The Entitlement Management component of WSO2 Carbon facilitates the management and control of policies defined in XACML. The key functions of this component include:
See also:
- Identity Server as an XACML engine
- Adding Fine-grained Authorization for Proxy Services in ESB
- Writing XACML policies in WSO2 Identity Server
Introducing XACML
XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is popular in the community as a fine-grained authorization method. However, there are aspects of XACML that go beyond it being just a fine-grained authorization mechanism.
Although XACML was introduced as a standard by OASIS in 2003, not many organizations have adopted it yet. This is because most organizations have not shown interest in moving towards an XACML solution for authorization. The following may be some reasons for this:
- Many software designers and developers do not have a clear understanding of the importance and advantages of XACML.
- It is harder to implement an XACML solution than a typical JDBC-based or hard-coded authorization system.
- The performance of an XACML-based authorization system may be less than adequate.
- Defining and managing XACML policies is complex.
However, current market trends indicate that there is some motivation for XACML-based authorization systems. This section includes some architectural and implementation details on XACML with an existing XACML engine.
If you are interested in going into XACML in depth, you can find the XACML specifications and other information here.
To summarize, XACML describes an access control policy language, a request/response language and a reference architecture. The policy language is used to express access control policies (who can do what, and when). The request/response language expresses queries about whether a particular access should be allowed (requests) and describes the answers to those queries (responses). The reference architecture proposes a standard for deploying the necessary software modules within an infrastructure to allow efficient enforcement of policies.
Why XACML
Most organizations still use legacy systems with built-in authorization logic. Often one organization contains a large number of information systems and applications, each with its own process for authorization. Today, authorization has become more complex because users within the organization as well as outside it need access to shared data and need to collaborate efficiently. Therefore, it has become very hard to manage those legacy, custom authorization systems. XACML offers a solution to this problem.
A traditional authorization system would mostly look as follows:
- Authorization logic is hard-coded into the program source code.
- Authorization logic is stored in a database that can only be read and understood by the underlying application.
The following are some of the goals that current organizations expect an authorization system to meet.
- Can business managers (who should determine how access controls are implemented) define and modify authorization logic?
- Can we find new IT technicians to manage these legacy systems, especially when the people who developed the system have left the organization?
- Can authorization logic be modified dynamically, without any source code changes?
- Is the authorization system capable of evaluating the following rule? “Resource X can be accessed by users who are from the example.com domain and whose age is greater than 21 years”
- If we are going to implement a new information system within the organization, can we re-use the authorization logic of a legacy system?
- Can we achieve fine-grained authorization without defining a large number of static combinations?
- Is the authorization system capable of answering the following question: “Can a user, Bob, transfer X amount from Y current account at 1.00pm?”
As we can see, the above goals cannot be achieved with a traditional authorization system. However, an XACML (eXtensible Access Control Markup Language) based authorization solution can meet all of these goals. This is because XACML:
- is a standard ratified by the OASIS standards organization.
- is a policy language implemented in XML.
- supports Attribute Based Access Control (ABAC); evaluation can use additional data retrieved from a Policy Information Point (PIP), as defined by the XACML reference architecture.
- includes a reference architecture for externalizing the authorization system. The Policy Decision Point (PDP) offers authorization as a service in your infrastructure: authorization logic can be removed from the application, and applications query the PDP via their own Policy Enforcement Points (PEP).
- provides fine-grained authorization with a higher level of abstraction by means of policies and rules.
- supports dynamic evaluation of policies by using the Policy Information Point (PIP).