Enforcement the XML way

GCN Insider | Trends & technologies that affect the way government does IT

• By Joab Jackson
• Aug 13, 2006

Policy management is one thing, but enforcing policy is another issue altogether. You may have policies in place describing which personnel can access which applications, or even which parts of a building.

But how do you enforce those privileges without overwhelming employees with a plethora of passwords, or overloading administrators with an orgy of authentication systems? At a recent Federal CIO Council XML Community of Practice meeting, Anne Anderson, a senior staff engineer for Sun Microsystems Inc. of Santa Clara, Calif., introduced Access Control Markup Language, or XACML (pronounced ex-ax-i-mal).

Although still in its commercial infancy, Extensible Markup Language-based XACML promises a way of enforcing policies across different platforms. It doesn't care what type of resources you're trying to control'it might be a locked door or a database'Anderson said.

XACML has two major components, a Policy Enforcement Point and Policy Decision Point. The PEP intercepts requests for documents or services and sends a request to the PDP, which consults a set of rules to determine if the requester has the right to access the item. Rules can be made up of a combination of conditions'XACML has a wide range of regular expressions, comparisons and functions, and it can be extended to include other capabilities. Other technologies cover the same ground'Microsoft Active Directory being the 800-pound gorilla'though most don't have the same depth of rule-making. They also base access on individuals, not on specific chains of rules, Anderson explained.

Overseen by the Organization for the Advancement of Structured Information Standards, XACML developers are working toward Version 3 of the standard. Sun has posted an open-source implementation (sunxacml.sourceforge.net). Government users include the Office of the Secretary of Defense's Personnel and Readiness office, the Veterans Health Administration and the Defense Information Systems Agency.