Enforcement the XML way

GCN Insider | Trends & technologies that affect the way government does IT

Policy management is one thing, but enforcing policy is another issue altogether. You may have policies in place describing which personnel can access which applications, or even which parts of a building.

But how do you enforce those privileges without overwhelming employees with a plethora of passwords, or overloading administrators with an orgy of authentication systems? At a recent Federal CIO Council XML Community of Practice meeting, Anne Anderson, a senior staff engineer for Sun Microsystems Inc. of Santa Clara, Calif., introduced Access Control Markup Language, or XACML (pronounced ex-ax-i-mal).

Although still in its commercial infancy, Extensible Markup Language-based XACML promises a way of enforcing policies across different platforms. It doesn't care what type of resources you're trying to control (it might be a locked door or a database), Anderson said.

XACML has two major components, a Policy Enforcement Point and a Policy Decision Point. The PEP intercepts requests for documents or services and sends a request to the PDP, which consults a set of rules to determine if the requester has the right to access the item. Rules can be made up of a combination of conditions; XACML has a wide range of regular expressions, comparisons and functions, and it can be extended to include other capabilities. Other technologies cover the same ground (Microsoft Active Directory being the 800-pound gorilla), though most don't have the same depth of rule-making. They also base access on individuals, not on specific chains of rules, Anderson explained.
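To make the PEP/PDP split concrete, here is an added example (not code from the article, from Sun's implementation, or from the OASIS specification): a toy PDP that evaluates a constructed, simplified XACML-style policy for the locked-door case, and a PEP that only opens the door on an explicit Permit. The element and function identifiers follow XACML 2.0 naming, but the policy omits namespaces and targets and is not schema-valid, and the evaluator treats a missing attribute as a non-match rather than XACML's Indeterminate result.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy: engineers may open server-room doors; everything else
# falls through to an unconditional Deny rule (first-applicable combining).
POLICY_XML = """
<Policy PolicyId="building-access" RuleCombiningAlgId="first-applicable">
  <Rule RuleId="engineers-server-room" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue>engineering</AttributeValue>
          <SubjectAttributeDesignator AttributeId="department"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue>^door:server-room-[0-9]+$</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource-id"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
"""

FUNCTIONS = {  # the subset of XACML functions this toy PDP understands
    "urn:oasis:names:tc:xacml:1.0:function:and": lambda *a: all(a),
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match": lambda p, s: re.search(p, s) is not None,
}

def evaluate(node, request):  # evaluate one expression node of a Condition
    if node.tag == "AttributeValue":
        return node.text
    if node.tag.endswith("AttributeDesignator"):  # Subject... or Resource...
        section = "subject" if node.tag.startswith("Subject") else "resource"
        return request[section].get(node.get("AttributeId"))
    args = [evaluate(child, request) for child in node]
    if any(a is None for a in args):  # missing attribute: fail closed, rule does not match
        return False
    return FUNCTIONS[node.get("FunctionId")](*args)

def pdp_decide(policy_xml, request):  # first-applicable rule combining
    for rule in ET.fromstring(policy_xml.strip()).findall("Rule"):
        cond = rule.find("Condition")
        if cond is None or evaluate(cond[0], request) is True:
            return rule.get("Effect")
    return "NotApplicable"

def pep_allows(policy_xml, subject, resource):  # deny-biased PEP: only Permit opens the door
    return pdp_decide(policy_xml, {"subject": subject, "resource": resource}) == "Permit"
```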

Overseen by the Organization for the Advancement of Structured Information Standards, XACML developers are working toward Version 3 of the standard. Sun has posted an open-source implementation (sunxacml.sourceforge.net). Government users include the Office of the Secretary of Defense's Personnel and Readiness office, the Veterans Health Administration and the Defense Information Systems Agency.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
