XML Access Control Markup Language (XACML) provides XML documents with support for access control lists on the document and elements. Access control can be as fine-grained as a single element in an XML document. Access control supports four types of actions: create, read, write, and delete. It is organized around triplets of object, subject, and action.
An XACML object represents a single element or a set of elements in an XML document. The elements are selected by an XPath expression. Let us look at a typical bank transaction document:
<?xml version="1.0"?>
<transaction>
  <name>Sherry Ann Rattan</name>
  <zipcode>06002</zipcode>
  <action>debit</action>
  <merchant>Porsche</merchant>
  <description>2003 Boxster</description>
  <creditcardnumber>2222 111 232 23222</creditcardnumber>
  <expiration>19770216</expiration>
  <amount>98222.22</amount>
</transaction>
Let's say that the Web service has the ability to read the amount but does not have the ability to write to it. We would simply define the appropriate access control:
<?xml version="1.0"?>
<policy>
  <xacl>
    <object href="amount"/>
    <rule>
      <acl>
        <subject>
          <uid>WebServiceOne</uid>
        </subject>
        <action name="read" permission="grant"/>
        <action name="write" permission="deny"/>
      </acl>
    </rule>
  </xacl>
</policy>
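As an added illustration (not code from this text or from the XACML specification), a small Python evaluator that applies the object/subject/action triplets of the policy above to the transaction document: access is denied unless an ACL whose object selects the element grants the action, and an explicit deny overrides any grant. The object href is resolved with ElementTree's limited XPath support, which covers the relative path used here.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: abbreviated transaction and the policy from the text.
TRANSACTION = """<?xml version="1.0"?>
<transaction>
  <name>Sherry Ann Rattan</name>
  <description>2003 Boxster</description>
  <amount>98222.22</amount>
</transaction>"""

POLICY = """<?xml version="1.0"?>
<policy>
  <xacl>
    <object href="amount"/>
    <rule>
      <acl>
        <subject><uid>WebServiceOne</uid></subject>
        <action name="read" permission="grant"/>
        <action name="write" permission="deny"/>
      </acl>
    </rule>
  </xacl>
</policy>"""


def load_policy(policy_xml):
    """Flatten the policy into (object href, subject uid, action) -> permission."""
    entries = {}
    for xacl in ET.fromstring(policy_xml).findall("xacl"):
        for obj in xacl.findall("object"):
            href = obj.get("href")
            for acl in xacl.findall("rule/acl"):
                uids = [u.text for u in acl.findall("subject/uid")]
                for act in acl.findall("action"):
                    for uid in uids:
                        entries[(href, uid, act.get("name"))] = act.get("permission")
    return entries


def is_permitted(policy_xml, doc_xml, uid, action, element_path):
    """Deny by default; grant only if a matching ACL grants and none denies."""
    doc = ET.fromstring(doc_xml)
    targets = doc.findall(element_path)  # paths are relative to the document root
    if not targets:
        return False  # element does not exist, so there is nothing to permit
    decision = "deny"
    for (href, p_uid, p_action), perm in load_policy(policy_xml).items():
        if p_uid != uid or p_action != action:
            continue
        # The object href must select the very element being accessed.
        if any(elem in targets for elem in doc.findall(href)):
            if perm == "deny":
                return False  # explicit deny overrides any grant
            decision = "grant"
    return decision == "grant"
```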
This specification is controlled by the OASIS Technical Committee and may undergo several changes before it becomes a standard. The ability to apply field-level access-control lists coupled with encryption and other security options will make security integration between disparate Web services a lot easier. XACML will allow this to happen in a standards-based, open manner.