Enforcement the XML way
GCN Insider | Trends & technologies that affect the way government does IT
- By Joab Jackson
- Aug 13, 2006
Policy management is one thing, but enforcing policy is another issue altogether. You may have policies in place describing which personnel can access which applications, or even which parts of a building.
But how do you enforce those privileges without overwhelming employees with a plethora of passwords, or overloading administrators with an orgy of authentication systems? At a recent Federal CIO Council XML Community of Practice meeting, Anne Anderson, a senior staff engineer for Sun Microsystems Inc. of Santa Clara, Calif., introduced the eXtensible Access Control Markup Language, or XACML (pronounced ex-ax-i-mal).
Although still in its commercial infancy, XACML, which is built on the Extensible Markup Language, promises a way of enforcing policies across different platforms. It doesn't care what type of resource you're trying to control, Anderson said; it might be a locked door or a database.
XACML has two major components, a Policy Enforcement Point and a Policy Decision Point. The PEP intercepts requests for documents or services and sends a decision request to the PDP, which consults a set of rules to determine whether the requester has the right to access the item, and the PEP then enforces the answer it gets back (Permit or Deny). Rules can be made up of a combination of conditions; XACML has a wide range of regular-expression, comparison and other functions, and it can be extended to include other capabilities. Other technologies cover the same ground, Microsoft Active Directory being the 800-pound gorilla, though most don't have the same depth of rule-making. They also base access on individuals, not on specific chains of rules, Anderson explained.
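To make the PEP/PDP split concrete, here is a toy decision point written for this article. It is an added illustration, not code from the page or from Sun's implementation, and it handles only a small subset of XACML 2.0 syntax: Target matching on subject and resource attributes, a Condition built from Apply elements, three standard functions (string-equal, string-regexp-match, not) and the deny-overrides combining algorithm. The policy, the attribute identifiers chosen for role and resource, and the requests are all constructed for the example; bags, one-and-only functions and the Indeterminate decision are deliberately omitted.

```python
"""Toy PEP/PDP over a small subset of XACML 2.0 syntax. Added illustration,
not the article's or Sun's code; policy, attribute names and requests are
constructed. Simplifications: no bags/one-and-only, a missing attribute
evaluates to no-match instead of Indeterminate, only three functions."""
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"            # assumed attribute id
RESOURCE = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# The handful of standard XACML functions this toy PDP understands.
FUNCTIONS = {
    FN + "string-equal": lambda a, b: a == b,
    FN + "string-regexp-match": lambda pattern, s: re.search(pattern, s) is not None,
    FN + "not": lambda a: not a,
}

# Constructed policy: staff may pass any door, sysadmins may do anything,
# but the server-room door is denied to anyone who is not a sysadmin.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="building-access"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="staff-any-door" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{STRING}">staff</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/>
      </SubjectMatch></Subject></Subjects>
      <Resources><Resource><ResourceMatch MatchId="{FN}string-regexp-match">
        <AttributeValue DataType="{STRING}">^door:</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE}" DataType="{STRING}"/>
      </ResourceMatch></Resource></Resources>
    </Target>
  </Rule>
  <Rule RuleId="sysadmin-everything" Effect="Permit">
    <Target>
      <Subjects><Subject><SubjectMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{STRING}">sysadmin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/>
      </SubjectMatch></Subject></Subjects>
    </Target>
  </Rule>
  <Rule RuleId="server-room-sysadmin-only" Effect="Deny">
    <Target>
      <Resources><Resource><ResourceMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{STRING}">door:server-room</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE}" DataType="{STRING}"/>
      </ResourceMatch></Resource></Resources>
    </Target>
    <Condition FunctionId="{FN}not">
      <Apply FunctionId="{FN}string-equal">
        <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/>
        <AttributeValue DataType="{STRING}">sysadmin</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


def q(tag):
    return "{%s}%s" % (XACML, tag)


def evaluate(expr, request):
    """Evaluate an AttributeValue, *AttributeDesignator, Apply or Condition."""
    if expr.tag == q("AttributeValue"):
        return expr.text.strip()
    if expr.tag.endswith("AttributeDesignator"):
        return request.get(expr.get("AttributeId"))  # None when absent
    fn = FUNCTIONS[expr.get("FunctionId")]           # Apply / Condition (ApplyType)
    args = [evaluate(child, request) for child in expr]
    return False if None in args else fn(*args)


def evaluate_match(match, request):
    fn = FUNCTIONS[match.get("MatchId")]
    value, designator = list(match)                  # literal first, designator second
    actual = request.get(designator.get("AttributeId"))
    return actual is not None and fn(value.text.strip(), actual)


def target_matches(target, request):
    """Absent or empty Target matches everything. Each present group (Subjects,
    Resources, ...) is a disjunction of members; a member is a conjunction of
    its *Match elements."""
    if target is None:
        return True
    for group in target:
        members = list(group)
        if members and not any(all(evaluate_match(m, request) for m in member)
                               for member in members):
            return False
    return True


def evaluate_rule(rule, request):
    """A rule yields its Effect when target and condition hold, else NotApplicable."""
    if not target_matches(rule.find(q("Target")), request):
        return "NotApplicable"
    condition = rule.find(q("Condition"))
    if condition is not None and evaluate(condition, request) is not True:
        return "NotApplicable"
    return rule.get("Effect")


def decide(policy_xml, request):
    """PDP: evaluate every rule and combine with deny-overrides."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    results = {evaluate_rule(rule, request) for rule in policy.findall(q("Rule"))}
    if "Deny" in results:
        return "Deny"
    return "Permit" if "Permit" in results else "NotApplicable"


def pep_allows(role, resource):
    """PEP: build the decision request, ask the PDP, and treat anything other
    than an explicit Permit (including NotApplicable) as a refusal."""
    return decide(POLICY_XML, {ROLE: role, RESOURCE: resource}) == "Permit"


if __name__ == "__main__":
    for role, res in [("staff", "door:lobby"), ("staff", "door:server-room"),
                      ("sysadmin", "door:server-room"), ("staff", "db:personnel")]:
        print(role, res, decide(POLICY_XML, {ROLE: role, RESOURCE: res}))
```

The point worth noticing is in `pep_allows`: a staff member asking for `db:personnel` gets NotApplicable from the PDP because no rule's target covers a database resource, and a deny-biased PEP turns that into a refusal. The same policy, unchanged, governs both the door and the database, which is the platform-neutrality Anderson describes above.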
Overseen by the Organization for the Advancement of Structured Information Standards, XACML developers are working toward Version 3 of the standard. Sun has posted an open-source implementation (sunxacml.sourceforge.net). Government users include the Office of the Secretary of Defense's Personnel and Readiness office, the Veterans Health Administration and the Defense Information Systems Agency.
About the Author
Joab Jackson is the senior technology editor for Government Computer News.