One main function of the XACML framework is to enable the development of effective security policies across the enterprise, instead of implementing individual policies for each point of access. The goal is to promote a common language and interoperability between access control implementations by multiple vendors.
As web access management has greatly evolved, several enterprises have embraced single sign-on systems with the separation of web-based authentication and coarse-grained authorization logic from applications. Despite this, when it comes to how organizations manage fine-grained authorization policies, significant challenges persist. To overcome these challenges, organizations must look beyond authentication and coarse-grained authorization towards a model of externalizing application authorization decisions. The XACML system is a mature standard framework built specifically for this.
Historically, RBAC has been the primary access control method used in enterprises, but it is no longer sufficient due to the explosion of access points and data volume. RBAC is limited to defining access permissions by role. This means it applies a sort of “one-size fits-all” solution which can be dangerous because it often results in too much or not enough access. Because users can be assigned multiple roles, it is possible that they contain conflicting data. This allows for loopholes in the permissions. RBAC also requires that administrators be extremely attentive to changes of users and roles and ensure that role assignment combinations are current, accurate, and consistent with other roles a user might be assigned.
ABAC, on the other hand, allows an enterprise to extend existing roles using attributes and policies. By adding context, authorization decisions can be made based not only on a user’s role, but also by taking into account who or what that user is related to, what that user needs access to, where that user needs access from, when that user needs access, and how that user is accessing the requested information. By creating a policy that is easy to understand, with context around a user and what s/he should have access to, access control becomes far more robust. This functionality expands the scope of RBAC significantly.
Enterprises have made significant investments in many business-critical applications and IT systems, however most of these applications and IT systems are based in RBAC. Therefore, enterprises are looking for ways to preserve their investment and extend the lifespan of these applications. ABAC and XACML offer an excellent option. XACML can be used as the standard to implement ABAC to extend RBAC or a hybrid ABAC and RBAC model.
Further, many enterprises have been developing custom solutions to meet the complex access control requirements of their business. However, this is a costly undertaking and it is difficult to maintain quality service. XACML can help enterprises break away from this dilemma by adopting a XACML-based commercial off-the-shelf (COTS) solution to eliminate the need to build a custom solution. With XACML’s fine-grained, attribute-based access control policy language, policies can be modified without requiring code changes or application downtime. This enables organizations to react quickly to changes in business or regulatory environments, greatly increasing agility and flexibility, and enhancing overall data protection while greatly reducing cost. Because access policies become centralized, altering the policies does not require software changes to individual applications. This results in a consistent enforcement of policies across key business applications – without relying on individual system administrators.