
The most recent patch for this version is 26.1.1.

Version: 26.1

Glossary

A

Access control

Control that determines whether an actor is allowed to perform a requested action on a given information asset in accordance with a policy or policy set.

ALFA

The Abbreviated Language for Authorization (ALFA) is a domain-specific language for XACML policies. Its syntax resembles that of common programming languages, which makes it easy for developers to work with. It presents domain-specific information such as attribute identifiers in compact form and can be compiled into XACML 3.0.

Attribute

Attributes define the actor (subject), the information asset to which the actor wants access (resource), what the actor wants to do with it (action) and under what circumstances (environment). Attributes are used in Targets and Conditions.

Attribute Connector

An object in the Axiomatics Services Manager that represents an attribute source. An Attribute Connector contains information about the type of attribute source (LDAP, SQL), the XACML attributes it provides, and how to obtain them (query strings specific to the PIP type and instance).

Authorization decision

The result of a policy evaluation returned by the Authorization Service, such as a PDP, to the requesting client, a PEP. For a PDP, the decision returned should conform with the XACML standard - policies evaluate to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations and advice.

Authorization Domain

Authorization Domains are aggregates of domain data (policies, attributes, attribute connectors, etc.) used to evaluate an access request and produce a permit or deny response.

C

Cache Configuration

A configuration object that allows the user to define how attributes are to be cached.

Combining algorithm

A combining algorithm determines how the elements in a policy tree are combined to render a final result. One set of combining algorithms is available for Policies and another for Rules. For example, "Deny-overrides" means that even if several Rules evaluate to Permit, a single Deny still leads to a Deny decision.

Condition

Conditions are optional elements within Rules used to create a Boolean expression. A Condition can compare attribute values with one another, and can use nested functions and attributes to create complex expressions. The Effect of a Rule applies if the Condition evaluates to True. If the evaluation fails with an error for some reason, the result is Indeterminate. If the Condition does not apply, the result of the Rule evaluation is NotApplicable.

E

Effect

The decision (PERMIT or DENY) which is returned by a Rule evaluation if all its conditions are satisfied. The evaluation of the Policy in which the Rule resides may still lead to a different decision since Rules are combined using a Combining Algorithm.

Environment attribute

Attribute describing the context in which an actor (defined by subject attributes) requests access to a resource (defined by resource attributes). Examples include the date or time of day, the authentication method, or the device from which access was requested.

P

PDP

The Policy Decision Point (PDP) is a central part of the XACML Reference Architecture. It evaluates an applicable policy and renders an authorization decision.

PEP

The Policy Enforcement Point (PEP) is the component that enforces access control decisions made by a PDP. The PEP 1) intercepts access requests in the system it protects and 2) sends a corresponding XACML request to a PDP and then finally 3) takes actions to enforce the decision mandated by the PDP. Users of Axiomatics Policy Server (APS) have access to SDKs that simplify the implementation of PEPs in different environments.

PIP

A Policy Information Point (PIP) is an abstract component in the XACML Reference Architecture. It represents a provider of attribute values during a policy evaluation. In Axiomatics Policy Server (APS) Attribute Connectors simplify the implementation of PIPs.

Policy

A Policy is a top-level node in an XACML policy structure. A Policy node in the Policy Tree can be a child of a Policy Set or Policy Package. A Policy can have a Target, and it can have one or more Rules as children. The difference between a Policy and a Policy Set is that the Policy Set can contain multiple Policies and Policy Sets, whereas the Policy contains multiple Rules.

Policy Set

A Policy Set is a top-level node in an XACML policy structure. It can be a child of a Policy Package or of another Policy Set. A Policy Set can have a Target, and multiple Policies, Policy Sets, or Policy References as children. A Policy Set can contain multiple Policies and Policy Sets, but, unlike a Policy, a Policy Set cannot contain Rules.

R

Rule

Rules are children of Policies. A Rule has the Effect of Permit or Deny. A rule can have a Target, a Condition, or both. Note: According to the XACML standard, a Rule can also contain elements of type Obligation or Advice. If you have Obligations or Advice written in the stand-alone Java program included in the package or in the Policy Editor within the Axiomatics Services Manager, the Authorization Service properly includes them in authorization decisions.

T

Target

A Target defines the applicability of Policy Sets, Policies or Rules. The target determines if the element is to be considered during policy evaluation. It is used to compare an attribute with a constant value, such as "Country=France". The target's node in the policy tree is evaluated if the access request has a corresponding attribute-value pair. If not, the node is disregarded by the authorization service.
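The Combining algorithm, Condition, Effect, Rule and Target entries describe one evaluation model. The following Python sketch is added here as an illustration (it is not Axiomatics code) and evaluates a constructed two-rule Policy under a simplified deny-overrides algorithm that ignores XACML 3.0's extended Indeterminate variants; the attribute names, values and rules are constructed for the example.

```python
# Minimal XACML-style Rule evaluation with deny-overrides combining.
# Added illustration, not Axiomatics code; attribute names and rules are constructed.

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"


def evaluate_rule(rule, request):
    """Target: attribute/constant pairs that must match the request.
    Condition: Boolean callable over the request (optional)."""
    # Target not matched -> the Rule is disregarded (NotApplicable).
    for attr, value in rule.get("target", {}).items():
        if request.get(attr) != value:
            return NOT_APPLICABLE
    condition = rule.get("condition")
    if condition is not None:
        try:
            if not condition(request):
                return NOT_APPLICABLE   # Condition does not apply
        except Exception:               # e.g. missing attribute -> error
            return INDETERMINATE
    return rule["effect"]               # Condition satisfied -> Effect


def deny_overrides(results):
    """Simplified deny-overrides: one Deny wins over any number of Permits;
    an error outranks Permit; nothing applicable -> NotApplicable."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in results:
            return outcome
    return NOT_APPLICABLE


def evaluate_policy(policy, request):
    return deny_overrides([evaluate_rule(r, request) for r in policy["rules"]])


# Constructed Policy: clinicians may read; records must not leave France.
POLICY = {
    "rules": [
        {"effect": PERMIT, "target": {"action": "read"},
         "condition": lambda req: req["role"] in ("doctor", "nurse")},
        {"effect": DENY, "target": {"resource": "medical-record"},
         "condition": lambda req: req["country"] != "France"},
    ]
}

if __name__ == "__main__":
    req = {"role": "doctor", "action": "read",
           "resource": "medical-record", "country": "Germany"}
    print(evaluate_policy(POLICY, req))   # Deny: one Deny overrides the Permit
```

Omitting the `country` attribute makes the second Rule's Condition raise an error, so the Policy returns Indeterminate rather than silently permitting.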

X

XACML

The eXtensible Access Control Markup Language (XACML) is an OASIS standard for externalized, attribute-based access control. It defines a policy language for access control policies, a request/response protocol for clients querying a policy evaluation service for decisions, and a reference architecture for these components. The reference architecture describes the interaction between components such as the client Policy Enforcement Point (PEP), the Policy Decision Point (PDP) server and its Policy Information Point (PIP) connectors, which can gather attributes from external sources.