Header Image

Policy-Based Access Control Using XACML

The Problem: Fine-Grained Access Control

Historically, access control solutions for information sharing projects have been implemented on a project by project basis using point solutions, such as Role Based Access Control (RBAC) or Access Control Lists (ACL). Unfortunately, these approaches are neither interoperable with each other, nor flexible enough to handle the complex requirements of modern information sharing initiatives that cross traditionally isolated branches of government.

For this reason, “Policy Based Access Control” (or PBAC) approaches are starting to become the best practice for projects that require access control. PBAC allows access rules can be defined in a flexible, policy-oriented fashion, with policies being easily updated as rules change.


The Solution: XACML-Compliant XML Gateway

The most noteworthy recent PBAC effort centers on eXtensible Access Control Markup Language (XACML).  While XACML is not a policy model in its own right, it is an extremely flexible policy expression language that allows for an XML standard specification of access control policies in terms of entity attributes.

An XACML PBAC solution consists of a number of architectural components, including a Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Information Point (PIP), Obligation Service (OS) and Context Handler (CH).  The most critical components in support of XACML are the PEP, PDP, and PAP:

  • The PEP must be capable of creating and enforcing an XACML Authorization Query Request/Response
  • The PDP must provide an XACML Authorization Query Web Service for PEP invocation, and must utilize XACML as an authorization policy (either natively or through a mediation to its native policy language)
  • The PAP must administer, share, and federate XACML policies across the enterprise

Unfortunately, at this point in time, support for XACML among the major Identity and Access Control vendors is not widespread. Moreover, those vendors that do provide XACML support usually fail to meet the loose-coupling and policy-based configuration goals required for PBAC.


The Layer 7 Value: XACML PEP & PDP in One Product

The Layer 7 SecureSpan and CloudSpan product lines provide wide support for XACML, allowing it to be used directly within the appliance as an authorization policy language, or indirectly by supporting integration to third-party XACML-compliant enterprise products.  Not only does this allow for high speed, XACML-based policy decision within the Layer 7 appliance for in-line authorizations as part of a PEP, but it additionally allows Layer 7 to be utilized as a central Policy Decision Point (PDP). 

When deployed as a centralized PDS, Layer 7 can:

  • Receive standards-based authorization queries from a variety of PEPs
  • Retrieve attributes from a variety of authoritative sources within or external to the enterprise
  • Evaluate any information collected based on the rules expressed within the given XACML policy for the resource being invoked

These PDS capabilities, combined with Layer 7's ability to provide SAML-based Attribute Services and authentication token services through its integrated Secure Token Service (STS) means customers can implement all aspects of policy decision, attribute collection, and identity federation in a single product.