Subject: XACML TC FAQ
Attached is an HTML file for the initial XACML TC FAQ. Anne Anderson -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692Title: OASIS XACML TC FAQ
currently under review by the XACML TC as of 21 August 2003
What is the XACML TC?
It is a Technical Committee of the OASIS standards organization focused on development of a standard access control policy language. "XACML" stands for "eXtensible Access Control Markup Language". The full charter is at http://www.oasis-open.org/committees/xacml/charter.php.
What is the need for such a standard?
Currently, there are many proprietary or application-specific access control policy languages. This means policies can not be shared across different applications, and provides little incentive to develop good policy composition tools. Many of the existing languages do not support distributed policies, are not extensible, or are not expressive enough to meet new requirements. XACML enables use of arbitrary attributes in policies, role based access control, security labels, time/date-based policies, indexable policies, "deny" policies, and dynamic policies, all without requiring changes to the applications that use XACML. Adoption of XACML across vendor and product platform should provide the opportunity for organizations to perform access and access policy audits directly across such system.
Who will benefit from this work and how?
Every developer, user, or maintainer of applications that require secure authorization will benefit.
What has the XACML TC produced to date?
In February of 2003, OASIS approved XACML Version 1.0 as an OASIS Standard. In August of 2003, the XACML TC approved XACML Version 1.1 as an OASIS Committee Specification. The TC has not yet determined whether this should advance to OASIS Standard (not because it is not good enough :-), but because it contains only clarifications and minor changes, and does not change the Version 1.0 schemas).
Links to these documents are available on the XACML TC public home page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml .
How does this work compare with related efforts at other standards organizations?
No other standard access control language written in XML currently exists. Related efforts include:
The OASIS Security Services Technical Committee has defined the Security Assertion Markup Language (SAML). XACML is an outgrowth of work to support SAML's AuthorizationDecisionQuery protocol, although is not intended to be limited to use with that protocol. There is currently a mismatch between the SAML 1.0 syntax and the XACML 1.0 Request syntax, although it is possible to reconcile them with an XSLT. There are plans to resolve this mismatch in SAML 2.0.
ISO 10181-3 defines an architecture for access control, but not a language. In ISO 10181-3 terms, XACML 1.0 specifies an "Access Control Decision Function" (ADF), and defines its interactions with an "Access Control Enforcement Point" (AEF).
The IETF and Distributed Management Task Force (DMTF) have specified a framework for policies, but not a language. In IETF/DMTF terms, XACML 1.0 defines a "Policy Decision Point" (PDP), and defines its interactions with a "Policy Enforcement Point" (PEP).
The Open Group has defined an Authorization (AZN) API , but not a language for authorization policies themselves. The XACML TC does not define an API, but is designed to work well with SAML AuthorizationDecisionQuery and its related protocols.
ANSI is currently in the process of standardizing a framework and API for Role Based Access Control. The XACML TC is developing an XACML Profile for Role Based Access Control that satisfies the requirements of the proposed ANSI framework, although XACML does not map easily onto the proposed API.
The OASIS Rights Language TC is currently discussing use cases and requirements that overlap with both XACML and SAML. That group is attempting to standardize ContentGuard's XrML language.
What are the current activities of the XACML TC?
There are pointers to our current working drafts on the XACML TC public home page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml . These include XACML profiles for web services policy, XML Digital Signature, and Role Based Access Control.
In addition, the TC is working on major extensions to XACML that would go into XACML 2.0. Periodically, a list of the current work items under consideration is posted to the XACML TC mailing list.
There is not yet a schedule for completion of these activities, but all being actively developed.
Where are the archives for the XACML TC mailing lists?
The archives are located at http://lists.oasis-open.org/archives/xacml/ . These are publicly viewable.
There is also a mailing list of comments received, primarily during the public review period leading up to the 1.1 standard. This mailing list is archived at http://lists.oasis-open.org/archives/xacml-comment/ .
Who should be involved in the XACML TC?
Anyone with an interest in access control, authorization, entitlement and related policy issues, either willing to propose requirements or contribute technically should get involved.
Who can join the XACML TC?
Anyone who is an individual member of OASIS or is from a company that is an OASIS organization member may join.
What types of XACML TC membership exist?
We have "Prospective Members", "Voting Members", and "Observer" members. Voting members start out as "Prospective Members". See for details . Voting members must attend 2 out of every 3 bi-weekly meetings in order to retain their voting status. Observers can participate fully in the XACML mailing list discussions, but can not vote.
How do I join the XACML TC?
Send e-mail to one or both of the XACML TC Co-Chairs, requesting to become either a "Prospective Member" or an "Observer". Please request "Prospective Member" status only if you intend to attend bi-weekly XACML TC meetings regularly, since non-participating members make it hard for us to reach quorum at our meetings.
The co-chairs and their e-mail addresses are listed on the XACML TC public home page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml .
When are the XACML TC meetings?
General Body meetings are held every other week. Usually there is an informal Focus Group meeting on alternate weeks at the same time, used to delve into particular topics in detail. The schedule for meetings is located at http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml .
What if I want to participate in XACML e-mail discussions, but can't attend bi-weekly meetings?
Individuals eligible to join the XACML TC may join the TC as "observers". See How do I join the XACML TC? .
Anyone may submit e-mail to the XACML comments mailing list at firstname.lastname@example.org .