A Comparison of Technologies (Continued)

We’ll move forward now and look at extensible access control markup language. We’ve mentioned this earlier in section 3 of the course, XACML. And this is another open standard from OASIS. And we’ve said, when we reference this - it was when we were talking about access control - this is a next generation type of access control. So this uses a markup language to try to manage access control. So this is something that you could typically read, it’s almost like an XML type document, decouples the access decision from the point of use. So here, what we have is something that typically, when implemented, XACML allows for immediate access decisions to be made based on a series of branching logic decisions.

So this is very strongly linked to attribute-based access control, ABAC. So the decoupling is helpful in addressing things like logged in users having permissions that have been revoked centrally. So this allows, XACML allows, for dynamically updating of access control lists, and those changes can take place immediately. So effectively, updates to policy can now be instant. Version 1 of the standard was ratified by the OASIS group in 2003. Version 2 was ratified by the OASIS group in 2005, February the 1st of 2005. The first committee specification of XACML version 3 was released in 2010. The components within XACML are the policy administration points, the PAP, and the policy administration point is the point which manages the authorization policies.

We have the policy decision point - this is the point which evaluates the access requests against authorization policies before issuing access decisions. We have the policy enforcement points here, we’re intercepting the user’s access request to a resource, and making a decision request to the policy decision point to obtain the correct decision. We have the policy information point. This is the system or the entity that acts as a source of attribute values. For example, a resource, a subject, or an environment. And we have the policy retrieval point. This is where the XACML access authorization policies are stored. This is typically some sort of database or file system. Just shown on this slide, what an XACML definition looks like.

And you can see, this is semi-readable. So this is structured into three areas. We have the policy set, the policy itself, and the rule. And a policy set can contain any number of policy elements, and policy set elements. And a policy can contain any number of rules. So typical rules might be, if somebody belongs to a group called HR, then they are allowed access to a particular resource. But this is semi-readable. The XACML and attributes-based access control, very much next generation, and are something to be aware of because they will continue, they are likely to continue to grow over the coming years. So the JSON profile allows for that integration between the PEP and the PDP.

XACML, SAML, and OAuth - two of these are OASIS standards. We have SAML and XACML, both produced by OASIS as a group. XACML complements SAML very well, as you’d imagine, in the same way that Open Authorization and Open ID Connect had the same origins, created by the same group. XACML and SAML blend very well together because they were both created by the OASIS group. So it offers the access control beyond the single sign on provided by SAML. So OAuth is authorization, and effectively is an alternative to XACML. You can use OAuth and XACML together to provide enhanced access control, and OAuth version 2 differs from XACML because the origins are very different as well.

OAuth is typically about the delegated access control, where XACML is about the ongoing enforcement at a transactional level. So OAuth is very much about delegating the permission to log on to a particular service, granting the permission to access the service, where XACML is that very rich ongoing transactional enforcement that we’ve talked about previously.