Version: 7.1

Attribute-based access control

At the core, all Axiomatics Authorization Services use XACML v 3.0, the eXtensible Access Control Markup Language, which is the standard for dynamic authorization management. Although the Axiomatics graphical user interface hides the complexities of the XACML language, policies implemented and maintained using the Axiomatics Policy Editor conform with the standard.

The XACML policy-based approach to authorization is often called Attribute-based Access Control (ABAC) since it achieves its flexibility through the use of attributes. In the Axiomatics Services Manager you use the Attribute Dictionary to define attributes needed to express your authorization policies. The attributes are used in policies and rules to determine:

  • who (Subject attribute) should be permitted or denied

  • to do something (Action attribute)

  • with an information asset (Resource attribute)

  • under given circumstances (Environment attribute)

The XACML standard is flexible and extensible. In principle you can extend it with your own custom attribute category definitions, but in practice this is rarely needed. You therefore typically place the attributes you create in one of the above categories in the Attribute Dictionary.

Expressiveness achieved through policy combinations

When business rules are documented, the free form of a natural language provides endless combinatorial possibilities. To transfer these rules into well-written authorization policies in the structured language of the Policy Editor, you have to capture the logical building blocks that, combined, constitute an unambiguous representation of the original business rule. The XACML structures available to you are Policy Set, Policy and Rule.

In addition, you can insert a Reference in a policy tree to point to another policy. This is an efficient method to reuse policy definitions in multiple contexts.

A Combining algorithm provides XACML with the ability to reflect the expressiveness of a natural language. You can place multiple Rules inside a Policy and use these algorithms to decide how their respective Effects will be combined into one single unambiguous Effect on the level of the Policy.

Since multiple Policies can be combined into Policy Sets using Combining algorithms as well, the Policy Editor allows you to create expressions that reflect the openness of a natural language.

Defining policy applicability and scope

In large installations, for instance if your authorization service responds to requests from many different applications, the number of policies may become considerable and keep growing as new applications are added. Axiomatics Policy Server lets you divide your Attribute Dictionary into multiple namespaces to simplify management of attribute scope.

Your primary method to limit the scope of applicability for individual policies is to use a Target. During policy evaluation, the Authorization Service only considers a XACML policy element if the request matches the target of that element.

Conditions to consider relations

Targets can only compare an attribute value of a request with a static value (for example Department="HR"). To compare one attribute value with the value of another attribute you need to use a Condition.

Example: A policy mandates that users can read documents that belong to their own departments only. You then want the Subject attribute "department" to match the Resource attribute "department". To achieve this, you place the corresponding expression in the Condition of your Rule.
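The following is an added illustration, not code from Axiomatics or the Policy Server product. It is a deliberately small evaluator that models the building blocks discussed in the sections on combining algorithms and on Targets versus Conditions: the four attribute categories, a Target that only matches request attributes against static values, a Condition that compares the Subject "department" attribute with the Resource "department" attribute, and the deny-overrides, permit-overrides and first-applicable combining algorithms that reduce the Effects of several Rules to a single Effect at the Policy level. The request shape, the attribute ids (department, action-id, type, network) and the second "external network" rule are constructed assumptions for the example; real XACML is XML and also has an Indeterminate decision, which is left out here.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Decisions (XACML also defines Indeterminate for evaluation errors; omitted here)
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request groups attributes by the four standard categories the text lists:
# request[category][attribute_id] -> value   (constructed shape, not the XACML XML encoding)
Request = Dict[str, Dict[str, str]]
# A Target maps (category, attribute_id) -> required static value.
Target = Dict[Tuple[str, str], str]


def target_matches(target: Target, request: Request) -> bool:
    """A Target only compares request attributes with static values, e.g. department == "HR".
    An empty target matches every request."""
    return all(request.get(cat, {}).get(attr) == value
               for (cat, attr), value in target.items())


# Combining algorithms: reduce several Effects to one Effect at the Policy (or Policy Set) level.
def deny_overrides(effects: Sequence[str]) -> str:
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE


def permit_overrides(effects: Sequence[str]) -> str:
    if PERMIT in effects:
        return PERMIT
    return DENY if DENY in effects else NOT_APPLICABLE


def first_applicable(effects: Sequence[str]) -> str:
    """Order-sensitive: the first rule whose target and condition hold decides."""
    return next((e for e in effects if e != NOT_APPLICABLE), NOT_APPLICABLE)


@dataclass
class Rule:
    rule_id: str
    effect: str                      # Permit or Deny
    target: Target = field(default_factory=dict)
    # A Condition is free-form: it may compare one request attribute with another.
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, request: Request) -> str:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE
        if self.condition is not None and not self.condition(request):
            return NOT_APPLICABLE
        return self.effect


@dataclass
class Policy:
    """A Policy combines Rules; a Policy Set is the same structure whose children are Policies."""
    policy_id: str
    combining: Callable[[Sequence[str]], str]
    children: List                   # Rules (or Policies, for a Policy Set)
    target: Target = field(default_factory=dict)

    def evaluate(self, request: Request) -> str:
        if not target_matches(self.target, request):
            return NOT_APPLICABLE    # out of scope: children are never consulted
        return self.combining([c.evaluate(request) for c in self.children])


def same_department(request: Request) -> bool:
    """The text's Condition: Subject "department" must equal Resource "department"."""
    subject_dept = request.get("subject", {}).get("department")
    return subject_dept is not None and subject_dept == request.get("resource", {}).get("department")


def build_document_policy(combining: Callable[[Sequence[str]], str] = deny_overrides) -> Policy:
    """Users may read documents of their own department; a second (constructed) rule denies
    any access that the Environment reports as coming from an external network."""
    read_own_department = Rule("read-own-department", PERMIT, condition=same_department)
    deny_external = Rule("deny-external-network", DENY,
                         target={("environment", "network"): "external"})
    return Policy("document-access", combining, [read_own_department, deny_external],
                  target={("action", "action-id"): "read", ("resource", "type"): "document"})


def decide(subject_dept: str, resource_dept: str, action: str = "read",
           network: str = "internal", combining=deny_overrides) -> str:
    """Build a constructed request and evaluate the document policy against it."""
    request: Request = {
        "subject": {"department": subject_dept},
        "action": {"action-id": action},
        "resource": {"type": "document", "department": resource_dept},
        "environment": {"network": network},
    }
    return build_document_policy(combining).evaluate(request)


if __name__ == "__main__":
    print(decide("HR", "HR"))                                           # Permit
    print(decide("HR", "Finance"))                                      # NotApplicable
    print(decide("HR", "HR", network="external"))                       # Deny (deny-overrides)
    print(decide("HR", "HR", network="external", combining=permit_overrides))  # Permit
    print(decide("HR", "HR", action="write"))                           # NotApplicable
```

Two points worth noticing when running it: the same two Rules yield Deny under deny-overrides but Permit under permit-overrides, which is exactly why the choice of Combining algorithm is part of the policy's meaning and not a detail; and a request that matches no Rule returns NotApplicable rather than Deny, so the enforcement point in front of the service must be deny-biased (treat anything other than Permit as a denial) for the policy to be safe by default.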