Skip main navigation

A Comparison of Technologies (Continued)

In this video, you will learn about eXtensible Access Control Mark-up Language (XACML), which will be compared with SAML and OAuth.
6.2
We’ll move forward now and look at extensible access control markup language. We’ve mentioned this earlier in section 3 of the course, XACML. And this is another open standard from OASIS. And we’ve said, when we reference this - it was when we were talking about access control - this is a next generation type of access control. So this uses a markup language to try to manage access control. So this is something that you could typically read, it’s almost like an XML type document, decouples the access decision from the point of use. So here, what we have is something that typically, when implemented, XACML allows for immediate access decisions to be made based on a series of branching logic decisions.
54
So this is very strongly linked to attribute-based access control, ABAC. So the decoupling is helpful in addressing things like logged in users having permissions that have been revoked centrally. So this allows, XACML allows, for dynamically updating of access control lists, and those changes can take place immediately. So effectively, updates to policy can now be instant. Version 1 of the standard was ratified by the OASIS group in 2003. Version 2 was ratified by the OASIS group in 2005, February the 1st of 2005. The first committee specification of XACML version 3 was released in 2010. The components within XACML are the policy administration points, the PAP, and the policy administration point is the point which manages the authorization policies.
110.8
We have the policy decision point - this is the point which evaluates the access requests against authorization policies before issuing access decisions. We have the policy enforcement points here, we’re intercepting the user’s access request to a resource, and making a decision request to the policy decision point to obtain the correct decision. We have the policy information point. This is the system or the entity that acts as a source of attribute values. For example, a resource, a subject, or an environment. And we have the policy retrieval point. This is where the XACML access authorization policies are stored. This is typically some sort of database or file system. Just shown on this slide, what an XACML definition looks like.
162.4
And you can see, this is semi-readable. So this is structured into three areas. We have the policy set, the policy itself, and the rule. And a policy set can contain any number of policy elements, and policy set elements. And a policy can contain any number of rules. So typical rules might be, if somebody belongs to a group called HR, then they are allowed access to a particular resource. But this is semi-readable. The XACML and attributes-based access control, very much next generation, and are something to be aware of because they will continue, they are likely to continue to grow over the coming years. So the JSON profile allows for that integration between the PEP and the PDP.
215.3
XACML, SAML, and OAuth - two of these are OASIS standards. We have SAML and XACML, both produced by OASIS as a group. XACML complements SAML very well, as you’d imagine, in the same way that Open Authorization and Open ID Connect had the same origins, created by the same group. XACML and SAML blend very well together because they were both created by the OASIS group. So it offers the access control beyond the single sign on provided by SAML. So OAuth is authorization, and effectively is an alternative to XACML. You can use OAuth and XACML together to provide enhanced access control, and OAuth version 2 differs from XACML because the origins are very different as well.
274.1
OAuth is typically about the delegated access control, where XACML is about the ongoing enforcement at a transactional level. So OAuth is very much about delegating the permission to log on to a particular service, granting the permission to access the service, where XACML is that very rich ongoing transactional enforcement that we’ve talked about previously.

In this video, you will learn about eXtensible Access Control Mark-up Language (XACML), which will be compared with SAML and OAuth.

Reflect and share: Now that you have learned about the comparison of technologies, what might be most suitable for your context and why? Share with your fellow learners below.

This article is from the free online

Cyber Security Foundations: Reinforcing Identity and Access Management

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education