This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Access Control Concepts
WSO2 Identity Server uses XACML (eXtensible Access Control Markup Language) to control access to applications. XACML can express both of the commonly used access control models:
- Role-based access control: Role-based access control (RBAC) restricts access to authorized users based on their role. It is the model used by the majority of enterprises with more than 500 users.
- Attribute-based access control: Attribute-based access control (ABAC) grants access rights through policies that combine attributes of the subject, the resource, the action and the environment. A role is just one such attribute, so RBAC can be expressed as a special case of ABAC.
XACML is an XML-based access control language standardized by the OASIS XACML Technical Committee. It is best known as a fine-grained authorization mechanism, but it covers more than that, as described below.
Although OASIS introduced XACML in 2003, relatively few organizations have adopted it, because most saw no need to move to a XACML-based authorization solution. That is now changing, and a growing number of organizations are moving to XACML-based authorization systems.
For more information on XACML specifications and other related information, see the OASIS website.
To summarize, XACML defines three things: an access control policy language, a request/response language, and a reference architecture. The policy language expresses access control policies (who can do what, and when). The request/response language expresses queries about whether a particular access should be allowed (requests) and the answers to those queries (responses). The reference architecture proposes a standard way to deploy the necessary software components within an infrastructure so that policies can be enforced efficiently.
XACML reference architecture
The Policy Decision Point (PDP) evaluates policies against access requests submitted by Policy Enforcement Points (PEPs). To reach a decision, the PDP may also query a Policy Information Point (PIP) for descriptive attributes about the user, or for any other attribute missing from the request. The Policy Administration Point (PAP) manages the policies and configuration used by the PDP and PIP.
XACML terminology
The XACML reference architecture illustrated above comprises the following four building blocks.
- Policy Enforcement Point (PEP): The system entity that performs access control by making decision requests and enforcing authorization decisions. It is the component that sends the XACML request to the Policy Decision Point (PDP) and acts on the authorization decision it receives.
- Policy Decision Point (PDP): The system entity that evaluates an applicable policy and returns an authorization decision.
- Policy Information Point (PIP): The system entity that acts as a source of attribute values. If the XACML request sent by the PEP lacks attributes that a policy needs, the PDP asks the PIP to retrieve them (for example, from a user store) so that it can evaluate the policy.
- Policy Administration Point (PAP): The system entity that creates policies or policy sets and manages them.
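The following Python program is an added illustration of the policy language, the request/response exchange and the four building blocks described above; it is not WSO2 Identity Server code and does not use its APIs. It evaluates a constructed XACML 3.0 policy (a PAP artefact) restricted to a small subset of the language: Target/AnyOf/AllOf/Match with the string-equal function and the first-applicable rule-combining algorithm. The PEP builds the request, the PDP evaluates the policy, and the PIP resolves the subject's role from a constructed user store when the request does not carry it. The user store, the "payroll" resource and the user names are made up for the example.

```python
"""Minimal model of the XACML flow: PAP-supplied policy, PEP request, PDP
evaluation of a small XACML 3.0 subset, PIP lookup of missing attributes.
Added illustration, not WSO2 Identity Server code."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STR = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"  # role attribute id from the XACML RBAC profile


def match_xml(value, category, attribute_id):
    """One <Match>: compare a literal with a request attribute via string-equal."""
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{STR}" MustBePresent="false"/></Match>')


# Constructed policy, as a PAP would publish it: only managers may approve the
# payroll resource; every other request about payroll is denied.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="payroll-approval" Version="1.0"
        RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target><AnyOf><AllOf>{match_xml('payroll', RESOURCE, RESOURCE_ID)}</AllOf></AnyOf></Target>
  <Rule RuleId="managers-approve" Effect="Permit">
    <Target><AnyOf><AllOf>
      {match_xml('approve', ACTION, ACTION_ID)}
      {match_xml('manager', SUBJECT, ROLE)}
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>"""


class PolicyInformationPoint:
    """Resolves attributes the PEP did not send, here from a constructed user store."""

    def __init__(self, user_store):
        self.user_store = user_store

    def lookup(self, request, category, attribute_id):
        if category != SUBJECT:
            return None
        subject = request.get((SUBJECT, SUBJECT_ID))
        return self.user_store.get(subject, {}).get(attribute_id)


class PolicyDecisionPoint:
    def __init__(self, policy_xml, pip):
        self.policy = ET.fromstring(policy_xml)  # in practice loaded from the PAP
        self.pip = pip

    def attribute(self, request, category, attribute_id):
        value = request.get((category, attribute_id))
        return value if value is not None else self.pip.lookup(request, category, attribute_id)

    def match(self, match_el, request):
        if match_el.get("MatchId") != STRING_EQUAL:
            raise ValueError("only string-equal is modelled")
        expected = match_el.find("x:AttributeValue", NS).text
        designator = match_el.find("x:AttributeDesignator", NS)
        actual = self.attribute(request, designator.get("Category"), designator.get("AttributeId"))
        return actual == expected  # an attribute the PIP cannot resolve simply fails to match

    def target_applies(self, element, request):
        target = element.find("x:Target", NS)
        if target is None or len(target) == 0:
            return True  # an empty or absent Target applies to every request
        # AnyOf is a disjunction of AllOf conjunctions of Match elements
        return any(all(self.match(m, request) for m in all_of.findall("x:Match", NS))
                   for any_of in target.findall("x:AnyOf", NS)
                   for all_of in any_of.findall("x:AllOf", NS))

    def decide(self, request):
        if not self.target_applies(self.policy, request):
            return "NotApplicable"
        for rule in self.policy.findall("x:Rule", NS):  # first-applicable combining
            if self.target_applies(rule, request):
                return rule.get("Effect")
        return "NotApplicable"


def pep_request(subject_id, resource_id, action_id):
    """PEP side: the access attempt as XACML attributes keyed by (Category, AttributeId)."""
    return {(SUBJECT, SUBJECT_ID): subject_id,
            (RESOURCE, RESOURCE_ID): resource_id,
            (ACTION, ACTION_ID): action_id}


def enforce(pdp, subject_id, resource_id, action_id):
    """PEP side: only an explicit Permit grants access; Deny, NotApplicable
    and Indeterminate are all refused (fail closed)."""
    return pdp.decide(pep_request(subject_id, resource_id, action_id)) == "Permit"


USER_STORE = {"alice": {ROLE: "manager"}, "bob": {ROLE: "clerk"}}  # constructed directory
PDP = PolicyDecisionPoint(POLICY_XML, PolicyInformationPoint(USER_STORE))

if __name__ == "__main__":
    for who, resource, action in [("alice", "payroll", "approve"), ("bob", "payroll", "approve"),
                                  ("alice", "payroll", "delete"), ("alice", "expenses", "approve")]:
        print(f"{who} {action} {resource}: {PDP.decide(pep_request(who, resource, action))}")
```

Two details matter in practice. The PEP in `enforce` treats anything other than Permit as a refusal: a request the policy does not cover returns NotApplicable, and a PEP that only checks for the absence of Deny would grant it. And the role never appears in the request; the PDP obtains it from the PIP, which is what lets the PEP stay ignorant of the attributes a policy happens to need.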