OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FW: [members] XACML 2.0 specification submitted for OASIS Standard

This is just a reminder to all of you to urge your organization representative to vote for XACML 2.0 if they have not yet done so.

Thanks in advance,


-----Original Message-----
From: Mary McRae [mailto:mary.mcrae@oasis-open.org]
Sent: Friday, December 31, 2004 10:40 AM
To: tc-announce@lists.oasis-open.org; members@lists.oasis-open.org
Subject: [members] XACML 2.0 specification submitted for OASIS Standard

OASIS members:

The OASIS Extensible Access Control Markup Language (XACML) TC has submitted
the set of documents collectively referred to as XACML 2.0, an approved
Committee Draft, to be considered as an OASIS Standard. The TC's submission
is attached below.

In accordance with the OASIS Technical Committee Process, the specification
has already gone through a 30 day public review period.
OASIS members now have until the 15th of January to familiarize themselves
with the submission below. OASIS members should give their input on this
question to the voting representative of their organization.

By the 16th of the month we will send out a Call For Vote to the voting
representatives of the OASIS member organizations, who will have until the
end of the month to cast their ballots on whether this Committee Draft
should be approved as an OASIS Standard.

The normative TC Process for approval of Committee Drafts as OASIS Standards
is found at

Any statements related to the IPR of this specification are posted at

Mary P McRae
Manager of TC Administration, OASIS
email: mary.mcrae@oasis-open.org  


On December 9, 2004 the OASIS XACML TC voted to submit the set of documents
collectively referred to as XACML 2.0 to be voted on as an OASIS Standard.
We hereby provide the materials required by the OASIS TC process.

   1. A formal specification that is a valid member of its type, together
with appropriate documentation for the specification, both of which must be
written using approved OASIS templates;

The normative documents are available here:


The individual documents are:

o Core Specification: eXtensible Access Control Markup Language (XACML)
Version 2.0
  + Committee Draft 04, 6 December 2004
    # Specification Document: access_control-xacml-2_0-core-spec-cd-04.pdf
    # Policy Schema: access_control-xacml-2.0-policy-schema-cd-04.xsd
    # Context Schema: access_control-xacml-2.0-context-schema-cd-04.xsd

o SAML 2.0 profile of XACML
  + Committee Draft 02, 11 November 2004
    # Specification Document:
    # SAML 2.0 Assertion Extension Schema:
    # SAML 2.0 Protocol Extension Schema:

o XML Digital Signature profile of XACML
  + Committee Draft 01, 11 November 2004
    # Specification Document:

o Privacy policy profile of XACML
  + Committee Draft 01, 11 November 2004
    # Specification Document:

o Hierarchical Resource profile of XACML
  + Committee Draft 01, 11 November 2004
    # Specification Document:

o Multiple Resource profile of XACML
  + Committee Draft 01, 11 November 2004
    # Specification Document:

o Core and Hierarchical Role Based Access Control (RBAC) profile of XACML,
Version 2.0
  + Committee Draft 01, 11 November 2004
    # Specification Document:

   2. A clear English-language summary of the specification;

The eXtensible Access Control Markup Language (XACML) is an XML vocabulary
for expressing access control policies. Access control consists of deciding
if a requested resource access should be allowed and enforcing that
decision. Access control policies are the criteria for making access control
decisions. The XACML core specification defines the syntax of the language
and the rules for evaluating policies. XACML is designed to operate
efficiently in large-scale environments, which are characterized by
continuous change, and where the information used for access control
purposes may be maintained by autonomous parties who do not closely
coordinate their activities.

XACML policies are able to make use of virtually any available information
to make decisions, including specifically the identities and properties of
any of the parties to the action, the properties and content of the
resources to be acted on, the type of actions requested and environmental
information such as the date and time or location of the request. XACML
specifies an extensive set of Boolean and data manipulation operators for
specifying policy evaluation. XACML allows for multiple policies to apply to
a given access control decision and provides an extensible set of combining
rules for resolving conflicting evaluation results. XACML also provides an
extensible mechanism for specifying additional actions to be taken when
access is granted or denied.

XACML 1.0 became an OASIS Standard on February 18, 2003. New features in
XAML 2.0 include a number of new profiles, described below, Combining
Algorithm parameters, Policy versions as a part of the reference mechanism,
macro capabilities, some new datatypes and functions and a variety of
improvements to the syntax to ease implementation. 

XACML Profiles define capabilities that are specific to a particular
environment or mode of use. XACML 2.0 contains the following Profiles:

o Digital Signature - defines how XML Digital Signatures may be applied to
XACML Policies o Multiple Resource - defines how access control decision
requests can be made on more than one resource at a time o Hierarchical
Resource - defines how access control policies and access control decision
requests can be specified which apply to resources which are arranged in a
hierarchy o Role Based Access Control (RBAC) - defines how XACML can be used
to implement Role Based Access Control o Security Assertion Markup Language
(SAML) - Extends elements of the SAML schema for policy retrieval,
distributed decision requests, attaching of creation metadata to policies
and attribute compatibility between SAML and XACML o Privacy - defines how
XACML may be used to enforce privacy policies.

   3. A statement regarding the relationship of this specification to
similar work of other OASIS TCs or other standards developing organizations;

As far as we are aware XACML is the only language being developed in a
standards body which specifically addresses Access Control. We are aware of
other efforts to develop policy languages for other purposes which may
overlap to some degree with XACML. 

   4. Certification by at least three OASIS member organizations that they
are successfully using the specification consistently with the OASIS IPR

BEA Systems, Entrust and Gluecode have so certified.


   5. An account of each of the comments/issues raised during the public
review period, along with its resolution;

All the comments and responses are available in the archive (see #8 below).

One comment was deemed a request for clarification and responded to on the
list. All other comments were incorporated into the specifications. 

   6. An account of and results of the voting to approve the approve the
specification as a Committee Draft;

The minutes of the meetings where Committee Draft votes were taken as noted
above, are here:

November 11, 2004 -
December 6, 2004 -

All votes were unanimous.

   7. An account of or pointer to votes and comments received in any earlier
attempts to standardize substantially the same specification, together with
the  originating TC's response to each comment;

There were no prior attempts.

   8. A pointer to the publicly visible comments archive for the originating


   9. A statement from the chair of the TC certifying that all members of
the TC have been provided with a copy of the OASIS IPR Policy; and

This was done by email on November 9, 2004.


  10. Optionally, a pointer to any minority reports submitted by one or more
TC members who did not vote in favor of approving the Committee Draft, or
certification by the chair that no minority reports exist.

All votes for Committee Draft were unanimous.

Hal Lockhart
Bill Parducci
Co-Chairs XACML TC

This email list is used solely by OASIS for official consortium
communications. Opt-out requests may be sent to
member_services@oasis-open.org, however, all members are strongly
encouraged to maintain a subscription to this list.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]