|
|
XML Access Control Markup Language (XACML) provides XML documents with support for access control lists on the document and elements. Access control can be as fine-grained as a single element in an XML document. Access control supports four types of actions: create, read, write, and delete. It is organized around triplets of object, subject, and action.
An XACML object represents a single element or a set of elements in a XML document. The elements are specified through an XPATH expression. Let us look at a typical bank transaction document:
<?xml version="1.0"?> <transaction> <name>Sherry Ann Rattan</name> <zipcode>06002</zipcode>> <action>debit</action> <merchant>Porsche</merchant> <description>2003 Boxster</description> <creditcardnumber>2222 111 232 23222</creditcardnumber> <expiration>19770216</expiration> <amount>98222.22</amount> </transaction>
Let's say that the Web service has the ability to read the amount but does not have the ability to write to it. We would simply define the appropriate access control:
<?xml version="1.0"?> <policy> <xacl> <object href="amount"/> <rule> <acl> <subject> <uid>WebServiceOne</uid> </subject> <action permission="grant"/> <action permission="deny"/> </acl> </rule> </xacl> </policy>
This specification is controlled by the OASIS Technical Committee and may undergo several changes before it becomes a standard. The ability to apply field-level access-control lists coupled with encryption and other security options will make security integration between disparate Web services a lot easier. XACML will allow this to happen in a standards-based, open manner.
|
|