OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Updated XACML references, including product list

XACML Community,

[This is a re-send to xacml-dev and xacml-users with the draft included
as in-line text.  Apparently the attachment did not come through to
these two mailing lists, although it went to xacml and sunxacml

As approved by the OASIS XACML TC, I have updated the XACML Bibliography
currently posted on the TC home page to be a more general "XACML
References" document.  As well as articles, papers, and presentations,
it now includes
- related standards (ebXML and SAML)
- Products and Deployments

Although I am aware of many more products, I listed only those where
there is something that qualifies as a "public announcement" - usually a
URL pointing to a web site where XACML usage is mentioned.  I did not
include mentions of XACML products from developer and open source
mailing lists, as those do not necessarily represent announced products.

A draft is [attached] appended.  If your company has a product or
deployment that
is not listed here but has been publicly announced, and if you want it
listed, please let me know by 31 May 2005 (send a URL).  I will then put
the updated references list into the XACML TC repository and link to it
from the OASIS XACML TC home page.  Corrections and other additions are
also invited, of course!

Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
XACML References, 1.14

Copyright© OASIS Open 2004-2005 All Rights Reserved.

Editor:  Anne Anderson, Sun Microsystems <Anne.Anderson@Sun.COM>
Version: 1.14
Updated: 05/05/27 (yy/mm/dd)

These lists include publications, standards, and products that contain
substantial information about XACML or make use of XACML in a
substantial way. These are listed here solely for the information of
parties interested in XACML. By including these links, neither the XACML
TC, nor OASIS itself, is endorsing, recommending, or guaranteeing the
accuracy of the referenced statements, publications, standards, or
products. in any way. Neither the XACML TC nor OASIS itself guarantees
the completeness or accuracy of the information in this list of
references. This list may be modified at any time as further information
about these or other publications and products becomes known. Additional
submissions for listings and corrections are invited by the editor.

    * Bibliography
    * Standards
    * Products and Deployments


This bibliography includes papers, articles, presentations,
specifications, and other publications that contain substantial
information about XACML or make use of XACML in a substantial way.

    * 2005
    * 2004
    * 2003
    * 2002


    * Extensible Access Control Markup Language (XACML), by Robin Cover,
Cover Pages page on XACML. Updated regularly. Available at
    * Change management: Verification and change-impact analysis of
access-control policies, Kathi Fisler, Shriram Krishnamurthi, Leo A.
Meyerovich, Michael Carl Tschantz; May 2005; Proceedings of the 27th
international conference on Software engineering
    * A comparison of compression techniques for XML-based security
policies in mobile computing environments, by Xuebing Qing, Carlisle
Adams, Ottawa New Challenges for Access Control Workshop, 27 April,
2005. Available at:
    * Using SPML to provision dynamic XACML rules to manage privacy and
access control in Web security infrastructure, by Michel Hétu, Anton
Stiglic, Claude Vigeant, Ottawa New Challenges for Access Control
Workshop, 27 April, 2005. Available at:
    * Administrative policies in XACML, by Erik Rissanen, Ottawa New
Challenges for Access Control Workshop, 27 April, 2005. Available at:
    * The Globus authorization processing framework The Globus
authorization processing framework, by Frank Siebenlist, Takuya Mori,
Rachana Ananthakrishnan, Liang Fang, Tim Freeman, Kate Keahey, Sam
Meder, Olle Mulmo, Thomas Sandholm, Ottawa New Challenges for Access
Control Workshop, 27 April, 2005. Available at:
    * Approaches to generalization of XACML, by Tim Moses, Ottawa New
Challenges for Access Control Workshop, 27 April, 2005. Available at:
    * Attribute based access control (ABAC): a new access control
approach for service oriented architectures, by Eric Yuan, Jin Tong,
Ottawa New Challenges for Access Control Workshop, 27 April, 2005.
Available at: http://lotos.site.uottawa.ca/ncac05
    * Key differences between XACML and EPAL, by Anne Anderson, Ottawa
New Challenges for Access Control Workshop, 27 April, 2005. Available
at: http://lotos.site.uottawa.ca/ncac05/Anderson_KeyDiffsXACMLandEPAL.pdf
    * A Network Access Control Approach Based on the AAA Architecture
and Authorization Attributes, by Lopez, G.; Gomez, A.F.; Marin, R.;
Canovas, O.; Parallel and Distributed Processing Symposium, 2005.
Proceedings. 19th IEEE International 04-08 April 2005 Page(s):287a - 287a
    * Using XACML and SAML for Authorisation messaging and assertions:
XACML and SAML standards overview and usage examples, by Yuri Demchenko,
28 March, 2005. Available at
    * How to Declare Access Control Policies for XML Structured
Information Objects using OASIS' eXtensible Access Control Markup
Language (XACML), by A. Matheus, System Science, 2005, HICSS '05.
Proceedings of the 38th Annual Hawaii International Conference on 03-06
Jan. 2005 Page(s):168a - 168a


    * Meeting central: making distributed meetings more effective, by
Nicole Yankelovich, William Walker, Patricia Roberts, Mike Wessler,
Jonathan Kaplan, Joe Provino; 6-10 November 2004, Proceedings of the
2004 ACM conference on Computer supported cooperative work 2004,
Chicago, Illinois, USA
    * Service applications: An OGSA-based accounting system for
allocation enforcement across HPC centers, Thomas Sandholm, Peter
Gardfjäll, Erik Elmroth, Lennart Johnsson, Olle Mulmo; November 2004;
Proceedings of the 2nd international conference on Service oriented
    * XML Security: Control information access with XACML: The
objectives, architecture, and basic concepts of eXtensible Access
Control Markup Language, by Manish Verma, 18 Oct 2004. Available at
    * Privacy protecting data collection in media spaces, by Jehan
Wickramasuriya, Mahesh Datt, Sharad Mehrotra, Nalini Venkatasubramanian,
10-16 October, 2004; Proceedings of the 12th annual ACM international
conference on Multimedia, 2004, New York, NY, USA
    * Trust, Access Control, and Rights for Web Services, Part 2, by
Sams Publishing, 12 Oct 2004. Available at
    * Security & analysis I: Synthesising verified access control
systems in XACML, by Nan Zhang, Mark Ryan, Dimitar P. Guelev; October
2004; Proceedings of the 2004 ACM workshop on Formal methods in security
    * Experiences with NMI at Michigan: NSF Middleware Initiative, by
Shawn McKee, 1 October 2004, NMI/SURA Testbed Workshop. Available at
    * Collaboration and security in CNL's virtual laboratory, by Andrew
Tokmakoff, Yuri Demchenko and Martin Snijders. WACE 2004, 23 September
2004. Available at
    * Evaluation of XML Technologies as Applied to Access Control, by
David Staggs (SAIC) for Dept. of Veterans Affairs, Veterans Health
Administration, Office of Information, 13 Sept 2004. Available at
    * Administrative Delegation in XACML, by Erik Rissanen, Babak
Sadighi Firozabadi. Swedish Institute of Computer Science. 2 Sept 2004.
Submitted to W3C Workshop on Constraints and Capabilities for Web
Services. Available at http://www.w3.org/2004/08/ws-cc/erbsf-20040902.
    * Constraints and Capabilities for Web Services, Anne Anderson, ed.,
Sun Microsystems, Inc. 27 Aug 2004. Submitted to W3C Workshop on
Constraints and Capabilities for Web Services. Available at
    * Access Control Methods for UDDI in Web Services using XACML,
presented by Dr. Dong-Il Shin, Sejong University, Republic of Korea, 6th
ASTAP Forum. ASTAP04/FR08/EG.IS/04. See
    * A Comparison of EPAL and XACML, by Anne Anderson, Sun
Microsystems, Inc. 12 July 2004. Available at
    * WALDEN: A Scalable Solution for Grid Account Management, by Beth
Kirschner, et al., 5th IEEE/ACM International Workshop on Grid Computing
(Grid 2004), 5 July 2004. Available at
    * eXtensible Access Control Markup Language: XACML im Vergleich mit
P3P und EPAL, by Stefan Berthold, Technische Universitaet Dresden,
Fakultaet Informatik, 28 June 2004. Available at
    * Comparing WSPL and WS-Policy, by Anne Anderson, Sun Microsystems,
Inc. 8 June 2004. IEEE Policy 2004 Workshop. Paper available at
http://research.sun.com/projects/xacml/Policy2004.pdf. Slides available
    * An Introduction to the Web Services Policy Language, by Anne
Anderson, Sun Microsystems, Inc., 8 June 2004. IEEE Policy 2004
Workshop. Available at
    * Using uml to visualize role-based access control constraints, by
Indrakshi Ray, Na Li, Robert France, Dae-Kyoo Kim; 2-4 June 2004;
Symposium on Access Control Models and Technologies; Proceedings of the
ninth ACM symposium on Access control models and technologies, Yorktown
Heights, New York, USA
    * Interactive Protocol Visualization (and a WSPL Case Study), by
Sean Cannella, 7 May 2004; Brown University. Available at
    * LionShare Security Model, by Derek Morr; May 2004 Internet2 Member
Meeting, 19-21 April, Arlington, VA. Available at
    * LionShare Peer-to-Peer Security Model, Security Whitepaper, by
Derek Morr, et al.. Shibboleth, **DRAFT**; 15 April 2004. Available at
    * X.509 Proxy Certificates for dynamic delegation, by Von Welch, et
al., 3rd Annual PKI R&D Workshop, Gaithersburg, MD, USA, 12-14 April
2004. Available at
    * RSVP policy control using XACML, by E. Toktar, E. Jamhour, and G.
Maziero, Policies for Distributed Systems and Networks, 2004. POLICY
2004. Proceedings. Fifth IEEE International Workshop on , 7-9 June 2004,
Pages:87 - 96. Slides available at
Paper available through
    * XACML and Federated Identity, by Hal Lockhart, BEA Systems, NASA
Scientific and Engineering Workstation Procurement (SEWP) Security
Symposium, 1 June 2004. Available at
    * Access management for distributed systems: Role-based cascaded
delegation, by Roberto Tamassia, Danfeng Yao, William H. Winsborough.
June 2004. Proceedings of the ninth ACM symposium on Access control
models and technologies (SACMAT). See
    * Role-Based Access Control (RBAC) Role Engineering Process, Version
3.0, developed for The Healthcare RBAC Task Force by SAIC, 11 May 2004.
Available at
    * CCOW Healthcare Implementation Using OASIS Standards, by Ed Coyne,
Veterans Health Administration, 28-29 April 2004. VHA Health Information
Architecture. Available at
    * Access Control in a Distributed Decentralized Network: An XML
Approach to Network Security using XACML and SAML, by Paul J. Mazzuca,
Dartmouth College TR2004-506, Spring 2004. Available at
ftp://ftp.cs.dartmouth.edu/TR/TR2004-506.pdf or
    * Introduction To XACML, by Phil Griffin, 19 Feb 2004. Available at
    * WSPL: an XACML-based Web Services Policy Language, by Anne
Anderson, Sun Microsystems, Inc., 27 January 2004. Available at
    * Design Document: SweGrid Accounting System Security Design, by
Thomas Sandholm and Olle Mulmo, 22 January 2004. Available at
    * XML Web Services and Security, by Bob Daly. Date uncertain.
Available at
    * Exploring a Multi-Faceted Framework for SOC: How to develop secure
web-service interactions?, by Kees Leune, et al., Tilburg University,
Infolab, The Netherlands. 2004. Available at


    * Modeling Delegation of Rights in a simplified XACML with Haskell,
by Frank Siebenlist, Argonne Nat. Labs/Global Grid Forum, 18 Nov 2003.
Available at
    * An XACML-based Policy Management and Authorization Service for
Globus Resources, by Markus Lorch, Dennis Kafura, Sumit Shah, Virginia
Tech, Fourth International Workshop on Grid Computing, Phoenix, AZ, 17
Nov 2003. Available at
    * The PRIMA System for Privilege Management, Authorization and
Enforcement in Grid Environments, by M. Lorch, et al., 4th Int. Workshop
on Grid Computing - Grid 2003, 17 November 2003. Available at
    * Certificate-based authorization policy in a PKI environment, by
Mary R. Thompson, Abdelilah Essiari, Srilekha Mudumbai. ACM Transactions
on Information and System Security (TISSEC), Volume 6 Issue 4. November
2003. Available at dsd.lbl.gov/security/Akenti/Papers/ACMTISSEC.pdf.
    * First Experiences Using XACML for Access Control in Distributed
Systems, by Markus Lorch, Seth Proctor, Rebekah Lepro, Dennis Kafura and
Sumit Shah. Presented at the ACM Workshop on XML Security 31 October
2003, Fairfax, VA, USA. Slides available at
    * XML security: Certificate validation service using XKMS for
computational grid, by Namje Park, Kiyoung Moon, Sungwon Sohn. 31
October 2003. Proceedings of the 2003 ACM workshop on XML security.
Available through http://cftest.acm.org/portal/citation.cfm?id=968577.
    * Policy Management for OGSA Applications as Grid Services (Work in
Progress), by Lavanya Ramakrishnan, MCNC-RDI Research and Development
Institute. 8 Oct 2003. Available at
    * Access control: An access control framework for business processes
for web services, by Hristo Koshutanski, Fabio Massacci. 31 October
2003. Proceedings of the 2003 ACM workshop on XML security.
    * Enterprise Privacy Authorization Language (EPAL), Matthias
Schunter, ed., IBM Research Report. 1 October 2003. Available at
    * The Formal Semantics of XACML, by Polar Humenn, Syracuse
University, Oct 2003. Available at
    * ebxmlrr 2.1-final1 open source freebXML Registry, 16 September
2003. Available at http://www.freebxml.org/ebxmlrr_final.htm>.
    * Virtual enterprise access control requirements, by M. Coetzee, J.
H. P. Eloff. September 2003. Proceedings of the 2003 annual research
conference of the South African institute of computer scientists and
information technologists on Enablement through technology. Available
through http://portal.acm.org/citation.cfm?id=954045.
    * Web Services Security, by Mark O'Neill with Phillip Hallam-Baker,
Sean Mac Cann, Mike Shema, Ed Simon, Paul A. Watters and Andrew White,
Pages: 312, Publisher: McGraw-Hill Professional, ISBN: 0072224711.
Contains a chapter on XACML. Review available at
    * XACML J2SE[TM] Platform Policy Profile, by Anne Anderson, Sun
Microsystems, Inc. 21 July 2003. Available at
    * XACML: a new standard protects content in the enterprise data
exchange, XMLMania, 7 July 2003. Available at
    * An Introduction to XACML, by Michael Armstrong, SANS Institute, 29
June 2003. Available at
    * XACML: A New Standard Protects Content in Enterprise Data
Exchange, Java.Sun.Com technical article, 24 June 2003. Available at
    * XACML, Quickstudy by Russell Kay, Computerworld, 19 May 2003.
Available at
    * Sun XACML 1.0 Implementation Provides Attribute Management
Techniques, Paragon Pinnacles, 19 May 2003, Article#9821, Volume 63,
Issue 3. Available at
    * An XACML Glossary, by Russell Kay, Computerworld, 19 May 2003.
Available at
    * Securing Web Services for Use as Enterprise-Class Business
Systems, an AmberPoint Whitepaper, May 2003. Available at
    * Digital rights management and fair use by design: Fair use, DRM,
and trusted computing, by John S. Erickson. April 2003. Communications
of the ACM, Volume 46 Issue 4. Available through
    * Multimedia and visualization: Self-manifestation of composite
multimedia objects to satisfy security constraints, by Vijayalakshmi
Atluri, Nabil Adam, Ahmed Gomaa, Igg Adiwijaya. March 2003. Proceedings
of the 2003 ACM symposium on Applied computing. Available at
    * XACML -- A No-Nonsense Developer's Guide, by Vance McCarthy,
Enterprise Developer News, 24 Feb 2003. Available at
    * XACML Will Help Enterprises In Three Areas, by Ray Wagner,
Gartner, 21 February 2003. Available at
    * Getting Started with XML Security: Authorization Rules: XML Access
Control Markup Language (XACML), tutorial, SitePoint, date uncertain.
Available at http://www.sitepoint.com/article/933/8.
    * Constrained delegation in XML-based Access Control and Digital
Rights Management Standards, by Guillermo Navarro (Universitat Autonoma
de Barcelona), Babak Sadighi Firozabadi (Swedish Institute of Computer
Science), Erik Rissanen (Swedish Institute of Computer Science), Joan
Borrell (Universitat Autonoma de Barcelona). Available at
    * Authorization Center Project (authZ), CMU. 2003. Available at


    * Designing a distributed access control processor for network
services on the Web, by Reiner Kraft. Proceedings of the 2002 ACM
workshop on XML security. November 2002. Available at
    * Dynamically authorized role-based access control for secure
distributed computation, by C. Joncheng Kuo, Polar Humenn. November
2002. Proceedings of the 2002 ACM workshop on XML security. Available at
    * Towards securing XML Web services, by Ernesto Damiani, Sabrina De
Capitani di Vimercati, Pierangela Samarati. November 2002. Proceedings
of the 2002 ACM workshop on XML security. Available at


This list includes open standards that reference XACML.

    * OASIS ebXML:
    * OASIS Security Assertion Markup Language (SAML):
          o See also the SAML Profile of XACML 2.0:

Products and Deployments

This list includes products and deployments that make substantial use of
XACML and that have been announced publicly. Readers should keep in mind
that this is an incomplete list of XACML deployments. For security
reasons, enterprises are frequently unwilling to publicize the security
mechanisms they use internally, and many deployments of XACML fall into
this category. In other cases, XACML is used internal to products, but
is not exposed, and the vendor has chosen not to disclose this internal use.

By including these links, neither the XACML TC, nor OASIS itself, is
endorsing, recommending, or guaranteeing the accuracy of these public
announcements or their related products in any way. Neither the XACML TC
nor OASIS itself guarantees the completeness or accuracy of the
information in this list of products. This list may be modified at any
time as further information about these or other products becomes known.
Additional submissions for listings are invited by the editor.

    * BRT, Inc. product CJPD: http://www.beamreachtech.com/
    * Children's Hospital, Boston: Personal Internetworked Notary and
    * ELENA Project: Smart Spaces for LearningTM:
    * Entrust: uses XACML in 3 products:
    * Exigen Group: http://lotos.site.uottawa.ca/ncac05/program.html
    * The Fedora Project: An Open-Source Digital Repository Management
System: http://www.fedora.info/
    * Globus ToolKit for grid applications:
    * Internet2:
    * OASIS ebXML Standard Reference Implementation:
    * Okiok Global Trust identity and access management product:
    * Parthenon Computing: Parthenon XACML Evaluation Engine:
    * Starbourne: http://lists.xml.org/archives/xml-dev/200409/msg00117.html
    * Sun XACML Open Source: http://sunxacml.sourceforge.net/
    * UMU-XACML Editor: http://xacml.dif.um.es/
    * XACML.NET: http://mvpos.sourceforge.net/xacml.htm

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]