XACML: Extensible Access Control Mark-up Language


Yesterday, I wrote about SPML and a little about SAML. SAML is an XML-based language for exchanging assertions about identity. SPML is an XML-based language for interacting with identity provisioning systems. There's another important piece in the puzzle: a common format for access requests, policies, and responses. XACML provides just that.

XACML is the language of the Policy Decision Point, or PDP. The PDP is the component that receives access requests (normally from a Policy Enforcement Point, or PEP, the code that actually guards the resource), evaluates them against the applicable policies, and returns a decision: Permit, Deny, NotApplicable, or Indeterminate. The PDP is not necessarily co-located with the store that holds user credentials and attributes. It merely needs to be able to fetch the subject, resource, and environment attributes a policy refers to; XACML calls that source the Policy Information Point (PIP), and subject attributes typically arrive as SAML assertions, since SPML is a provisioning protocol rather than a runtime lookup interface. The PDP could be a module running in the local system or a remote service accessed over the network.
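To make the request/policy/response cycle concrete, here is a small Python PDP written for this post (it is an added example, not code from the original article or any XACML implementation). It parses a constructed XACML 2.0 policy with two rules, builds a context Request from attribute dictionaries, matches Targets using only the `string-equal` function, and combines rule results with `deny-overrides` or `first-applicable`. The policy identifier, the `urn:example:attr:role` attribute, and the resource names are invented for the example.

```python
"""Toy XACML 2.0 Policy Decision Point: evaluate a Request against one Policy.

Added example, not the post's or any product's code. Supports only the
string-equal match function and the deny-overrides / first-applicable
rule-combining algorithms; anything else raises instead of guessing.
"""
import xml.etree.ElementTree as ET

P = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"   # policy namespace
C = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # request/response namespace
STR = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
ROLE = "urn:example:attr:role"                                 # hypothetical attribute id
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: nobody may "delete"; role=physician may "read" the records resource.
POLICY = f"""<Policy xmlns="{P}" PolicyId="urn:example:policy:records" RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="deny-delete" Effect="Deny">
    <Target><Actions><Action>
      <ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">delete</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{STR}"/>
      </ActionMatch>
    </Action></Actions></Target>
  </Rule>
  <Rule RuleId="physician-read" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">physician</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STR}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">urn:example:resource:records</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{STR}"/>
      </ResourceMatch></Resource></Resources>
      <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{STR}">read</AttributeValue>
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{STR}"/>
      </ActionMatch></Action></Actions>
    </Target>
  </Rule>
</Policy>"""


def make_request(subject_attrs, resource_attrs, action_attrs):
    """Build a context Request from {AttributeId: value} dicts (what a PEP would send)."""
    req = ET.Element(f"{{{C}}}Request")
    for tag, attrs in (("Subject", subject_attrs), ("Resource", resource_attrs), ("Action", action_attrs)):
        cat = ET.SubElement(req, f"{{{C}}}{tag}")
        for aid, val in attrs.items():
            a = ET.SubElement(cat, f"{{{C}}}Attribute", AttributeId=aid, DataType=STR)
            ET.SubElement(a, f"{{{C}}}AttributeValue").text = val
    return req


def request_attrs(req):
    """Flatten a Request into {category: {AttributeId: [values]}} for matching."""
    out = {}
    for cat in ("Subject", "Resource", "Action"):
        vals = {}
        for a in req.findall(f"{{{C}}}{cat}/{{{C}}}Attribute"):
            vals.setdefault(a.get("AttributeId"), []).extend(
                v.text for v in a.findall(f"{{{C}}}AttributeValue"))
        out[cat] = vals
    return out


def match_elem(m, attrs):
    """One SubjectMatch/ResourceMatch/ActionMatch: literal equals some value of the designated attribute."""
    if m.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {m.get('MatchId')}")  # fail closed, never silently match
    literal = m.find(f"{{{P}}}AttributeValue").text
    designator = [e for e in m if e.tag.endswith("AttributeDesignator")][0]
    return literal in attrs.get(designator.get("AttributeId"), [])


def target_matches(target, req):
    """Absent or empty Target matches everything. Otherwise every listed category must match,
    where a category matches if any one of its entries has all of its *Match children true."""
    if target is None:
        return True
    for cat in ("Subject", "Resource", "Action"):
        group = target.find(f"{{{P}}}{cat}s")
        if group is None:
            continue
        if not any(all(match_elem(m, req[cat]) for m in entry) for entry in group):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP entry point: returns Permit, Deny or NotApplicable for the request."""
    policy = ET.fromstring(policy_xml)
    req = request_attrs(request)
    if not target_matches(policy.find(f"{{{P}}}Target"), req):
        return "NotApplicable"
    decisions = [r.get("Effect") if target_matches(r.find(f"{{{P}}}Target"), req) else "NotApplicable"
                 for r in policy.findall(f"{{{P}}}Rule")]
    alg = policy.get("RuleCombiningAlgId")
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in decisions else "Permit" if "Permit" in decisions else "NotApplicable"
    if alg == FIRST_APPLICABLE:
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    raise ValueError(f"unsupported combining algorithm {alg}")


def decide(role, action, resource="urn:example:resource:records"):
    """Convenience wrapper: decision for a subject with `role` doing `action` on `resource`."""
    return evaluate(POLICY, make_request({ROLE: role}, {RESOURCE_ID: resource}, {ACTION_ID: action}))


if __name__ == "__main__":
    for role, action in (("physician", "read"), ("physician", "delete"), ("nurse", "read")):
        print(f"{role} {action}: {decide(role, action)}")
```

Two things worth noticing. First, `NotApplicable` is a real outcome (the nurse reading records matches no rule), and it is the PEP's job to treat anything other than `Permit` as a refusal; a PEP that only checks for `Deny` fails open. Second, the evaluator raises on an unknown `MatchId` or combining algorithm rather than returning a default, which is the behaviour you want from anything sitting in the authorization path.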

There are a number of good resources you should look at on XACML: