XACML stands for eXtensible Access Control Markup Language.

The XACML standard defines a declarative access Control policy language implemented in XML and a processing model describing how to evaluate authorization requests according to the rules defined in policies.

As a published standard specification, one of the goals of XACML is to promote common terminology and interoperability between authorization implementations by multiple vendors.

XACML is primarily an Attribute Based Access Control system (ABAC), where attributes associated with a user or action or resource are inputs into the decision of whether a given user may access a given resource in a particular way.

Role-based access control (RBAC) can also be implemented in XACML as a specialization of ABAC.

The XACML model supports and encourages the separation of the authorization decision from the point of use. When authorization decisions are baked into client applications (or based on local machine userids and Access Control Lists (ACLs)), it is very difficult to update the decision criteria when the governing policy changes. When the client is decoupled from the authorization decision, authorization policies can be updated on the fly and affect all clients immediately.

Core RBAC and XACML#

Core RBAC, includes the following five basic data elements:
  • Users - Users are implemented using XACML Subjects. Any of the XACML Subject Category values may be used, as appropriate.
  • Roles - Roles are expressed using one or more XACML Subject Attributes. The set of roles is very application and policy domain-specific, and it is very important that different uses of roles not be confused. For these reasons, XACML is not attempting to define any standard set of roles. It is recommended that each application or policy domain agree on and publish a unique set of AttributeId values, DataType values, and <AttributeValue> values that will be used for the various roles relevant to that domain.
  • Objects - Objects are expressed using XACML Resources.
  • Operations - Operations are expressed using XACML Actions.
  • Permissions - Permissions are expressed using XACML Role <PolicySet> (RPS) and Permission <PolicySet> (PPS) instances as described in previous sections.

Core RBAC requires support for multiple users per role, multiple roles per user, multiple permissions per role, and multiple roles per permission. Each of these requirements can be satisfied by XACML policies based on this Profile as follows. Note, however, that the actual assignment of roles to users is outside the scope of the XACML PDP.


  • version 2.0 was ratified by OASIS standards organization on 1 February 2005. As of 2007,
  • version 3.0 is in preparation and will add generic attribute categories for the evaluation context and policy delegation profile (administrative policy profile).

For the latest information visit the OASIS eXtensible Access Control Markup Language (XACML) TC site and their Wiki.

More Information#

There might be more information for this subject on one of the following:
  • [#1] - XACML - based on information retrieved 2013-09-06

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-6) was last changed on 18-Aug-2015 15:27 by jim