While it is difficult to design a general-purpose XACML editor without requiring the user to have extensive XACML knowledge, it should definitely be possible to create context-based editors for XACML rules. Suppose you are creating XACML policies for your web application; you can then have an editor that is specific to the web application domain. This domain-based editor approach avoids the requirement of XACML knowledge, because the policies can be designed in the domain's own semantics.
If you have some free time to kill and want to understand XACML better, I certainly recommend taking a peek at the Fedora XACML document (I did not write it, nor was I associated with the project).
Design Consideration
One of the favorite topics broached by XACML designers is the concept of date/time as part of the environment attributes.
You should be able to create XACML policies with rules such as:
- Deny requests to web applications between 5pm and 8am CDT.
You should embed the current time as part of your XACML request during tests so that they simulate a request occurring at a particular time, rather than at the time the test is run. :)
You should definitely take a look at the XML Date and Time functions including Timezone configuration as listed here.
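The rule and the test technique above, written out as an added example (not from the original post or any project it mentions). It assumes XACML 3.0 syntax; the policy and rule IDs under `urn:example:` and the pinned test time are constructed for illustration.

```xml
<!-- Added example. Policy: deny between 5pm and 8am CDT, permit otherwise.
     xs:time carries a fixed UTC offset, not a zone name, so CDT is -05:00. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:example:policy:webapp-after-hours" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="urn:example:rule:deny-after-hours" Effect="Deny">
    <Condition>
      <!-- time-in-range(value, start, end) is inclusive, and an end earlier
           than the start is read as the next day: 17:00 to 08:00 spans midnight. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
          <AttributeDesignator
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
              AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
              DataType="http://www.w3.org/2001/XMLSchema#time"
              MustBePresent="false"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00-05:00</AttributeValue>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:00:00-05:00</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="urn:example:rule:permit-otherwise" Effect="Permit"/>
</Policy>

<!-- Test request (constructed): current-time pinned to 22:30 CDT, so the
     expected decision is Deny no matter when the test itself runs. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
               IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">22:30:00-05:00</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
```

Useful additional test values are the inclusive boundaries `17:00:00-05:00` and `08:00:00-05:00` (both Deny), `12:00:00-05:00` (Permit), and `03:30:00Z`, which is 22:30 CDT expressed in UTC (Deny). Outside of tests, the current-time value should come from the PDP's context handler or a trusted PEP rather than from anything the caller controls.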