XACML: Setting enterprise access rules, policies
06 March, 2014
category: Corporate, Digital ID, Government, Health
Digital identity is becoming increasingly important as enterprises strive to protect and control access to online resources. A series of maturing standards is helping make identity management and single sign-on a reality for organizations deploying systems.
As 2013 came to a close SecureIDNews.co
Ensuring that only properly authorized individuals have access to necessary data is a basic tenet of access control systems. The eXtensible Access Control Markup Language – XACML, pronounced “zak-mil” – is the identity standard that enables enterprises to enforce access rules.
“It enables enterprises to manage and enforce a wide array of access rules in a standardized, policy-based way,” says Gerry Gebel, president at Axiomatics Americas, a provider of attribute-based access control solutions.
Some enterprises can have hundreds, if not thousands, of applications for users, Gebel says. Making sure the user is able to access only the necessary data in the proper application is important.
Look at the health care market. Doctors need to be able to access and change patient records while nurses will have different access rules than technicians or those working in the hospital billing office. “It can be set up so that doctors can update patient records assigned to their clinic,” Gebel explains. “Nurses can update records for patients in their department but not others.”
The standard enables enterprises to have a central access policy definition. Developers don’t have to write their own access logic but instead can call into the policy services for access permissions. “XACML would enable you to codify the rules for what person can access which data and resources,” Gebel says.
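To show what the hospital rules above look like once they are codified as central policy rather than per-application code, here is an added illustration (not from the article, Axiomatics, or any XACML implementation): a small policy decision point that mirrors XACML's Policy/Rule/Target/Condition/Effect model with deny-overrides combining, plus the enforcement-point call a developer would make instead of writing access logic. The attribute names, the "sealed record" deny rule and the request layout are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request carries attribute bags per XACML category: subject, resource, action.
Request = Dict[str, Dict[str, str]]


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]             # which requests the rule is about
    condition: Callable[[Request], bool] = lambda req: True  # extra attribute test


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        """Deny-overrides combining: any Deny wins, then Permit, else NotApplicable."""
        effects = [r.effect for r in self.rules if r.target(req) and r.condition(req)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


def is_record_update(req: Request) -> bool:
    """Shared target: an 'update' action on a patient record (constructed attribute ids)."""
    return req["action"].get("id") == "update" and req["resource"].get("type") == "patient-record"


HOSPITAL_POLICY = Policy("hospital-records", [
    # Doctors can update records assigned to their own clinic.
    Rule("doctor-own-clinic", "Permit",
         target=lambda r: is_record_update(r) and r["subject"].get("role") == "doctor",
         condition=lambda r: r["subject"].get("clinic") == r["resource"].get("clinic")),
    # Nurses can update records for patients in their own department only.
    Rule("nurse-own-department", "Permit",
         target=lambda r: is_record_update(r) and r["subject"].get("role") == "nurse",
         condition=lambda r: r["subject"].get("department") == r["resource"].get("department")),
    # Constructed extra rule to exercise deny-overrides: sealed records are never updated.
    Rule("sealed-record", "Deny",
         target=lambda r: is_record_update(r) and r["resource"].get("sealed") == "true"),
])


def pep_allows(policy: Policy, subject: Dict[str, str], resource: Dict[str, str], action: str) -> bool:
    """Policy Enforcement Point: only an explicit Permit grants access; NotApplicable is treated as deny."""
    req: Request = {"subject": subject, "resource": resource, "action": {"id": action}}
    return policy.evaluate(req) == "Permit"
```

Because roles such as billing staff match no rule, they get NotApplicable and the enforcement point falls back to deny by default.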
XACML has been around for a long time and has no competing standards, Gebel says. It’s hit the early adopters and is about to take off in the mass market. “If you look across the markets – government, manufacturing, etc. – all these groups have the same pain points; they need to share data but it’s difficult to restructure and filter that data, which is why you see exposure and loss,” he explains.
One of the keys to mass adoption is making XACML easy to use, Gebel says. “The tools using XACML have to hide the complexity, but make the functionality easily consumed,” he says. “That’s where you see vendors improving the policy authorization functionality and the developer interfaces.”
A knock against XACML is that it uses XML – Extensible Markup Language – a markup language used for encoding documents on the web. Many developers now like to use JSON, JavaScript Object Notation, a text-based open standard designed for human-readable data interchange, or REST, Representational State Transfer, a style that abstracts the architectural elements within a distributed system.
XACML standards workers are attempting to remedy this issue by creating REST and JSON profiles for the access rules standard, Gebel says. These new profiles will be approved by mid-2014. “Developers will be able to more easily work with lighter weight formats and protocols and won’t be stuck with XML,” he adds.