XACML (eXtensible Access Control Markup Language)

A declarative access control policy language implemented in XML, together with a processing model that describes how the policies are evaluated against an access request.


What is XACML in cloud computing?

XACML, or eXtensible Access Control Markup Language, is a declarative access control policy language implemented in XML. In cloud computing, XACML is used to define security policies that control access to resources.

  • XACML provides a standardized way to write access control policies and to move authorization decisions out of application code into a dedicated decision service, which makes the policies easier to audit.
  • Because decisions are based on attributes of the subject, resource, action and environment rather than on hard-coded roles, the policies can express fine-grained rules and be changed without redeploying the applications that rely on them.

How does XACML work?

XACML works by providing a syntax for defining access control policies in XML. These policies can then be enforced by an XACML-compliant access control system.

  • XACML policies state which subjects may perform which actions on which resources, and under what conditions, as rules over attributes carried in the request (for example the caller's role, the resource identifier and the requested action).
  • The policies are evaluated per request at runtime by a policy decision point, so a decision reflects the attribute values at the moment of the request rather than a static permission list.

XACML Example

In cloud security, the eXtensible Access Control Markup Language (XACML) provides a mechanism for fine-grained access control. Here is an outline of how a request is handled by a policy enforcement point (PEP) that delegates the decision to a policy decision point (PDP), as described for a gateway's XACML PEP filter:

  1. A user sends a request to access a particular cloud resource.
  2. The request is intercepted by the XACML PEP filter configured within the Enterprise Gateway.
  3. The PEP filter holds the original request and constructs an XACML request from the user's attributes (identity, roles), the target resource and the action they want to perform.
  4. The XACML request is then subjected to the message-level security checks defined in the policies on the XACML tab.
  5. The PEP filter forwards the XACML request to the Policy Decision Point (PDP) using the connection details specified in the Routing tab.
  6. The PDP evaluates the request against its set of policies and returns an XACML response carrying the decision. Besides Permit and Deny, the decision may be NotApplicable (no policy applies to the request) or Indeterminate (the decision could not be made, for example because a required attribute was missing or a policy failed to evaluate).
  7. Upon receiving the response, the PEP filter verifies that it is a valid XACML response (well-formed, carrying exactly the expected result) before acting on it.
  8. If the decision is Permit, the PEP filter releases the original client request, allowing the user to access the requested resource, and policy execution proceeds along the success path. Any other decision, including NotApplicable and Indeterminate, must be treated as a denial so that the enforcement point fails closed.
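To make both the policy language and the PEP/PDP exchange above concrete, the following is an added example written for this page; it is not code from the original page or from any gateway product. It embeds a small XACML 3.0 policy (the core namespace, category and function identifiers are the standard ones; the policy id, attribute values and request contents are constructed sample data), a minimal PDP that evaluates the policy's Target/AnyOf/AllOf/Match structure with the deny-overrides rule-combining algorithm, and a PEP that validates the XACML Response and allows access only on an explicit Permit. The evaluator is deliberately reduced: it supports only string-equal matches and omits Rule Conditions, Obligations and the extended Indeterminate{D}/{P}/{DP} distinctions of the full specification.

```python
"""Minimal XACML 3.0 policy, PDP and fail-closed PEP (added illustration, not a product's code)."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"


def match(value, category, attr_id, must_be_present="false"):
    """Render one <Match> comparing a request attribute to a literal with string-equal."""
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" DataType="{STRING}" '
            f'MustBePresent="{must_be_present}"/></Match>')


# Constructed sample policy: applies to resource "invoices"; finance may read, nobody may delete.
# The role designator is MustBePresent="true", so a request without a role yields Indeterminate.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:policy:invoices" Version="1.0"
  RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target><AnyOf><AllOf>{match("invoices", RESOURCE, RESOURCE_ID)}</AllOf></AnyOf></Target>
  <Rule RuleId="permit-finance-read" Effect="Permit"><Target><AnyOf><AllOf>
    {match("finance", SUBJECT, ROLE, "true")}{match("read", ACTION, ACTION_ID)}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="deny-delete" Effect="Deny"><Target><AnyOf><AllOf>
    {match("delete", ACTION, ACTION_ID)}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""


def request_xml(attrs):
    """Build the XACML <Request> a PEP would send; attrs maps (category, attribute-id) to a value."""
    body = "".join(f'<Attributes Category="{cat}"><Attribute AttributeId="{aid}" IncludeInResult="false">'
                   f'<AttributeValue DataType="{STRING}">{val}</AttributeValue></Attribute></Attributes>'
                   for (cat, aid), val in attrs.items())
    return f'<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">{body}</Request>'


def parse_request(xml_text):
    """PDP side: collect request attributes into a bag keyed by (category, attribute-id)."""
    bag = {}
    for attrs in ET.fromstring(xml_text).findall("x:Attributes", NS):
        for attr in attrs.findall("x:Attribute", NS):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            bag.setdefault(key, []).extend(v.text for v in attr.findall("x:AttributeValue", NS))
    return bag


def eval_target(target, bag):
    """Return 'Match', 'NoMatch' or 'Indeterminate'. AnyOf elements are ANDed, AllOf ORed, Matches ANDed."""
    if target is None:                      # an absent Target matches every request
        return "Match"
    result = "Match"
    for any_of in target.findall("x:AnyOf", NS):
        any_result = "NoMatch"
        for all_of in any_of.findall("x:AllOf", NS):
            all_result = "Match"
            for m in all_of.findall("x:Match", NS):
                wanted = m.find("x:AttributeValue", NS).text
                d = m.find("x:AttributeDesignator", NS)
                values = bag.get((d.get("Category"), d.get("AttributeId")), [])
                if not values:              # missing attribute: error only if the policy requires it
                    all_result = "Indeterminate" if d.get("MustBePresent") == "true" else "NoMatch"
                    break
                if m.get("MatchId") != STRING_EQUAL or wanted not in values:
                    all_result = "NoMatch"
                    break
            if all_result == "Match":
                any_result = "Match"
                break
            if all_result == "Indeterminate":
                any_result = "Indeterminate"
        if any_result == "NoMatch":
            return "NoMatch"
        if any_result == "Indeterminate":
            result = "Indeterminate"
    return result


def evaluate(policy_xml, bag):
    """PDP: policy Target, then each Rule Target, combined with (simplified) deny-overrides."""
    policy = ET.fromstring(policy_xml)
    t = eval_target(policy.find("x:Target", NS), bag)
    if t != "Match":
        return "NotApplicable" if t == "NoMatch" else "Indeterminate"
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        return "Indeterminate"              # unsupported algorithm: refuse rather than guess
    decisions = []
    for rule in policy.findall("x:Rule", NS):
        rt = eval_target(rule.find("x:Target", NS), bag)
        decisions.append(rule.get("Effect") if rt == "Match"
                         else "NotApplicable" if rt == "NoMatch" else "Indeterminate")
    for d in ("Deny", "Indeterminate", "Permit"):   # a single Deny wins; errors beat Permit
        if d in decisions:
            return d
    return "NotApplicable"


def pdp_respond(policy_xml, req_xml):
    """Wrap the PDP decision in an XACML <Response> as the PEP would receive it."""
    decision = evaluate(policy_xml, parse_request(req_xml))
    return f'<Response xmlns="{XACML}"><Result><Decision>{decision}</Decision></Result></Response>'


def pep_allows(response_xml):
    """PEP: check the response shape and release the held request only on an explicit Permit."""
    try:
        results = ET.fromstring(response_xml).findall("x:Result", NS)
    except ET.ParseError:
        return False                        # malformed response: fail closed
    if len(results) != 1:                   # one request, exactly one Result expected
        return False
    return results[0].findtext("x:Decision", default="", namespaces=NS) == "Permit"


def sample_requests():
    """Constructed requests covering all four XACML decisions."""
    base = {(RESOURCE, RESOURCE_ID): "invoices", (ACTION, ACTION_ID): "read"}
    return {"finance reads invoices": {**base, (SUBJECT, ROLE): "finance"},
            "finance deletes invoices": {**base, (ACTION, ACTION_ID): "delete", (SUBJECT, ROLE): "finance"},
            "intern reads invoices": {**base, (SUBJECT, ROLE): "intern"},
            "finance reads payroll": {**base, (RESOURCE, RESOURCE_ID): "payroll", (SUBJECT, ROLE): "finance"},
            "no role attribute": base}


if __name__ == "__main__":
    for name, attrs in sample_requests().items():
        resp = pdp_respond(POLICY_XML, request_xml(attrs))
        print(f"{name:26} -> {evaluate(POLICY_XML, parse_request(request_xml(attrs))):14} allowed={pep_allows(resp)}")
```

Running the script shows the five requests yielding Permit, Deny, NotApplicable, NotApplicable and Indeterminate respectively, with only the first one allowed through the PEP. The point of `pep_allows` is step 8 above: the PEP does not reason about why the PDP said anything other than Permit; a missing attribute (Indeterminate) or a gap in the policy set (NotApplicable) is denied exactly like an explicit Deny.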

Configured this way, the PEP never makes an authorization decision of its own: access is granted only on an explicit Permit from the PDP, and the policies that produce that decision live in one auditable place. That is what keeps enforcement consistent with least privilege and need-to-know, the cornerstones of modern access control.
