Skip to main content
Version: 1.1

Glossary

This is a list of terms used in the Contextual Authorization Query (CAQ) solution with accompanying definitions.

TermDescription
ALFAThe Abbreviated Language for Authorization (ALFA) is a domain-specific language for XACML policies. It has a syntax similar to programming languages which makes it easy for developers to work with. It presents domain specific information such as attribute identifiers in compact form and can be compiled into XACML 3.0.
ADSAccess Decision Service (ADS) is the equivalent of a PDP (Policy Decision Point) service in the Axiomatics solution set. that provides externalized dynamic attribute-based authorization decisions to Policy Enforcement Points (PEPs). The PEPs can obtain Permit/Deny decisions on access requests, using policies authored according to industry standards.
Attribute ConnectorAn object in the CAQ that represents an attribute source. Typically, certain attributes of a policy need to get their value from an external source such as a database or LDAP directory. An attribute connector contains information about the type of attribute source (LDAP, SQL), the XACML attributes it provides, and how to obtain them (query strings specific to the PIP type and instance).
Authorization DecisionThe result of a policy evaluation returned by the authorization service, such as ADS, to the requesting client. For ADS the decision returned conforms with the XACML standard - policies evaluate to Permit, Deny, Indeterminate, or NotApplicable, and (optionally) a set of obligations and advice.
Authorization DomainThe authorization domain is a domain containing XACML policies and configurations (such as attribute connectors and/or cache configurations) to be used by the authorization service. The attribute connectors contain information on how to access attribute values from attribute sources. A separate authorization domain is needed, if the policies or attribute connectors are different.
Authorization Domain ConfigurationThe authorization domain configuration file contains a set of XACML policies and configurations (such as attribute connectors and/or cache configurations) to be used by the CAQ. It is deployed by setting a file reference to it in the application configuration file.
ADMAuthorization Domain Manager (ADM) is a content-management system, tailored for authorization domains. ADM provides a service that stores and manages domains in a secure way, providing fine-grained data access control and a standardized API for serving authorization domains to authorization engines in production.
ASMAxiomatics Services Manager (ASM) is the main interface and central point of service for Authorization Services that allows you to manage the entire Axiomatics authorization infrastructure.
PDPA Policy Decision Point (PDP) is a central part of the XACML Reference Architecture. It evaluates an applicable policy and renders an authorization decision. In the Axiomatics solution the PDP solution is Access Decision Service (ADS).
PEPThe Policy Enforcement Point (PEP) is the component that enforces access control decisions made by a PDP. The PEP
1) intercepts access requests in the system it protects and
2) sends a corresponding XACML request to a PDP and then finally
3) takes actions to enforce the decision mandated by the PDP.
PolicyA Policy is a top-level node in a XACML policy structure. A Policy node in the Policy Tree can be a child of a Policy Set or Policy Package. A Policy can have a Target and it can have one or more Rules as children. The difference between a Policy and a Policy Set is that the Policy Set can contain multiple Policies and Policy Sets, whereas the Policy contains multiple Rules.
XACMLThe eXtensible Access Control Markup Language (XACML) is an OASIS standard for externalized and attribute-based access control. It defines a policy language for access control policies, a request/response protocol for clients querying a policy evaluation service for policy decisions and finally a reference architecture for these components.