XACML stands for eXtensible Access Control Markup Language.

XACML is a Policy Based Management System that defines a declarative Access Control policy language implemented in XML and a processing model describing how to evaluate authorization requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between authorization implementations by multiple vendors.

XACML is primarily an Attribute Based Access Control (ABAC) system, where attributes associated with an Entity or Resource Action or resource are inputs into the decision of whether a given Entity may access a given resource and perform a particular Resource Action.

Role Based Access Control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of the authorization decision from the point of use. When authorization decisions are baked into client applications (or based on local machine users and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes. When the client is decoupled from the authorization decision, authorization policies can be updated on the fly and affect all clients immediately.

Core RBAC and XACML#

Core RBAC, includes the following five basic data elements:
  • Users - Users are implemented using XACML Subjects. Any of the XACML Subject Category values may be used, as appropriate.
  • Roles - Roles are expressed using one or more XACML Subject Attributes. The set of roles is very application and policy domain-specific, and it is very important that different uses of roles not be confused. For these reasons, XACML is not attempting to define any standard set of roles. It is recommended that each application or policy domain agree on and publish a unique set of AttributeId values, DataType values, and <AttributeValue> values that will be used for the various roles relevant to that domain.
  • Objects - Objects are expressed using XACML Resources.
  • Operations - Operations are expressed using XACML Actions.
  • Permissions - Permissions are expressed using XACML Role <PolicySet> (RPS) and Permission <PolicySet> (PPS) instances as described in previous sections.

Core RBAC requires support for multiple users per role, multiple roles per user, multiple permissions per role, and multiple roles per permission. Each of these requirements can be satisfied by XACML policies based on this Profile as follows. Note, however, that the actual assignment of roles to users is outside the scope of the XACML PDP.

XACML Versions#

  • version 2.0 was ratified by OASIS standards organization on 1 February 2005. As of 2007,
  • version 3.0 adds generic attribute categories for the evaluation context and policy delegation profile (administrative policy profile) was standardized in January 2013

For the latest information visit the OASIS eXtensible Access Control Markup Language (XACML) TC site and their Wiki.


REST Profile of XACML defines details of RESTful services that conforming XACML implementations must support.

More Information#

There might be more information for this subject on one of the following:
  • [#1] - XACML - based on information retrieved 2013-09-06