While XACML has been in use by many organizations for the past few years, official standardization brings more organizations to the table, especially those in the government vertical.
Erik Rissanen, editor of the XACML 3.0 standard (and Axiomatics CTO), wrote on his blog, "XACML 3.0 brings increased security to access control, while offering greater flexibility, in particular with regards to how it can be applied to an enterprise-wide authorization solution." His expectation is that XACML will take a visible role in identity and access management discussions going forward.
The official standardization is another entry in the authorization discussion, which is rising to the surface in the interconnected maze of cloud computing and proliferation of client types.
Who knows how the discussion might end, but software-as-a-service vendors are taking note of authorization as they deal with more mobile devices and scout ways to restrict data or functions based on the user or owner of the device. There are integration use cases involving authorization controls added to existing authentication infrastructures, and systems integrators such as Accenture, Deloitte and KPMG are paying more attention to authorization.
OASIS describes XACML as both a policy language and an access control decision request/response language. That is the core of XACML that was approved with 3.0.
In fact, the RSA Conference next month will host a demonstration portal highlighting XACML and its emerging REST and JSON profiles.
"There is a whole community of developers and practitioners that prefer these lighter weight protocols," said Gerry Gebel, president of Axiomatics Americas. "Today without them, XACML is XML-based and SOAP-based. These new profiles open up the standard for use in a lot more environments. A lot more locations."
Now getting down into the geek of the spec, the 3.0 version of XACML has new profiles, including delegation, which is used to support decentralized administration of access policies. Delegation includes new rules for access control and administration control. The 3.0 version also includes new attribute functions and datatypes that use XPath, obligation parameters that require some action (e.g. write to a log) in conjunction with an access decision, and performance enhancements that reduce chatter between decision and enforcement points.
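To make the policy-language and decision/response halves of the spec concrete, here is an added, constructed example (not code from OASIS, Axiomatics or this article): a toy Python policy decision point that evaluates a small XACML 3.0 policy and returns an obligation only alongside the decision it is attached to. The namespace, attribute-category, function and combining-algorithm URNs are the standard ones; the policy id, the role attribute id and the audit-log obligation id are made up for the example. It implements only string-equal matches and the deny-overrides algorithm, and leaves out conditions, the delegation profile and the REST/JSON profiles.

```python
"""Toy XACML 3.0 policy decision point (constructed example, not a conforming PDP).
Covers Policy/Rule/Target/AnyOf/AllOf/Match with string-equal, the deny-overrides
rule-combining algorithm, and ObligationExpressions filtered by FulfillOn."""
import xml.etree.ElementTree as ET

# Standard XACML identifiers (3.0 core namespace plus URNs it defines or inherits).
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Made-up identifiers, used only in this example.
ROLE_ATTR = "urn:example:attr:role"
AUDIT_OBLIGATION = "urn:example:obligation:audit-log"


def match_xml(value, category, attr_id):
    """Build one <Match>: string-equal between a literal and a request attribute."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Constructed policy: clinicians may read; nobody may delete; every Permit must be audited.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:policy:records"
        RuleCombiningAlgId="{DENY_OVERRIDES}" Version="1.0">
  <Target/>
  <Rule RuleId="clinicians-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      {match_xml('clinician', SUBJECT, ROLE_ATTR)}
      {match_xml('read', ACTION, ACTION_ID)}
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="no-deletes" Effect="Deny">
    <Target><AnyOf><AllOf>{match_xml('delete', ACTION, ACTION_ID)}</AllOf></AnyOf></Target>
  </Rule>
  <ObligationExpressions>
    <ObligationExpression ObligationId="{AUDIT_OBLIGATION}" FulfillOn="Permit"/>
  </ObligationExpressions>
</Policy>"""


def match_holds(match, req):
    """A Match is true if string-equal holds for any value in the designated attribute bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find("x:AttributeValue", NS).text
    d = match.find("x:AttributeDesignator", NS)
    bag = req.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return any(v == literal for v in bag)


def target_matches(target, req):
    """Target semantics: every AnyOf needs one AllOf whose Matches all hold.
    A missing or empty Target matches every request."""
    if target is None:
        return True
    for any_of in target.findall("x:AnyOf", NS):
        if not any(all(match_holds(m, req) for m in all_of.findall("x:Match", NS))
                   for all_of in any_of.findall("x:AllOf", NS)):
            return False
    return True


def evaluate(policy_xml, req):
    """Return (decision, [obligation ids]) for a request shaped {category: {attr_id: [values]}}."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not target_matches(policy.find("x:Target", NS), req):
        return "NotApplicable", []
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS)
               if target_matches(r.find("x:Target", NS), req)]
    # deny-overrides: one applicable Deny wins; otherwise Permit if any rule permits.
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    # Obligations travel with the decision only when FulfillOn matches it; the enforcement
    # point must discharge them (here, write an audit record) before acting on the decision.
    obligations = [o.get("ObligationId")
                   for o in policy.findall("x:ObligationExpressions/x:ObligationExpression", NS)
                   if o.get("FulfillOn") == decision]
    return decision, obligations


def request(role, action, resource):
    """Constructed request context with single-value attribute bags."""
    return {SUBJECT: {ROLE_ATTR: [role]}, ACTION: {ACTION_ID: [action]},
            RESOURCE: {RESOURCE_ID: [resource]}}


if __name__ == "__main__":
    for args in [("clinician", "read", "chart-42"), ("clinician", "delete", "chart-42"),
                 ("visitor", "read", "chart-42")]:
        print(args, "->", evaluate(POLICY_XML, request(*args)))
```

The point to take from the last few lines of `evaluate` is the one the paragraph above makes about obligations: the enforcement point does not simply receive "Permit", it receives "Permit, and you must write the audit record", and a Deny from any applicable rule carries no audit obligation because `FulfillOn="Permit"` does not match.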