XML Access Control Markup Language (XACML) provides XML documents with support for access control lists on the document and elements. Access control can be as fine-grained as a single element in an XML document. Access control supports four types of actions: create, read, write, and delete. It is organized around triplets of object, subject, and action.

An XACML object represents a single element or a set of elements in an XML document. The elements are specified through an XPath expression. Let us look at a typical bank transaction document:

<?xml version="1.0"?>
<transaction> <!-- root element assumed; the original excerpt omits it -->
 <name>Sherry Ann Rattan</name>
 <description>2003 Boxster</description>
 <creditcardnumber>2222 111 232 23222</creditcardnumber>
 <amount>52000</amount> <!-- constructed value; the access-control example below refers to this element -->
</transaction>

Let's say that the Web service is allowed to read the amount but is not allowed to write to it. We would simply define the appropriate access control:

<?xml version="1.0"?>
<acl> <!-- root element assumed; the original excerpt omits it -->
 <object href="amount"/>
 <action name="read" permission="grant"/> <!-- action names assumed from the text: read granted, write denied -->
 <action name="write" permission="deny"/>
</acl>
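To make the object/subject/action model concrete, here is an added example (not XACML itself, nor code from the page) that evaluates rules written in the page's simplified grant/deny notation against the transaction document: objects are XPath expressions, decisions are deny-overrides with default deny, and a request covering several elements is permitted only if every element is permitted. The subject names, the `<transaction>` root and the `<amount>` value are assumptions.

```python
"""Toy evaluator for the object/subject/action access-control model.
Not real XACML: rules use the page's simplified grant/deny notation."""
import xml.etree.ElementTree as ET

# Constructed sample transaction document; the root element and the
# <amount> value are assumed (the page's excerpt omits them).
TRANSACTION_XML = """<?xml version="1.0"?>
<transaction>
 <name>Sherry Ann Rattan</name>
 <description>2003 Boxster</description>
 <creditcardnumber>2222 111 232 23222</creditcardnumber>
 <amount>52000</amount>
</transaction>"""

ACTIONS = {"create", "read", "write", "delete"}

# One rule per (subject, object XPath, action, permission) entry.
# "webservice" and "auditor" are constructed subject names.
RULES = [
    ("webservice", "./amount", "read", "grant"),
    ("webservice", "./amount", "write", "deny"),
    ("webservice", "./name", "read", "grant"),
    ("auditor", "./*", "read", "grant"),  # any child element of the root
]


def decide(root, subject, element, action):
    """Decision for one element: deny-overrides, default deny.
    A rule applies when its subject and action match and its object
    XPath selects this element."""
    decisions = {perm for subj, xpath, act, perm in RULES
                 if subj == subject and act == action
                 and element in root.findall(xpath)}
    return "grant" in decisions and "deny" not in decisions


def is_permitted(root, subject, element_xpath, action):
    """True only if every element selected by element_xpath is permitted;
    an XPath that selects nothing is denied (fail closed)."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    targets = root.findall(element_xpath)
    return bool(targets) and all(
        decide(root, subject, e, action) for e in targets)


def load_transaction():
    """Parse the constructed sample document into an element tree."""
    return ET.fromstring(TRANSACTION_XML)
```

Requesting `./*` for the Web service is denied because no rule grants it the credit card number, even though two of the sibling elements are individually readable.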

This specification is controlled by the OASIS Technical Committee and may undergo several changes before it becomes a standard. The ability to apply field-level access-control lists coupled with encryption and other security options will make security integration between disparate Web services a lot easier. XACML will allow this to happen in a standards-based, open manner.