Skip to main content
Version: 7.3

Glossary

A

Access control

Control that determines whether an actor is allowed to perform a requested action on a given information asset in accordance with a policy or policy set.

Action

An operation on an information asset, a Resource.

Action attribute

Attribute defining the action which an actor (defined by subject attributes) wants to perform on an information asset (defined by resource attributes). Examples are read, write, delete or update, etc.

Advice

Supplementary information provided by a Policy or Policy Set and returned to the Policy Enforcement Point (PEP) together with the decision made by the Policy Decision Point (PDP). According to the XACML standard, it is not mandatory for the PEP to enforce an Advice. The PEP has the option of displaying Advice information about, for example, why access was denied, what a user can do to avoid a problem situation, etc.

ALFA

The Abbreviated Language for Authorization (ALFA) is a domain-specific language for XACML policies. It has a syntax similar to programming languages which makes it easy to work with for developers. It presents domain specific information such as attribute identifiers in compact form and can be compiled into XACML 3.0.

Applicable policy

The set of policies / policy sets that control whether a specific access request should be permitted or denied. Use the Target to define applicability.

ASM

Short form of Axiomatics Services Manager, the central point of service for Authorization Services and for management of the entire Axiomatics authorization infrastructure. .

Associativity of operator

If operators have the same precedence, the order of evaluation is determined by their associativity. Operators can be left associative or right associative (or non-associative for that matter). If ¤ is a right associated operator the expression x ¤ y ¤ z is the same as x ¤ (y ¤ z).

Attribute

Attributes define the actor (subject), the information asset to which the actor want access (resource), what the actor wants to do with it (action) and under what circumstances (environment). Attributes are used in Targets and Conditions.

Attribute Connector

An object in the Axiomatics Services Manager that represents an attribute source. An Attribute Connector contains information about the type of attribute source (LDAP, SQL), the XACML attributes it provides, and how to obtain them (query strings specific to the PIP type and instance).

Attribute Constraint

Constraints can be set on allowed values for attributes of type integer and string.

Attribute Dictionary

A set of attributes used to author policies. In Axiomatics Policy Server 6.0 and later, attributes can be organized in different namespaces.

Attribute Finder

An implementation using the Axiomatics Policy Server PIP API to implement an Attribute Connector to query a PIP for Attributes.

Attribute Source Credentials

The credentials required to connect to an Attribute Source. These typically include a URL and a username/password combination. Credential types can however vary depending on the configuration of the actual Attribute Connector.

Authorization decision

The result of a policy evaluation returned by the Authorization Service, such as a PDP, to the requesting client, a PEP. For a PDP, the decision returned should conform with the XACML standard - policies evaluate to "Permit", "Deny", "Indeterminate" or "NotApplicable", and (optionally) a set of obligations and advice.

Authorization Domain

Authorization Domains are aggregates of domain data (policies, attributes, attribute connectors, etc.) used to evaluate an access request and produce a permit or deny response.

Authorization Service

An ASM-managed system that provides authorization services.

B

Bag

A bag is an unordered collection of attribute values. Attributes can be multi-valued, so any attribute in the request may contain zero or more values, and values may even be duplicated.

C

Cache Configuration

A configuration object that allows the user to define how attributes are to be cached.

Combining algorithm

A combining algorithm determines how elements in a policy tree will be combined to render a final result. One set of combining algorithms are available for Policies and another for Rules. For example, "Deny-overrides" means that if even if multiple rules are evaluated to Permit, one single Deny still leads to a Deny decision.

Condition

Conditions are optional elements within Rules used to create a Boolean expression. A condition can compare attribute values with another, and use nested functions and attributes to create complex expressions. The Effect of a Rule is applicable if the condition evaluates to True. If the evaluation for some reason fails with an error, the result is Indeterminate. If the Condition does not apply, the result of the Rule evaluation is NotApplicable.

Condition Editor

The Condition Editor is part of the Policy Editor in the Axiomatics Services Manager. When you select a Policy Set, Policy, or Rule node in the user interface, a modal window with several sections is displayed. The Condition Editor is available as a subsection of the Target Editor.

D

Dashboard

The Dashboard is a visualization feature of ASM that displays graphical representations of key metrics for monitoring the authorization performance of the running ADS instances.

E

Effect

The decision (PERMIT or DENY) which is returned by a Rule evaluation if all its conditions are satisfied. The evaluation of the Policy in which the Rule resides may still lead to a different decision since Rules are combined using a Combining Algorithm.

Environment attribute

Attribute describing the context in which an actor (defined by subject attributes) requests access to a resource (defined by resource attributes). Examples are date or time of day, authentication method, or device (from where access was made), etc.

O

Obligation

Supplementary information provided by a Policy or Policy set and returned to the Policy Enforcement Point (PEP) together with the decision made by the Policy Decision Point (PDP). The XACML standard mandates that a Policy Enforcement Point (PEP) implement and perform whatever actions the Obligation prescribes. An Obligation may, for instance, require that an email notification be sent to a security administrator, that additional information be included in the audit log, or that the user be prompted to acknowledge and approve contractual constraints. A PEP that fails to carry out Obligation requirements is malfunctioning and represents a security flaw.

Obligations and Advice Dictionary

A set of Obligations and Advice used in conjunction with policies and rules for policy authoring.

Obligations and Advice Editor

The Obligations and Advice Editor is part of the Policy Editor in the Axiomatics Services Manager. When you select a Policy Set, Policy, or Rule node in the user interface, a modal window with several sections is displayed. The Obligations and Advice Editor can be accessed from the lower part of the window.

P

PDP

The Policy Decision Point (PDP) is a central part of the XACML Reference Architecture. It evaluates an applicable policy and renders an authorization decision.

PEP

The Policy Enforcement Point (PEP) is the component that enforces access control decisions made by a PDP. The PEP 1) intercepts access requests in the system it protects and 2) sends a corresponding XACML request to a PDP and then finally 3) takes actions to enforce the decision mandated by the PDP. Users of Axiomatics Policy Server (APS) have access to SDKs that simplify the implementation of PEPs in different environments.

PIP

A Policy Information Point (PIP) is an abstract component in the XACML Reference Architecture. It represents a provider of attribute values during a policy evaluation. In Axiomatics Policy Server (APS) Attribute Connectors simplify the implementation of PIPs.

Policy

A Policy is a top-level node in an XACML policy structure. A Policy node in the Policy Tree can be a child of a Policy Set or Policy Package. A Policy can have a Target, and it can have one or more Rules as children. The difference between a Policy and a Policy Set is that the Policy Set can contain multiple Policies and Policy Sets, whereas the Policy contains multiple Rules.

Policy Design Board

The Policy Design Board is a part of the Policy Editor. It is the large canvas-like space where policy trees can be designed and arranged. Nodes representing Policy Sets, Policies, References and Rules are placed on the board, allowing the user to take full advantage of XACML in a graphical interface.

Policy Editor

The Policy Editor is where policy packages can be created, edited, and exported.

Policy Package

A self-contained set of XACML policy files that you create in the Policy Editor of the Axiomatics Services Manager or the standalone Policy Administration Point (PAP) editor. Policy packages can be deployed to Authorization Domains in the Axiomatics Services Manager.

Policy Set

A Policy Set is a top-level node in an XACML policy structure. It can be a child of a Policy Package or another a Policy Set. A Policy Set can have a Target, and multiple Policies, Policy Sets, or Policy References as children. A Policy Set can contain multiple Policies and Policy Sets, but, unlike a Policy, the Policy Set cannot contain Rules.

Policy Tree

The graphical representation of a policy in the Policy Design Board. It has a Policy Set at the first level, followed by other Policy Sets, Policies, and Rules as children, or sub-level nodes. Nodes in the Policy Tree can be rearranged in the structure via drag-and-drop according to the connection rules for each type of node, respectively.

Predicate

A logical Boolean expression that evaluates to True or False.

R

Reference

A Reference node in a policy tree is a pointer to yet another policy. If the Target in the reference evaluates to true, the Authorization Service will continue its evaluation of the referenced policy.

Resource attribute

Attribute used to define the information asset to which the actor is requesting access. Examples of resource attributes are classification, category, owner, or department, etc.

Rule

Rules are children of Policies. A Rule has the Effect of Permit or Deny. A rule can have a Target, a Condition, or both. Note: According to the XACML standard, a Rule can also contain elements of type Obligation or Advice. If you have Obligations or Advice written in the stand-alone Java program included in the package or in the Policy Editor within the Axiomatics Services Manager, the Authorization Service properly includes them in authorization decisions.

S

SQL Attribute Connector

Fetches attributes from referenced tables and columns in a given SQL database. For the SQL Attribute Connector, full SQL select statements must be provided for attribute mapping in the SQL Attribute Connector. (A simpler method is to use the Table Attribute Connector, as this only requires that the source table, column, and key columns, and key attributes are configured.)

Subject attribute

Attribute defining the actor who is requesting access to an information asset (resource). Examples are user role, clearance level, department, or citizenship, etc.

T

Table Attribute Connector

Fetches attributes from referenced tables and columns in a given SQL database. The Table Attribute Connector is more limited but much simpler to configure than the SQL Attribute Connector, as only the source table, column and key columns and key attributes have to be configured, whereas full SQL select statements must be provided for attribute mapping in the SQL Attribute Connector.

Target

A Target defines the applicability of Policy Sets, Policies or Rules. The target determines if the element is to be considered during policy evaluation. It is used to compare an attribute with a constant value, such as "Country=France". The target's node in the policy tree is evaluated if the access request has a corresponding attribute-value pair. If not, the node is disregarded by the authorization service.

Target Editor

The Target Editor is part of the Policy Editor in the Axiomatics Services Manager. When you select a Policy Set, Policy, or Rule node in the user interface, a modal window with several sections is displayed. The Target Editor is the first section below the description box in the window.

X

XACML

The eXtensible Access Control Markup Language (XACML) is an OASIS standard for externalized and attribute based access control maintained. It defines a policy language for access control policies, a request/response protocol for clients querying a policy evaluation service for policy decisions and finally a reference architecture for these components. The reference architecture describes the interaction between components such as the client Policy Enforcement Point (PEP), the Policy Decision Point (PDP) server and its Policy Information Point (PIP) connectors which can gather attributes from external sources.