XACML: What is a Policy and Policy Set?

January 21, 2012 by
Filed under: Design, Security 

A Policy in XACML is essentially an XML document that describes what is needed to grant permission or access to a resource. It comes down to some basic composition.

You have a set of three things:

1 – Subject: This is who is requesting access, the "WHO".

2 – Resource: This is the "WHAT"; specifically, it is something you are protecting for some reason.

3 – Action: This is the "active verb" that is being performed, usually what you can do to the resource. For disk access it would be "read", "write" or "delete", or it could be a higher-level function in the system such as "manage" or "review".

A Policy is linked to these three things, which are grouped together as a "target" to make them reusable and to attach shared attributes to the group.

A Policy also has a "Policy Combining Algorithm" and a "Rule Combining Algorithm". This is the logic to use when more than one policy or rule is in use; the standard default is DENY-OVERRIDES.

Deny-Overrides: A deny will always override a permit, so if 100 rules apply to you and only 1 of them is a deny, you cannot access the resource. This is the more secure-by-default approach.

The Rule is straightforward: it defines the logic and attributes needed to check security on the target. This is the power of XACML: a rule is composed of an Effect and, optionally, a Condition. The effect is always "permit" or "deny", and the optional condition lets you grant the effect based on time of day or other attributes of the user.
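To make the rule and deny-overrides logic above concrete, here is a small sketch in Python. It is an added example, not code from the original post or from any XACML product; the names `Rule`, `evaluate_rule`, `deny_overrides` and the sample attributes (`role`, `hour`) are assumptions, and the combining logic is modelled on the XACML 2.0 rule-combining behaviour, including the case where a deny rule cannot be evaluated.

```python
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Rule:
    effect: str                      # always "Permit" or "Deny"
    target: dict                     # attributes the request must match; {} matches all
    condition: Optional[Callable[[dict], bool]] = None

def evaluate_rule(rule, request):
    # Target: every listed subject/resource/action attribute must match.
    if any(request.get(k) != v for k, v in rule.target.items()):
        return NOT_APPLICABLE
    if rule.condition is None:
        return rule.effect
    try:
        return rule.effect if rule.condition(request) else NOT_APPLICABLE
    except Exception:
        return INDETERMINATE         # e.g. an attribute the condition needs is missing

def deny_overrides(rules, request):
    potential_deny = at_least_one_permit = at_least_one_error = False
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision == DENY:
            return DENY              # a single deny wins, whatever else permits
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            # A deny rule that failed to evaluate might have denied.
            potential_deny = potential_deny or rule.effect == DENY
    if potential_deny:
        return INDETERMINATE
    if at_least_one_permit:
        return PERMIT
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE

# Constructed sample rules: analysts may read reports, but nobody may
# touch reports outside 09:00-17:00.
RULES = [
    Rule(PERMIT, {"role": "analyst", "resource": "report", "action": "read"}),
    Rule(DENY, {"resource": "report"}, lambda r: not 9 <= r["hour"] < 17),
]

def decide(**request):
    return deny_overrides(RULES, request)
```

The enforcement point calling this should grant access only on `Permit`; `Indeterminate` and `NotApplicable` are not permits.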

Policy Set: This is just as it says, a collection of policies, which allows for better composition.


Lastly, there are "Obligations", which help with a cross-cutting concern like logging or auditing, preventing rule explosion.


The composition above describes the schema of a Policy and Policy Set as required by the XACML standard. In summary, you can see that:

A Policy has:

0 or 1 Targets,

1 Policy Combining Algorithm,

0 or 1 Obligations,

1 Rule Combining Algorithm.

A Target has a Subject, Resource, and Action, and Rule, and a Policy Set and Policy.

A Rule has an Effect and 0 or 1 Conditions, and a Rule Combining Algorithm.

A Policy Set has a Target, a Policy Combining Algorithm, and 0 or 1 Obligations.

An Example Policy is shown below:


The next overview will cover the application of Policies and an implementation of a PDP (Policy Decision Point) in C#, as an example of how it works internally.

