What is an XACML Profile?

I am new to XACML (eXtensible Access Control Markup Language) and I am a little confused. I don't understand what a profile is. For example, RBAC or SAML profiles.

What's the difference between them? Aren't structure and elements always the same?

Thanks for helping

+3
2 answers


There are two things that define XACML profiles: which AttributeId should be used for certain pieces of information, and the specific structure that the policy should accept.

XACML is powerful, mainly due to its flexibility, but that flexibility brings value when you want to exchange policies across organizations. For example, one organization might use a "login-id" to specify the name of a user account, while another might use a "username". Profiles can define known identifiers for this attribute.
Specifying the structure can be useful when higher-level management interfaces are built on top of some policy. It is often necessary to extract information from a policy and present it to the user, and limiting the structure in a profile can be a way of documenting what is expected.

Profiles can also be used as a document along the lines of "here is how to do this use case in XACML", which saves customers and vendors from reinventing the wheel.

+4
XACML provides two types of profiles:

  • Profiles that define best practices for using XACML to express well-defined scenarios such as export controls, intellectual property protection, and role-based access controls. These are Craig's profiles. These profiles do not require any specific technical implementation on behalf of an XACML engine other than the core XACML 2.0 / 3.0 language. They define a set of common attributes, their identification, their possible values, and their use in possible policies. See, for example, the IP Security Profile here: http://docs.oasis-open.org/xacml/3.0/ipc/xacml-3.0-ipc-v1-spec-cs-01-en.pdf. These profiles aim to define compatible ways of expressing common requirements.
  • Profiles extending the technical use / scope of XACML 2.0 / 3.0. Such profiles require technical implementation on behalf of the engine used. Such profiles include SAML XACML Profile, Multiple Decision Profile, and Administrative Delegation Profile. For example, a cross-solution profile defines how a policy enforcement point can send multiple authorization requests as part of a single generic XACML request. These profiles aim to broaden the technical scope of XACML.


Hope this helps, David.

+1
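The two answers above make two concrete points: a profile pins down which AttributeId names a piece of information (the first answer's "login-id" versus "username" example), and some profiles, such as the Multiple Decision Profile, change what a request may look like. The following Python is an added example that is not part of either answer or of any OASIS deliverable. It parses an XACML 3.0 Request with the standard library, checks every Attribute against a small table of profile-approved AttributeIds per category (the subject-id, resource-id and action-id identifiers are the core XACML ones, the role identifier is the one the RBAC profile defines), and expands a MultiRequests request into the individual requests a PDP would evaluate. The two request documents and the user, resource and action values in them are constructed for this example.

```python
"""Added example: a profile-conformance check for XACML 3.0 requests plus a
Multiple Decision Profile expander. Standard library only."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
# ElementTree reports xml:id under the predefined XML namespace.
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"

# Which AttributeId a "profile" allows per category. subject-id, resource-id
# and action-id are core XACML identifiers; the role id comes from the RBAC
# profile. Any real profile would replace this table with its own.
PROFILE_ATTRIBUTE_IDS = {
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": {
        "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
        "urn:oasis:names:tc:xacml:2.0:subject:role",
    },
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": {
        "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    },
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": {
        "urn:oasis:names:tc:xacml:1.0:action:action-id",
    },
}

# Constructed sample: one subject, two resources and one action, combined by
# the Multiple Decision Profile's MultiRequests element into two requests.
CONFORMANT_REQUEST = f"""<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes xml:id="s1" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="r1" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc1</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="r2" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doc2</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="a1" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <MultiRequests>
    <RequestReference>
      <AttributesReference ReferenceId="s1"/><AttributesReference ReferenceId="r1"/><AttributesReference ReferenceId="a1"/>
    </RequestReference>
    <RequestReference>
      <AttributesReference ReferenceId="s1"/><AttributesReference ReferenceId="r2"/><AttributesReference ReferenceId="a1"/>
    </RequestReference>
  </MultiRequests>
</Request>"""

# Constructed sample using the ad hoc "login-id" name the first answer mentions.
NONCONFORMANT_REQUEST = f"""<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="login-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def check_profile_ids(request_xml: str) -> list[str]:
    """Return one message per Attribute whose AttributeId the profile does not
    define for its category; an empty list means the request conforms."""
    root = ET.fromstring(request_xml)
    problems = []
    for attrs in root.findall("x:Attributes", NS):
        category = attrs.get("Category")
        allowed = PROFILE_ATTRIBUTE_IDS.get(category)
        if allowed is None:
            problems.append(f"unknown category {category}")
            continue
        for attr in attrs.findall("x:Attribute", NS):
            aid = attr.get("AttributeId")
            if aid not in allowed:
                problems.append(f"{category}: unexpected AttributeId {aid}")
    return problems


def expand_multi_request(request_xml: str) -> list[dict[str, str]]:
    """Expand a MultiRequests request into individual requests, each returned
    as a dict of AttributeId -> first AttributeValue. A request without
    MultiRequests is returned as a single-element list."""
    root = ET.fromstring(request_xml)
    all_attrs = root.findall("x:Attributes", NS)

    def flatten(attrs_elems):
        values = {}
        for attrs in attrs_elems:
            for attr in attrs.findall("x:Attribute", NS):
                value = attr.find("x:AttributeValue", NS)
                values[attr.get("AttributeId")] = value.text if value is not None else ""
        return values

    multi = root.find("x:MultiRequests", NS)
    if multi is None:
        return [flatten(all_attrs)]
    by_id = {a.get(XML_ID): a for a in all_attrs if a.get(XML_ID)}
    expanded = []
    for ref in multi.findall("x:RequestReference", NS):
        chosen = []
        for aref in ref.findall("x:AttributesReference", NS):
            target = by_id.get(aref.get("ReferenceId"))
            if target is None:  # a dangling reference is a malformed request
                raise ValueError(f"dangling ReferenceId {aref.get('ReferenceId')}")
            chosen.append(target)
        expanded.append(flatten(chosen))
    return expanded


if __name__ == "__main__":
    print("conformant:", check_profile_ids(CONFORMANT_REQUEST))
    print("non-conformant:", check_profile_ids(NONCONFORMANT_REQUEST))
    for i, req in enumerate(expand_multi_request(CONFORMANT_REQUEST), 1):
        print(f"individual request {i}:", req)
```

Running the module prints an empty violation list for the first request, one violation naming `login-id` for the second, and two individual requests, one per resource, which is exactly the sort of technical extension the second answer attributes to the Multiple Decision Profile and the sort of identifier agreement the first answer attributes to profiles in general.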