ITU-T X.1144 PDF

This Recommendation defines the eXtensible Access Control Markup Language (XACML) Version 3.0. It defines a common language for expressing security policy. The motivation behind XACML is to develop an XML based policy language that can be used:

- To provide a method for flexible definition of the procedure by which rules and policies are combined.

- To provide a method for dealing with multiple subjects acting in different capacities.

- To provide a method for basing an authorization decision on attributes of the subject and resource.

- To provide a method for dealing with multi-valued attributes.

- To provide a method for basing an authorization decision on the contents of an information resource.

- To provide a set of logical and mathematical operators on attributes of the subject, resource and environment.

- To provide a method for handling a distributed set of policy components, while abstracting the method for locating, retrieving and authenticating the policy components.

- To provide a method for rapidly identifying the policy that applies to a given action, based upon the values of attributes of the subject, resource and action.

- To provide an abstraction-layer that insulates the policy-writer from the details of the application environment.

- To provide a method for specifying a set of actions that must be performed in conjunction with policy enforcement.

The core XACML solutions are included in this Recommendation. Clause 7 develops XACML models. Clause 8 develops policy language. Clause 10 develops policy processing rules. Clause 11 develops guidelines for implementers.