XACML 2.0 Access Control Markup Language Approved as OASIS Standard

["Carol Geyer" <carol.geyer@oasis-open.org>]

XACML 2.0 Access Control Markup Language Approved as OASIS Standard 

BEA Systems, Booz Allen Hamilton, Computer Associates, Entrust, Gluecode Software, IBM, Sun Microsystems, and Others Advance Open
Standard for Information Access Control 
 
BOSTON, MA, USA; 2 MARCH 2005 -- The OASIS, the international e-business standards consortium, today announced that its members have
approved the Extensible Access Control Markup Language (XACML) version 2.0 as an OASIS Standard, a status that signifies the highest
level of ratification. XACML is used to represent and evaluate access control policies.

Dan Blum, Senior Vice President and Research Director of the Burton Group, noted, "Access control is a requirement of almost every
application. XACML goes beyond simply denying or granting information access, it defines the mechanism for creating the rules and
policy sets that enable meaningful authorization decisions."

To meet the needs of a wide range of users across many different environments, XACML 2.0 incorporates new profiles for Role Based
Access Control (RBAC), Privacy, and Lightweight Directory Access Protocol (LDAP). XACML 2.0 profiles also provide integration and
hierarchical resources for the Security Assertion Markup Language (SAML) OASIS Standard.

"XACML is designed to standardize the use of declarative policy to control access to resources, which can reduce costs while
increasing security," said Hal Lockhart, co-chair of the OASIS XACML Technical Committee. "XACML 2.0 can be of particular interest
to those deploying SAML, looking for a practical way to implement RBAC or protecting hierarchical resources, such as portions of XML
documents." 

Before becoming an OASIS Standard, XACML v2.0 first completed an extensive public review and was approved by the OASIS XACML
Technical Committee. Then, the specification demonstrated its readiness through multiple implementations, after which XACML was
reviewed and approved by the OASIS membership as a whole.

"The approval of XACML 2.0 as an OASIS Standard builds on a solid base of XACML implementations by major international companies,
start-ups, and open source providers," noted Patrick Gannon, president and CEO of OASIS. "Increasingly, XACML is being recognized as
an integral part of enterprise security frameworks. Our congratulations go to the members of the OASIS XACML Technical Committee for
their hard work in advancing this standard."

XACML is part of the growing portfolio of OASIS Standards for security, which also includes the Application Vulnerability
Description Language (AVDL), SAML, Service Provisioning Markup Language (SPML), WS-Security, and XML Common Biometric Format (XCBF).
OASIS members also advance specifications such as Digital Signature Services (DSS) and Public Key Infrastructure (PKI).

XACML v2.0 was developed by members of the OASIS XACML Technical Committee, which includes representatives of BEA Systems, Booz
Allen Hamilton, Computer Associates, Entrust, Gluecode Software, IBM, Sun Microsystems, and others. Participation remains open to
all, and suppliers, end-users and system integrators are invited to join OASIS to advance the continued development and the adoption
of XACML. OASIS hosts an open mail list for public comment and the xacml-dev mailing list for exchanging information on implementing
the standard.

Industry Support for XACML OASIS Standard

BEA Systems
"BEA realizes the importance of a portable description for security policy and the significant benefit it can bring to customers.
As a result, BEA supports the release of the XACML 2.0 specification as an OASIS standard and is working to incorporate support for
the standard in future releases of BEA's product family," said Paul Patrick, Chief Security Architect, BEA Systems.

Cordance
"By taking the industry standard for policy-based access control to a new level, XACML 2.0 provides even more incentive for
enterprises to adopt XML-based resource management infrastructure. The OASIS XRI (Extensible Resource Identifier) and XDI (XRI Data
Interchange) Technical Committees look forward to providing other key pieces of this infrastructure that will leverage the power of
XACML 2.0," said Drummond Reed, CTO of Cordance Corporation and co-chair, OASIS XRI and XDI Technical Committees.

DataPower
"XACML finally enables organizations to move access control policy out of custom spaghetti code and into an interoperable,
declarative XML form," said Eugene Kuznetsov, CTO, founder and chairman of DataPower. "Whether driven by new security threats,
regulatory mandates or Web services, there is a growing need for fine-grained authorization for heterogeneous systems."

Gluecode Software
"We are pleased to contribute to the advancement of the XACML 2.0 standard," said Bill Parducci, security architect for Gluecode
Software. "As an open source infrastructure company, participation in these standardization efforts allows us to deliver
leading-edge solutions to our customers. We look forward to incorporating XACML 2.0 in our products to facilitate integration with
an enterprise's central security policies."

Nokia
"Nokia applauds the accomplishment of the OASIS XACML Technical Committee in producing the XACML v2.0 open standard," said Frederick
Hirsch, Senior Architect at Nokia. "Having an open and standard means of expressing and resolving authorization and entitlement
policies will aid in building secure systems. Nokia is working to use such open standards to enhance the capabilities of its mobile
platforms."

Sun Microsystems
"XACML is an important piece of technology for enabling access control for web services and part of the broader solution in
providing a policy and security framework for web services," said Ed Julson, director of engineering for Web Technologies &
Standards at Sun Microsystems. "Sun's active participation in the development of OASIS XACML 2.0 and our open source implementation
of XACML are further evidence of our commitment to open standards and the interoperability benefits they bring to customers."

Additional Information:
OASIS XACML Technical Committee:
http://www.oasis-open.org/committees/xacml

Cover Pages Technology Report: 
http://xml.coverpages.org/xacml.html


About OASIS:
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that
drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using
a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces
open standards for Web services, security, e-business, and standardization efforts in the public sector and for application-specific
markets. Founded in 1993, OASIS has more than 4,000 participants representing over 600 organizations and individual members in 100
countries. Approved OASIS Standards include AVDL, CAP, DocBook, DSML, ebXML, SAML, SPML, UBL, UDDI, WS-Reliability, WSRP, WSS,
XACML, and XCBF. http://www.oasis-open.org


Press contact:
Carol Geyer
OASIS Director of Communications
carol.geyer@oasis-open.org
+1.978.667.5115 x209