XACML Architecture.
Figure 4 shows an XACML data-flow diagram. XACML adds one additional component, called a Context Handler, between the PEP and the PDP; it supplies sufficient information for any access request using the Policy Information Point (PIP). The interface from the PIP to the PDP is defined in XACML as a Request Context. The PDP retrieves the applicable access control policies from the Policy Administration Point (PAP) and makes the decision using the relevant policies and the request context. The decision is returned to the PEP via the Context Handler.
[Figure 4: XACML Architecture. Data-flow diagram showing the Access Requester, PEP, Context Handler, PIP, PDP, PAP, Obligations Service, Resource and XACML Policy Repository, with Request/Response and Request Context/Response Context arrows between them. Legend: PEP: Policy Enforcement Point; PIP: Policy Information Point; PAP: Policy Administration Point; PDP: Policy Decision Point.]
Fig. 4. XACML Architecture
Policy Syntax and Semantics.
Each XACML policy is basically specified using a Policy element, which consists of a Target element that specifies the conditions when the policy is applicable, and one or more Rule elements that contain Boolean expressions specifying permit or deny authorization conditions. In addition, a Rule can be evaluated in isolation to form a basic unit of management and can be reused in multiple policies when a PolicySet is used to specify multiple policies simultaneously. XACML also provides a flexible way to extend the semantic knowledge to support application-specific access control policies with an extensible Rule-combining (or Policy-combining) algorithm.
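As an added illustration (not from the original text or any XACML implementation), the following minimal PDP in Python shows how a Policy's Target gates applicability, how each Rule's Target selects its effect, and how the rule-combining algorithm turns the applicable effects into one decision. The sample policy, the "role" attribute id, and the request context (a dictionary of category to attribute-id to value) are constructed for this example; only string-equal matches and two combining algorithms are supported.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"

def match(value, category, attr_id):
    # One string-equal <Match>; MustBePresent="false" makes a missing attribute a non-match.
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{XS}">{value}</AttributeValue><AttributeDesignator '
            f'Category="{category}" AttributeId="{attr_id}" DataType="{XS}" MustBePresent="false"/></Match>')

# Constructed policy: Target limits it to "medical-record"; Rule 1 permits doctors to read, Rule 2 denies the rest.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="p1" Version="1.0"
  RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target><AnyOf><AllOf>{match('medical-record', RESOURCE, 'urn:oasis:names:tc:xacml:1.0:resource:resource-id')}</AllOf></AnyOf></Target>
  <Rule RuleId="doctor-read" Effect="Permit"><Target><AnyOf><AllOf>
    {match('doctor', SUBJECT, 'role')}
    {match('read', ACTION, 'urn:oasis:names:tc:xacml:1.0:action:action-id')}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

def match_ok(m, request):  # request is the Request Context: {category: {attribute-id: value}}
    d = m.find("x:AttributeDesignator", NS)
    actual = request.get(d.get("Category"), {}).get(d.get("AttributeId"))
    return actual == m.find("x:AttributeValue", NS).text

def target_matches(target, request):
    # An absent Target matches everything; AnyOf is OR over AllOf, AllOf is AND over Match.
    if target is None: return True
    return all(any(all(match_ok(m, request) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS))
               for any_of in target.findall("x:AnyOf", NS))

def evaluate(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"  # the Policy Target gates applicability
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(r.find("x:Target", NS), request)]
    alg = policy.get("RuleCombiningAlgId")
    if alg == FIRST_APPLICABLE:
        return effects[0] if effects else "NotApplicable"
    if alg == DENY_OVERRIDES:  # any Deny wins, then any Permit, else NotApplicable
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    raise ValueError(f"unsupported rule-combining algorithm: {alg}")
```

Note that switching the same policy to deny-overrides makes the Target-less default-deny Rule win for every applicable request, so the combining algorithm changes the decision without any change to the Rules.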