XACML
About XACML
XACML stands for “eXtensible Access Control Markup Language” and it is a security policy management standard under the Organization for the Advancement of Structured Information Standards (OASIS). Based on XML, it is both a policy language and a request/response protocol for access control decisions. XACML offers a simple, flexible way to express and enforce authorization policies in complex, dynamic environments.
Here is a typical scenario:
- A user makes a request to access a resource.
- A request is made to a Policy Enforcement Point (PEP), which is protecting the resource.
- The PEP creates an XACML request carrying the attributes of the subject, the resource, the action and the environment, and sends it to the Policy Decision Point (PDP).
- The PDP checks the request against its access control policies to determine whether or not access should be granted to the user.
- The PDP makes an authorization decision and sends a response to the PEP as one of: Permit, Deny, Indeterminate (the PDP could not reach a decision, for example because of an error or a required attribute missing from the request), or Not Applicable (no policy known to the PDP applies to the request).
- The PEP enforces the decision made by the PDP. In the usual deny-biased PEP, only Permit grants access; Deny, Indeterminate and Not Applicable are all treated as a refusal.
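The scenario above, worked through in code as an added example that is not part of the original page and is not BiTKOO's engine: a toy Python PDP that parses a real XACML 3.0 Policy and Request, evaluates rule Targets, combines the rules with the deny-overrides algorithm and returns a Response, plus a deny-biased PEP that builds the request and enforces the answer. The medical-records policy, the attribute ids `urn:example:role` and `urn:example:suspended`, and the sample requests are constructed for illustration; only a subset of XACML 3.0 is implemented (Target/AnyOf/AllOf/Match with string-equal, deny-overrides rule combining, no Conditions, Obligations or PolicySets), so it is a teaching aid, not a conformant engine.

```python
# Toy XACML 3.0 PDP and PEP (constructed example, not any product's engine). Only a subset is
# evaluated: Target/AnyOf/AllOf/Match with string-equal, and deny-overrides rule combining.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STR = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE, SUSPENDED = "urn:example:role", "urn:example:suspended"  # hypothetical attribute ids

def q(tag):  # namespace-qualify an XACML element name for ElementTree
    return f"{{{NS}}}{tag}"

def _match(category, attr_id, value, must_be_present="false"):
    """One <Match>: string-equal(literal, attribute designated from the request)."""
    return (f'<Match MatchId="{STRING_EQUAL}"><AttributeValue DataType="{STR}">{value}'
            f'</AttributeValue><AttributeDesignator Category="{category}" AttributeId="{attr_id}"'
            f' DataType="{STR}" MustBePresent="{must_be_present}"/></Match>')

# Constructed sample policy: doctors may read medical records, but a suspended subject is
# always refused; deny-overrides lets the Deny rule win over the Permit rule.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="urn:example:records" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}"><Target/>
  <Rule RuleId="doctors-read-records" Effect="Permit"><Target><AnyOf><AllOf>
    {_match(SUBJECT, ROLE, 'doctor', 'true')}{_match(RESOURCE, RESOURCE_ID, 'medical-record')}
    {_match(ACTION, ACTION_ID, 'read')}</AllOf></AnyOf></Target></Rule>
  <Rule RuleId="suspended-subjects" Effect="Deny"><Target><AnyOf><AllOf>
    {_match(SUBJECT, SUSPENDED, 'true')}</AllOf></AnyOf></Target></Rule></Policy>"""

def build_request(attributes):
    """PEP side: serialise {(category, attribute_id): value} as a XACML 3.0 <Request>."""
    by_cat = {}
    for (category, attr_id), value in attributes.items():
        by_cat.setdefault(category, []).append(f'<Attribute AttributeId="{attr_id}" IncludeInResult="false">'
                                               f'<AttributeValue DataType="{STR}">{value}</AttributeValue></Attribute>')
    body = "".join(f'<Attributes Category="{c}">{"".join(a)}</Attributes>' for c, a in by_cat.items())
    return f'<Request xmlns="{NS}" ReturnPolicyIdList="false" CombinedDecision="false">{body}</Request>'

def _eval_match(match, req):
    literal, d = match.find(q("AttributeValue")).text, match.find(q("AttributeDesignator"))
    path = (f"{q('Attributes')}[@Category='{d.get('Category')}']/{q('Attribute')}"
            f"[@AttributeId='{d.get('AttributeId')}']/{q('AttributeValue')}")
    values = [v.text for v in req.findall(path)]
    if not values:  # a missing *required* attribute is an error, not merely a non-match
        return "Indeterminate" if d.get("MustBePresent") == "true" else "NoMatch"
    return "Match" if literal in values else "NoMatch"  # string-equal against any bag member

def _fold(results, need_all):
    """Target/AllOf need every child to match, AnyOf needs one; NoMatch beats Indeterminate (sec. 7.7)."""
    hits, misses = results.count("Match"), results.count("NoMatch")
    if need_all:
        return "Match" if hits == len(results) else "NoMatch" if misses else "Indeterminate"
    return "Match" if hits else "NoMatch" if misses == len(results) else "Indeterminate"

def _eval_target(target, req):
    return _fold([_fold([_fold([_eval_match(m, req) for m in allof.findall(q("Match"))], True)
                         for allof in anyof.findall(q("AllOf"))], False)
                  for anyof in target.findall(q("AnyOf"))], True)

def _eval_rule(rule, req):
    outcome, effect = _eval_target(rule.find(q("Target")), req), rule.get("Effect")
    if outcome == "Match":
        return effect
    return "NotApplicable" if outcome == "NoMatch" else "Indeterminate{%s}" % effect[0]  # extended

def deny_overrides(decisions):
    """XACML 3.0 deny-overrides rule combining (core spec, appendix C.2)."""
    ind_d = "Indeterminate{D}" in decisions or "Indeterminate{DP}" in decisions
    ind_p = "Indeterminate{P}" in decisions or "Indeterminate{DP}" in decisions
    if "Deny" in decisions:
        return "Deny"
    if ind_d:
        return "Indeterminate{DP}" if ind_p or "Permit" in decisions else "Indeterminate{D}"
    if "Permit" in decisions:
        return "Permit"
    return "Indeterminate{P}" if ind_p else "NotApplicable"

def pdp_evaluate(policy_xml, request_xml):
    """PDP: evaluate the request against the policy; returns (decision, <Response> XML)."""
    policy, req = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    assert policy.get("RuleCombiningAlgId") == DENY_OVERRIDES, "only deny-overrides is implemented"
    rules = policy.findall(q("Rule")) if _eval_target(policy.find(q("Target")), req) != "NoMatch" else []
    decision = deny_overrides([_eval_rule(r, req) for r in rules]).split("{")[0]  # wire form: 4 values
    return decision, f'<Response xmlns="{NS}"><Result><Decision>{decision}</Decision></Result></Response>'

def pep_allows(policy_xml, attributes):
    """PEP: deny-biased, only an explicit Permit opens the door; Deny, NotApplicable, Indeterminate refuse."""
    decision, _ = pdp_evaluate(policy_xml, build_request(attributes))
    return decision == "Permit", decision

if __name__ == "__main__":
    base = {(RESOURCE, RESOURCE_ID): "medical-record", (ACTION, ACTION_ID): "read"}
    for who in ({(SUBJECT, ROLE): "doctor"}, {(SUBJECT, ROLE): "nurse"}, {}):
        print(who, "->", pep_allows(POLICY_XML, {**base, **who}))
```

Two details are worth noticing when running it. A nurse gets NotApplicable rather than Deny, because no rule matches her; a request that omits the role attribute altogether gets Indeterminate, because the designator is marked MustBePresent="true" and a missing required attribute is an error rather than a silent non-match. A PEP that treated anything other than Deny as permission would let both of those through, which is why the enforcement point only acts on an explicit Permit.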
Key Benefits
XACML offers several key advantages over using existing proprietary and application-specific languages for access control:
- Standardized Method for Authorization – Prior to XACML, application vendors created their own rules and methods for access control. Security and IT administrators managing those applications had to rewrite the same access control policies numerous times in different languages. With XACML, administrators write a policy once and it can be used by many different kinds of applications. Furthermore, as XACML becomes more widely adopted, it facilitates the interoperability of policy between applications from different vendors, and between policy management systems from different vendors.
- Externalization/Centralization of Authorization – Rather than creating and relying on authorization decisions within each application, having these decisions take place at an external PDP allows for policies to be managed centrally, and for policy changes to be implemented immediately and consistently across an organization. Application administrators can focus on business issues instead of the technicalities of implementing authorization policies for their applications.
- Powerful, Robust Standard – XACML 3.0 can accommodate a broad range of access-control policy needs. It supports a wide variety of data types, functions, and rules, and these can be extended with custom domain-specific data types and functions. Policies can reference other policies maintained in separate locations: in a distributed environment, different people or groups can manage their own pieces of the policy, and a combining algorithm (such as deny-overrides or first-applicable) folds the individual results into one decision. XACML also has a defined profile for carrying requests and responses in SAML, and a PDP can pull attributes from sources such as LDAP directories through a Policy Information Point (PIP), which further increases its operational and cost-saving value. Finally, a XACML PDP is essentially stateless, since each request carries the attributes needed to evaluate it, which allows the same PDP to be replicated across multiple servers for enterprise-level performance and scalability.
BiTKOO Approach
BiTKOO is an active member of OASIS and participates in the development of the latest XACML standards.
To maximize interoperability and authorization control for our customers, BiTKOO fully supports the XACML 3.0 standard in its fine-grained authorization and entitlement management solutions. The BiTKOO XACML engine uses advanced caching algorithms and compiles XACML policies thereby achieving performance gains of more than 500 times that of other solutions in the market today.