XML Access Control Markup Language (XACML) adds access control lists to XML documents, applicable to the document as a whole or to individual elements. Access control can be as fine-grained as a single element in an XML document. Four types of actions are supported: create, read, write, and delete. Each rule is organized around a triplet of object, subject, and action.

An XACML object represents a single element or a set of elements in an XML document. The elements are selected by an XPath expression. Let us look at a typical bank transaction document:

<?xml version="1.0"?>
<transaction>
 <name>Sherry Ann Rattan</name>
 <zipcode>06002</zipcode>
 <action>debit</action>
 <merchant>Porsche</merchant>
 <description>2003 Boxster</description>
 <creditcardnumber>2222 111 232 23222</creditcardnumber>
 <expiration>19770216</expiration>
 <amount>98222.22</amount>
</transaction>

Let's say that the Web service may read the amount but may not write to it. We would define the corresponding access control, granting the read action and denying the write action for that subject:

<?xml version="1.0"?>
<policy>
  <xacl>
    <!-- object: the element(s) the rule governs, selected by XPath -->
    <object href="amount"/>
    <rule>
      <acl>
        <!-- subject: the identity the rule applies to -->
        <subject>
          <uid>WebServiceOne</uid>
        </subject>
        <!-- action: read is granted, write is denied for this subject -->
        <action name="read" permission="grant"/>
        <action name="write" permission="deny"/>
      </acl>
    </rule>
  </xacl>
</policy>
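To show how such a policy is enforced against the transaction document, here is an added example evaluator (the editor's code, not part of the book or of any XACML or XACL implementation). It assumes the object href is an XPath expression relative to the document root, that each action element carries a name attribute, and that access is denied unless a matching rule grants it.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the transaction and policy shown above.
TRANSACTION = """<transaction>
  <name>Sherry Ann Rattan</name>
  <amount>98222.22</amount>
</transaction>"""

POLICY = """<policy>
  <xacl>
    <object href="amount"/>
    <rule><acl>
      <subject><uid>WebServiceOne</uid></subject>
      <action name="read" permission="grant"/>
      <action name="write" permission="deny"/>
    </acl></rule>
  </xacl>
</policy>"""


def load_policy(policy_xml):
    """Flatten the policy into (href, uid, action, permission) tuples."""
    rules = []
    for xacl in ET.fromstring(policy_xml).iter("xacl"):
        href = xacl.find("object").get("href")
        for acl in xacl.iter("acl"):
            uids = [u.text for u in acl.iter("uid")]
            for act in acl.findall("action"):
                for uid in uids:
                    rules.append((href, uid, act.get("name"), act.get("permission")))
    return rules


def decide(doc_xml, policy_xml, uid, action, target_path):
    """Deny by default; grant only if a rule covering every target element
    names this subject and action with permission="grant" and no covering
    rule denies it (an explicit deny always wins)."""
    root = ET.fromstring(doc_xml)
    targets = root.findall(target_path)
    if not targets:
        return "deny"  # nothing to access: no element matched
    verdict = "deny"
    for href, r_uid, r_action, perm in load_policy(policy_xml):
        if r_uid != uid or r_action != action:
            continue
        covered = set(root.findall(href))  # elements this rule governs
        if all(t in covered for t in targets):
            if perm == "deny":
                return "deny"
            verdict = "grant"
    return verdict
```

Note that a subject or element not mentioned in any rule falls through to deny, which is the safe default for field-level policies.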

This specification is controlled by the OASIS Technical Committee and may undergo several changes before it becomes a standard. The ability to apply field-level access-control lists coupled with encryption and other security options will make security integration between disparate Web services a lot easier. XACML will allow this to happen in a standards-based, open manner.