New XACML will control access to Web services

A new open-standard language could help application developers define access policies for Web services and related documents.

The Organization for the Advancement of Structured Information Standards of Billerica, Mass., has approved the Extensible Access Control Markup Language (XACML) specification, posted online at

All previous policy languages were in proprietary formats, said Carlisle Adams, co-chairman of the OASIS XACML Technical Committee. XACML will be transportable between systems.

Adams, principal security architect for Entrust Inc. of Addison, Texas, said the committee started working on the new language specification nearly two years ago.

XACML cooperates with another recently approved OASIS standard, Security Assertion Markup Language, to create an authentication architecture for Web services, Adams said.

SAML defines a syntax for assertions, such as a user's job title or security clearance. A rules engine with policy statements written in XAML could compare the SAML assertions with policy to decide whether the user should see certain sensitive information.

Many agencies would find it helpful if the rules of the Health Insurance Portability and Accountability Act of 1996 were translated into XACML, Adams said.

'Because OASIS has now standardized XACML and SAML, a good part of the authentication architecture is in place,' Adams said.

Later this year, the XACML technical panel will consider defining Lightweight Directory Access Protocol attributes for XACML, Adams said.

Sun Microsystems Inc. has developed an open-source implementation of XACML, which Adams said would give developers access to fully compatible code. The Sun implementation appears at

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.