1097:>
1082:view
1080:>
1073:>
1066:>
1059:>
1014:>
1007:>
974:>
967:>
944:>
905:P30D
903:>
886:>
879:>
865:>
845:>
435:must
319:Flow
306:PRP
295:PIP
281:PEP
270:PDP
259:PAP
157:The
138:SAML
3428:WSS
3398:XDI
3393:XRI
3378:UBL
3358:SDD
3338:EML
3303:DSS
3298:CAP
3293:CAM
3181:doi
3155:doi
2946:XML
474:or
433:or
431:may
167:XML
134:XML
3450::
3197:}}
3193:{{
3153:.
3139:^
3123:.
2815:.
1481::
1461::
1441::
1417::
1389::
1361::
1313::
197:.
136:,
3268:e
3261:t
3254:v
3203:)
3189:.
3183::
3163:.
3157::
3133:.
3109:.
161:(
61:)