Question

I'm new to XACML (the eXtensible Access Control Markup Language), and I'm a bit confused. I don't get what a profile is. For example the RBAC or SAML profiles.

What's the difference among them? Isn't the structure and elements always the same?

Thank you for your help


Solution

There are two things that XACML profiles specify: which AttributeId should be used for certain pieces of information, and a specific structure the policy should take.

XACML is powerful, mainly due to its flexibility, but this flexibility comes at a cost when you want to exchange policies between organizations. For example, one organization might use the identifier "login-id" to specify a user's account name whereas another might use "username". Profiles can define well-known identifiers for this attribute.

Specifying the structure can be useful when higher-level management interfaces are built on top of some policy. It's often necessary to extract information from the policy and present it to the user, and limiting the structure in a profile can be a way to document what is expected.

Profiles can also be used as a "here's a way to do this use case in XACML" type of document, which saves customers and vendors re-implementing the wheel.

OTHER TIPS

There are two types of profiles to consider in XACML:

  1. Profiles that define best practices on how to use XACML to express well-defined scenarios such as export control, intellectual property protection, and role-based access control. These are the profiles Craig mentions. Those profiles do not require any particular technical implementation on behalf of an XACML engine other than the core XACML 2.0/3.0 language. They define a set of common attributes, their identifiers, their possible values, and their use in possible policies. See, as an example, the IP Protection profile here: http://docs.oasis-open.org/xacml/3.0/ipc/xacml-3.0-ipc-v1-spec-cs-01-en.pdf. These profiles aim at defining interoperable ways of expressing common requirements.
  2. Profiles that extend the technical use/scope of XACML 2.0/3.0. Such profiles require a technical implementation on behalf of the engine used. Such profiles include the SAML profile of XACML, the Multiple Decision Profile, and the Administrative Delegation Profile. The Multiple Decision Profile, for instance, defines how a policy enforcement point can send multiple authorization requests within a single overall XACML request. These profiles aim at extending the technical range of XACML.

I hope this helps, David.
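Worked example, added here and not part of either answer above: a minimal evaluator for a subset of XACML 3.0 that illustrates both points. It uses the real identifiers from the XACML 3.0 core specification and the RBAC profile (the access-subject, resource and action categories, `resource-id`, `action-id` and the RBAC profile's `urn:oasis:names:tc:xacml:2.0:subject:role`), and shows first that a request carrying the role under a local, non-profile identifier (the hypothetical `urn:example:login-role`) silently matches nothing, and second how the Multiple Decision Profile's repeated-category form turns one request with two resource `<Attributes>` elements into two individual decisions. The policy is held as a Python structure standing in for a `<Policy>` element (a set of category/attribute-id/value triples per rule, combined first-applicable), the `request` helper and the sample requests are constructed for this example, and the evaluator handles only equality matches, not XACML functions or obligations.

```python
import itertools
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

# Well-known identifiers from the XACML 3.0 core spec and the RBAC profile.
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Example policy written against the profile's identifiers. This structure stands in
# for an XACML <Policy>: each rule is (target, effect), where the target is a set of
# (category, attribute-id, value) triples that must all be present in the request.
# Rule-combining algorithm: first-applicable; no rule matching -> NotApplicable.
POLICY = [
    ({(CAT_SUBJECT, ROLE_ID, "doctor"),
      (CAT_RESOURCE, RESOURCE_ID, "patient-record"),
      (CAT_ACTION, ACTION_ID, "read")}, "Permit"),
    ({(CAT_SUBJECT, ROLE_ID, "accountant"),
      (CAT_RESOURCE, RESOURCE_ID, "invoice"),
      (CAT_ACTION, ACTION_ID, "read")}, "Permit"),
]


def parse_request(xml_text):
    """Return {category: [{attribute-id: set(values)}, ...]}.

    A category may appear more than once; that repetition is what the Multiple
    Decision Profile's repeated-category form relies on.
    """
    root = ET.fromstring(xml_text)
    categories = {}
    for attrs in root.findall("x:Attributes", NS):
        bag = {}
        for attr in attrs.findall("x:Attribute", NS):
            values = {v.text for v in attr.findall("x:AttributeValue", NS)}
            bag.setdefault(attr.get("AttributeId"), set()).update(values)
        categories.setdefault(attrs.get("Category"), []).append(bag)
    return categories


def expand(categories):
    """Multiple Decision Profile (repeated categories): one individual request
    per combination of the repeated <Attributes> elements."""
    names = list(categories)
    combos = itertools.product(*(categories[n] for n in names))
    return [dict(zip(names, combo)) for combo in combos]


def evaluate(policy, individual):
    """First-applicable: the effect of the first rule whose target is satisfied."""
    for target, effect in policy:
        if all(value in individual.get(cat, {}).get(attr_id, set())
               for cat, attr_id, value in target):
            return effect
    return "NotApplicable"


def decide(policy, xml_text):
    """One decision per individual request, in the order the PDP formed them."""
    return [evaluate(policy, ind) for ind in expand(parse_request(xml_text))]


def request(*attributes_blocks):
    """Build an XACML 3.0 <Request> from (category, [(attribute-id, value), ...]) tuples
    (constructed helper for this example)."""
    body = ""
    for category, pairs in attributes_blocks:
        attrs = "".join(
            f'<Attribute AttributeId="{aid}" IncludeInResult="false">'
            f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{val}</AttributeValue>'
            f'</Attribute>' for aid, val in pairs)
        body += f'<Attributes Category="{category}">{attrs}</Attributes>'
    return (f'<Request xmlns="{XACML_NS}" CombinedDecision="false" '
            f'ReturnPolicyIdList="false">{body}</Request>')


# Constructed sample requests.
# 1. Interoperable: the PEP sends the role under the RBAC profile's identifier.
INTEROP = request(
    (CAT_SUBJECT, [(ROLE_ID, "doctor")]),
    (CAT_RESOURCE, [(RESOURCE_ID, "patient-record")]),
    (CAT_ACTION, [(ACTION_ID, "read")]))

# 2. Same facts, but the role travels under a local, hypothetical identifier:
#    the policy never sees a role, so no rule applies.
LOCAL_NAME = request(
    (CAT_SUBJECT, [("urn:example:login-role", "doctor")]),
    (CAT_RESOURCE, [(RESOURCE_ID, "patient-record")]),
    (CAT_ACTION, [(ACTION_ID, "read")]))

# 3. Multiple Decision Profile: the resource category is repeated, so the PDP
#    forms two individual requests and returns one result for each.
MULTI = request(
    (CAT_SUBJECT, [(ROLE_ID, "doctor")]),
    (CAT_RESOURCE, [(RESOURCE_ID, "patient-record")]),
    (CAT_RESOURCE, [(RESOURCE_ID, "invoice")]),
    (CAT_ACTION, [(ACTION_ID, "read")]))

if __name__ == "__main__":
    print(decide(POLICY, INTEROP))     # ['Permit']
    print(decide(POLICY, LOCAL_NAME))  # ['NotApplicable']
    print(decide(POLICY, MULTI))       # ['Permit', 'NotApplicable']
```

The second request is the interoperability failure the first answer describes: nothing is syntactically wrong with it, the PDP just returns NotApplicable because the policy and the PEP disagree on the AttributeId, which is exactly what a profile's fixed identifiers prevent. The third request is the profile type the second answer puts in its second category: the engine itself has to know how to split the request and return several results, so a PDP that only implements the core language would reject or misread it.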

Licensed under: CC-BY-SA with attribution