onsdag 27 november 2013

XACML: Dead or Alive


In order to bring clarity of whether XACML is dead, some analysts have claimed, or alive, we need to first understand what XACML is and where it fits in.


First of all XACML stands for eXtensible Access Control Markup Language and is the current de facto standard for a declarative language to define access control policies. Its fully implemented in XML. Its an Oasis standard and XACML 3.0 was released in January 2013, and of course the idea behind a standard is to promote a common terminology and ensure interoperability between access control implementations independently from whatever vendor is behind a particular technology or solution.


A closer look at XACML shows that its primary aimed at attribute based access control systems (ABAC), where the foundation for policy declarations is based on attributes and their values, however Role Based Access Control (RBAC) can also be used in XACML as a specialization of ABAC. Despite the name “eXtensible” does XACML enable externalization and encourages the separation of access decisions via Policy Enforcement Points (PEP).


The primary idea behind externalizing authorization and access policies from applications, is to centralize access policy governance but the benefits can be seen in three different areas according to leading vendor and provider of XACML based solutions, Axiomatics.


  • Software development: Policy Enforcement Points (PEP) are standardized components, intended to be re-used in software development and rather than implementing application specific logic in each application to determine what each user is allowed to do, PEPs make calls to a central Policy Decision Point (PDP). The end result of course is faster development and deployments.


  • In software life-cycle management: Fundamental change requests with regard to entitlements – for instance to meet regulatory compliance requirements – are managed with centralized policies. There is no need to change configurations or functionality in individual applications or services.


  • In operations: Entitlement-carrying attributes are widely managed in day to day line of business activities. Identity & Access Management solutions can to a large extent be embedded in existing business processes rather than demanding a separate administrative effort.



Now, having described the above, it is important to separate the “Externalized Authorization Management (EAM)” from the standard and language XACML.




EAM in the enterprise world is far from anything new and have been implemented in mainframes e.g. via RACF for decades. So just because enterprises are not leveraging XACML doesn’t mean they are not doing EAM.


Some of the arguments to why XACML has been declared dead, highlights poor adoption in a broad sense among large enterprises who written their authorization engines, that is not suitable for the cloud and distributed deployment, that refactoring and rebuilding existing in-house application is not an option.



As we all know, the current trend we are witnessing, is that APIs over the last few years are shifting more and more towards JavaScript Object Notation (JSON) in both responses and requests, which means that the more verbose XML notation is being dropped in favor of the less verbose JSON. Reason for that is of course the easy of use but also that all of the sudden we can reach better scalability when there is no need to parse XML. This would of course throw gasoline on the “XACML is dead” debate, but the community around XACML has been active working on JSON and RESTful bindings for XACML which will lead to increased XACML adoption - also lets not forget the OpenAZ project which moves forward in providing a vendor agnostic PEP API, open to anyone to use.


What about OPENAM and XACML?


  • Import/Export tool for XACML policies
    XACML can be a medium both to transfer and store access control policies. In OpenAM the policies are stored in a proprietary format and its not using XACML per se to store the policies. Therefor policies needs to be converted to a native format for storage. Part of OpenAM, ForgeRock provides an Import/Export tool for XACML policies. More about that can be found in the
    documentation for OpenAM.


  • Java SDK for XACML
OpenAM has an API available over Java to reach out to the XACML service however it currently only support XACML v2.


  • XACML2 SAML profile
OpenAM provides the XACMLv2 query capability in the Fedlets.


When it comes to the management of fine grained entitlements in the form of a GUI, this is something that currently is on the roadmap for OpenAM and i know product management is looking into providing the support for XACML v3. What is known is that there is a business interest implying that XACML is far from dead from big enterprises and governments point of view.


One of the potential issues with XACMLv3 is the amount of traffic generated when having millions of policies that needs to be evaluated. OpenAM is built with performance in mind and clearly there needs to be efforts into making XACML v3 performing to the modern web especially if it should find a good fit inside OpenAM.


To conclude this post, I want to quickly deviate a bit from XACML. Recently I spent a lot of time at a large prospect customer whose entire Identity Management system was built up around SPML and we all know how people have been claiming SPML is dead. A key requirement for this prospect was to serve the current deployment and deliver the provisioning capabilities via SPML but rip out and replace the backend. They had no intention on changing this interface! Clearly SPML is not dead, and neither is XACML and i doubt XML would disappear anytime soon. More likely is the turkey dead going in the oven. Happy Thanksgiving!

1 kommentar: