What is the XACML TC?
It is a Technical Committee of the OASIS standards
organization focused on development of a standard
access control policy language. "XACML" stands for
"eXtensible Access Control Markup Language". The full
charter is at
http://www.oasis-open.org/committees/xacml/charter.php.
What is the need for such a standard?
Currently, there are many proprietary or
application-specific access control policy languages.
This means policies cannot be shared across different
applications, which provides little incentive to develop
good policy composition tools. Many of the existing
languages do not support distributed policies, are not
extensible, or are not expressive enough to meet new
requirements. XACML enables use of arbitrary attributes
in policies, role based access control, security labels,
time/date-based policies, indexable policies, "deny"
policies, and dynamic policies, all without requiring
changes to the applications that use XACML.
Who will benefit from this work and how?
Every developer, user, or maintainer of applications
that require secure authorization will benefit.
What has the XACML TC produced to date?
In February of 2003, OASIS approved XACML Version 1.0 as an
OASIS Standard. In August of 2003, the XACML TC
approved XACML Version 1.1 as an OASIS Committee
Specification. The TC has not yet determined whether
this should advance to OASIS Standard (not because it
is not good enough :-), but because it contains only
clarifications and minor changes, and does not change
the Version 1.0 schemas).
Links to these documents are available on the XACML TC
public home page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
How does this work compare with related efforts at
other standards organizations?
No other standard access control language written in
XML currently exists. Related efforts include:
The OASIS Security Services Technical Committee
has defined the Security Assertion Markup Language
(SAML). XACML is an outgrowth of work to support
SAML's AuthorizationDecisionQuery protocol, although it is
not intended to be limited to use with that protocol.
There is currently a mismatch between the SAML 1.0
syntax and the XACML 1.0 Request syntax, although it is
possible to reconcile them with an XSLT. There are
plans to resolve this mismatch in SAML 2.0.
ISO 10181-3 defines an architecture for access
control, but not a language. In ISO 10181-3 terms,
XACML 1.0 specifies an
"Access Control Decision Function" (ADF), and defines
its interactions with
an "Access Control Enforcement Point" (AEF).
The IETF and Distributed Management Task
Force (DMTF) have specified a framework for policies, but not a
language. In IETF/DMTF terms, XACML 1.0 defines a "Policy
Decision Point" (PDP), and defines its interactions
with a "Policy Enforcement Point" (PEP).
The Open Group has defined an
Authorization (AZN) API, but not a language for
authorization policies themselves. The XACML TC
does not define an API, but is designed to work
well with SAML AuthorizationDecisionQuery and its
related protocols.
ANSI is currently in the process of
standardizing a framework and API
for Role Based
Access Control. See for more
information. The XACML TC is developing an
XACML Profile for Role Based Access Control that
satisfies the requirements of the proposed ANSI
framework.
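The PDP/PEP split and the "deny" policies, role attributes and time/date conditions mentioned above can be seen in a small model. The Python below is an added illustration written for this page; it is not code from the XACML TC, the XACML schema, or any XACML implementation. The four decision values and the ordering of the deny-overrides combining algorithm follow XACML 1.0, but the attribute names, rule ids and sample policy are constructed for the example.

```python
"""Illustrative model of an XACML-style PDP/PEP split (not XACML's schema
or any XACML implementation): attribute-based rules with Permit/Deny effects,
role attributes, a time-of-day condition, and deny-overrides combining."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List

# The four decision values XACML 1.0 defines for a PDP response.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Request:
    """Attributes grouped as in an XACML 1.0 request context (subject,
    resource, action, environment). The attribute names used below are
    made up for this example."""
    subject: Dict[str, object] = field(default_factory=dict)
    resource: Dict[str, object] = field(default_factory=dict)
    action: Dict[str, object] = field(default_factory=dict)
    environment: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY
    target: Callable[[Request], bool]  # which requests the rule applies to
    condition: Callable[[Request], bool] = lambda req: True


def evaluate_rule(rule: Rule, req: Request) -> str:
    """A rule yields its effect when target and condition both hold,
    NotApplicable when either does not, and Indeterminate when an
    attribute it needs is missing or malformed."""
    try:
        if not rule.target(req):
            return NOT_APPLICABLE
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except (KeyError, TypeError, ValueError, AttributeError):
        return INDETERMINATE


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Deny-overrides rule combining in the order XACML 1.0 gives it: any
    Deny wins; an Indeterminate from a Deny-effect rule counts as Deny;
    then Permit; then Indeterminate; otherwise NotApplicable."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in rules:
        decision = evaluate_rule(rule, req)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


class PDP:
    """Policy Decision Point: holds the rules and answers decision requests."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, req: Request) -> str:
        return deny_overrides(self.rules, req)


class PEP:
    """Policy Enforcement Point: asks the PDP and lets the action through only
    on an explicit Permit, so Indeterminate and NotApplicable fail closed."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def is_allowed(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT


def during_business_hours(req: Request) -> bool:
    now = req.environment["current-time"]  # missing attribute -> Indeterminate
    return time(9, 0) <= now <= time(17, 0)


def payroll_read(req: Request) -> bool:
    return req.resource.get("type") == "payroll" and req.action.get("id") == "read"


# Constructed sample policy: HR may read payroll at any time; contractors may
# read it only during business hours, expressed with an explicit deny rule.
SAMPLE_RULES = [
    Rule("deny-contractor-after-hours", DENY,
         target=lambda r: "contractor" in r.subject.get("roles", ()) and payroll_read(r),
         condition=lambda r: not during_business_hours(r)),
    Rule("permit-hr-read-payroll", PERMIT,
         target=lambda r: "hr" in r.subject.get("roles", ()) and payroll_read(r)),
    Rule("permit-contractor-read-payroll", PERMIT,
         target=lambda r: "contractor" in r.subject.get("roles", ()) and payroll_read(r)),
]


def sample_decision(roles, action="read", current_time=None) -> str:
    """Build a constructed request and run it through the sample PDP."""
    env = {} if current_time is None else {"current-time": current_time}
    req = Request(subject={"roles": list(roles)}, resource={"type": "payroll"},
                  action={"id": action}, environment=env)
    return PDP(SAMPLE_RULES).decide(req)


if __name__ == "__main__":
    for roles, when in ((["contractor"], time(10, 0)), (["contractor"], time(22, 0)),
                        (["hr"], time(22, 0)), (["contractor"], None), (["guest"], time(10, 0))):
        print(roles, when, "->", sample_decision(roles, current_time=when))
```

The contractor request with no time attribute is the case worth noticing: the deny rule cannot be evaluated, so it returns Indeterminate, and because its effect is Deny the combining algorithm treats that as a potential Deny rather than letting the contractor's Permit rule win. The PEP only acts on an explicit Permit, which keeps enforcement fail-closed whatever the PDP returns.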
What are the current activities of the XACML TC?
There are pointers to our current working drafts on
the XACML TC public home page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
These include XACML profiles for web services policy,
XML Digital Signature, and Role Based Access
Control.
In addition, the TC is working on major extensions to
XACML that would go into XACML 2.0. Periodically, a
list of the current work items under consideration is
posted to the XACML TC mailing list.
There is not yet a schedule for completion of these
activities, but all are being actively developed.
Where are the archives for the XACML TC mailing
lists?
The archives are located at
http://lists.oasis-open.org/archives/xacml/. These are
publicly viewable.
There is also a mailing list of comments received,
primarily during the public review period leading up to
the 1.1 standard. This mailing list is archived at
http://lists.oasis-open.org/archives/xacml-comment/.
Who should be involved in the XACML TC?
Anyone with an interest in access control,
authorization, entitlement and related policy issues,
either willing to propose requirements or contribute
technically should get involved.
Who can join the XACML TC?
Anyone who is an individual member of OASIS or is from
a company that is an OASIS organization member may
join.
What types of XACML TC membership exist?
We have "Prospective Members", "Voting Members", and
"Observer" members. Voting members start out as
"Prospective Members". See
for details.
Voting members must attend 2 out of every 3
bi-weekly meetings in order to retain their voting
status. Observers can participate fully in the XACML mailing
list discussions, but cannot vote.
How do I join the XACML TC?
Send e-mail to one or both of the XACML TC
Co-Chairs, requesting to become either a "Prospective
Member" or an "Observer". Please request "Prospective
Member" status only if you intend to attend bi-weekly
XACML TC meetings regularly, since non-participating
members make it hard for us to reach quorum at our
meetings.
The co-chairs and their e-mail addresses are listed
on the XACML TC public home page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
When are the XACML TC meetings?
General Body meetings are held every other week.
Usually there is an informal Focus Group meeting on
alternate weeks at the same time, used to delve into
particular topics in detail. The schedule for meetings
is located at
http://www.oasis-open.org/committees/calendar.php?wg_abbrev=xacml.
What if I want to participate in XACML e-mail
discussions, but can't attend bi-weekly meetings?
Individuals eligible to join the XACML TC may join the
TC as "observers". See "How do I
join the XACML TC?" above.
Anyone may submit e-mail to the XACML comments mailing
list at xacml-comment@lists.oasis-open.org.