This page is a work in progress.

Differences between XACML 2.0 and XACML 3.0

Core Specification

Bug fixes

Obligations in rules

In XACML 2.0, obligations can only be added to policies and policy sets. In XACML 3.0, rules can also contain obligations.

The content element

In a XACML 2.0 request, there can only be XML content inside the resource category as part of the ResourceContent element (see line 467 of the XACML 2.0 spec PDF). In XACML 3.0, the ResourceContent element is generalized into a Content element that can be found in any category.

Scope of XPath expressions

In XACML 2.0, XPath expressions apply to the root of the XACML request. In XACML 3.0, XPath expressions apply to the root of the Content element.

The Target element

XACML 2.0

In XACML 2.0, a target groups attributes of the same category together under elements that reflect that category e.g. <Resources> and <Resource>. There is an or (disjunctive) relationship between attributes of the same category. This is clearly specified in the XACML 2.0 specification in section 5.5. The top-level category elements are combined using an and (conjunctive) relationship. This is specified on line 1909.

XACML 3.0

XACML 3.0 removes the disjunctive and conjunctive function of the category elements (e.g. <Resources>) and introduces the AnyOf and AllOf elements. The Target element still bears the conjunctive function, though: the AnyOf children of a Target are combined with and, the AllOf children of an AnyOf with or, and the Match children of an AllOf with and. Note that XACML 2.0 had already introduced and defined the any-of and all-of functions (ll. 4558-4568 of the XACML 2.0 specification) but simply did not have the equivalent schema elements. Section 5.6 (line 1872) of the XACML 3.0 specification explains the behavior of the Target element and its children in XACML 3.0.

What you can express in a target

Rule                                                      XACML 2.0   XACML 3.0
Doctor view medical record                                Yes         Yes
Doctor or nurse view medical record                       Yes         Yes
Doctor or nurse view or edit medical record               Yes         Yes
Doctor view medical record or nurse edit medical record   No          Yes

Sample XACML 2.0 target

doctors read medical records

<xacml2:Target>
  <xacml2:Subjects>
    <xacml2:Subject>
      <xacml2:SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</xacml2:AttributeValue>
        <xacml2:SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
      </xacml2:SubjectMatch>
    </xacml2:Subject>
  </xacml2:Subjects>
  <xacml2:Resources>
    <xacml2:Resource>
      <xacml2:ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml2:AttributeValue>
        <xacml2:ResourceAttributeDesignator AttributeId="resource-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml2:ResourceMatch>
    </xacml2:Resource>
  </xacml2:Resources>
  <xacml2:Actions>
    <xacml2:Action>
      <xacml2:ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml2:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml2:AttributeValue>
        <xacml2:ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml2:ActionMatch>
    </xacml2:Action>
  </xacml2:Actions>
</xacml2:Target>

Sample XACML 3.0 target

doctors read or write to medical records

<xacml3:Target>
  <!-- first AnyOf: action is read OR write -->
  <xacml3:AnyOf>
    <xacml3:AllOf>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
    </xacml3:AllOf>
    <xacml3:AllOf>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml3:AttributeValue>
        <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
    </xacml3:AllOf>
  </xacml3:AnyOf>
  <!-- second AnyOf (ANDed with the first): role is doctor AND resource is a medical record -->
  <xacml3:AnyOf>
    <xacml3:AllOf>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</xacml3:AttributeValue>
        <xacml3:AttributeDesignator AttributeId="role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
      <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medical record</xacml3:AttributeValue>
        <xacml3:AttributeDesignator AttributeId="resource-type" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </xacml3:Match>
    </xacml3:AllOf>
  </xacml3:AnyOf>
</xacml3:Target>
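As an added example (not from the page), a small Python evaluator for the XACML 3.0 Target semantics described above, applied to the last row of the table: it builds the cross-category target "doctor view medical record or nurse edit medical record" and the closest per-category shape XACML 2.0 allows, and shows that the latter over-matches (it also lets a doctor edit). Only the string-equal MatchId used in the page's samples is implemented; the request is a constructed dict keyed by (category, attribute-id), and the helper functions and the namespace prefix are this example's own.

```python
import xml.etree.ElementTree as ET

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml3": XACML3}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def match_xml(category, attribute_id, value):
    """One <Match> in the shape used by the page's samples (string-equal only)."""
    return (f'<xacml3:Match MatchId="{STRING_EQUAL}">'
            f'<xacml3:AttributeValue DataType="{XS_STRING}">{value}</xacml3:AttributeValue>'
            f'<xacml3:AttributeDesignator AttributeId="{attribute_id}" Category="{category}"'
            f' DataType="{XS_STRING}" MustBePresent="false"/></xacml3:Match>')
def target_xml(any_ofs):
    """any_ofs: list of AnyOf; each AnyOf is a list of AllOf; each AllOf a list of Match."""
    body = "".join("<xacml3:AnyOf>" + "".join(f"<xacml3:AllOf>{''.join(a)}</xacml3:AllOf>"
                   for a in any_of) + "</xacml3:AnyOf>" for any_of in any_ofs)
    return f'<xacml3:Target xmlns:xacml3="{XACML3}">{body}</xacml3:Target>'
def evaluate_match(m, request):
    """string-equal against the request bag; an absent attribute simply does not match."""
    if m.get("MatchId") != STRING_EQUAL:
        raise ValueError("this example only implements string-equal")
    d = m.find("xacml3:AttributeDesignator", NS)
    bag = request.get((d.get("Category"), d.get("AttributeId")), set())
    return m.find("xacml3:AttributeValue", NS).text in bag
def target_matches(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match."""
    root = ET.fromstring(target)
    return all(any(all(evaluate_match(m, request) for m in allof.findall("xacml3:Match", NS))
                   for allof in anyof.findall("xacml3:AllOf", NS))
               for anyof in root.findall("xacml3:AnyOf", NS))
def request(role, action, resource="medical record"):
    return {(SUBJECT, "role"): {role}, (ACTION, ACTION_ID): {action},
            (RESOURCE, "resource-type"): {resource}}

MR = match_xml(RESOURCE, "resource-type", "medical record")
# Last table row: one AnyOf whose two AllOf branches each span several categories.
CROSS_CATEGORY = target_xml([[
    [match_xml(SUBJECT, "role", "doctor"), match_xml(ACTION, ACTION_ID, "view"), MR],
    [match_xml(SUBJECT, "role", "nurse"), match_xml(ACTION, ACTION_ID, "edit"), MR]]])
# Closest XACML 2.0 shape: one disjunction per category, ANDed (doctor|nurse, view|edit, record).
PER_CATEGORY = target_xml([
    [[match_xml(SUBJECT, "role", "doctor")], [match_xml(SUBJECT, "role", "nurse")]],
    [[match_xml(ACTION, ACTION_ID, "view")], [match_xml(ACTION, ACTION_ID, "edit")]],
    [[MR]]])
```

target_matches(PER_CATEGORY, request("doctor", "edit")) returns True while target_matches(CROSS_CATEGORY, request("doctor", "edit")) returns False, which is exactly the expressiveness gap the table records.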

Custom Categories

In XACML 2.0 and 3.0, attributes always relate to categories. XACML 2.0 defined a fixed set of categories (the most common of which were subject, resource, action, and environment). In XACML 3.0, users are given the option to create their own custom categories.

Use of XPath

Obligations & Advice

Introduction of the Advice element

Section 5.35 of the XACML 3.0 specification defines a new element called Advice which is analogous to an Obligation. The key difference lies in the way a Policy Enforcement Point (PEP) needs to handle Obligations and Advice. The PEP may interpret the advice and the value of the advice id and arguments. The PEP shall interpret the obligation and the value of the obligation id and arguments.

Introduction of variables in the Obligation and Advice element

In XACML 2.0, obligations were static in the sense that they could not convey the value of an attribute that may change at runtime. Let's take the following example:

  * On deny, tell the PEP to send an email to the administrator

<xacml2:Obligations>
  <!-- FulfillOn="Deny": the PEP discharges this obligation only on a Deny decision -->
  <xacml2:Obligation FulfillOn="Deny" ObligationId="email">
    <xacml2:AttributeAssignment AttributeId="email" DataType="http://www.w3.org/2001/XMLSchema#string">administrator@acme-xacml.org</xacml2:AttributeAssignment>
  </xacml2:Obligation>
</xacml2:Obligations>

This obligation in XACML 2.0 would have had to contain the administrator's email address statically (or let the PEP figure out the value). In XACML 3.0, the value can be determined at runtime, for instance through a policy information point (PIP). This enables richer scenarios such as:

  * On deny, tell the PEP to send an email to the requestor's line manager.

<xacml3:ObligationExpressions>
  <!-- FulfillOn="Deny": the PEP discharges this obligation only on a Deny decision -->
  <xacml3:ObligationExpression FulfillOn="Deny" ObligationId="email">
    <!-- the assignment is an expression: the PDP resolves manager-email (via the context handler / PIP) before returning the obligation -->
    <xacml3:AttributeAssignmentExpression AttributeId="emailId" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" Issuer="">
      <xacml3:AttributeDesignator AttributeId="manager-email" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </xacml3:AttributeAssignmentExpression>
  </xacml3:ObligationExpression>
</xacml3:ObligationExpressions>

XACML 2.0 could not cater for such an obligation since at design-time, we do not know who the requestor is and therefore we do not know who their line manager is.
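As an added example (not from the page), a Python sketch of the runtime resolution described above: the page's ObligationExpression (quoted with its namespace declared and FulfillOn="Deny" for the "on deny" scenario) is turned into a concrete obligation for the PEP by resolving the AttributeDesignator against the request and, failing that, a constructed PIP that derives manager-email from the requestor's subject-id via a small directory. The evaluate_obligations and directory_pip functions, the DIRECTORY table and the request layout are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

XACML3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"xacml3": XACML3}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# The page's ObligationExpression, with FulfillOn="Deny" for the "on deny" scenario.
OBLIGATION_EXPRESSIONS = f"""<xacml3:ObligationExpressions xmlns:xacml3="{XACML3}">
  <xacml3:ObligationExpression FulfillOn="Deny" ObligationId="email">
    <xacml3:AttributeAssignmentExpression AttributeId="emailId" Category="{SUBJECT}">
      <xacml3:AttributeDesignator AttributeId="manager-email" Category="{SUBJECT}"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </xacml3:AttributeAssignmentExpression>
  </xacml3:ObligationExpression>
</xacml3:ObligationExpressions>"""

def evaluate_obligations(expressions_xml, decision, request, pip):
    """Resolve the ObligationExpressions that apply to `decision` ("Permit"/"Deny")
    into concrete obligations for the PEP: [(ObligationId, {AttributeId: [values]})].
    `request` maps (category, attribute-id) -> bag of values; `pip` is a callable
    consulted when the request does not carry the designated attribute."""
    root = ET.fromstring(expressions_xml)
    obligations = []
    for oe in root.findall("xacml3:ObligationExpression", NS):
        if oe.get("FulfillOn") != decision:
            continue
        assignments = {}
        for ae in oe.findall("xacml3:AttributeAssignmentExpression", NS):
            d = ae.find("xacml3:AttributeDesignator", NS)
            if d is None:  # a literal <AttributeValue>, i.e. the static 2.0-style case
                assignments[ae.get("AttributeId")] = [ae.find("xacml3:AttributeValue", NS).text]
                continue
            key = (d.get("Category"), d.get("AttributeId"))
            bag = list(request.get(key, [])) or pip(key, request)
            if not bag and d.get("MustBePresent") == "true":
                raise LookupError(f"Indeterminate: required attribute {key} is missing")
            assignments[ae.get("AttributeId")] = bag
        obligations.append((oe.get("ObligationId"), assignments))
    return obligations

# Constructed PIP: derives manager-email from the requestor's subject-id via a directory.
DIRECTORY = {"bob": "alice@acme-xacml.org", "carol": "dave@acme-xacml.org"}

def directory_pip(key, request):
    if key != (SUBJECT, "manager-email"):
        return []
    user = next(iter(request.get((SUBJECT, SUBJECT_ID), [])), None)
    return [DIRECTORY[user]] if user in DIRECTORY else []
```

With MustBePresent="false", an unknown requestor yields an obligation with an empty bag rather than an Indeterminate result, so the PEP still has to decide what to do when the address is missing.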

XACML profiles

New profiles

XACML 3.0 Export Compliance-US (EC-US) Profile Version 1.0

XACML v3.0 Administration and Delegation Profile Version 1.0

This is discussed in Policy Administration Control and Delegation using XACML and Delegent by Seitz et al. (see references below).

Updated profiles

The following is a non-exhaustive list of profiles that have been updated to take into account new functionality or syntax changes.

XACML v3.0 Multiple Decision Profile Version 1.0

References

  1. OASIS, eXtensible Access Control Markup Language (XACML) Version 3.0 specification.

  2. Seitz et al., Policy Administration Control and Delegation using XACML and Delegent.

  3. Olav L. Bandmann, Babak Sadighi Firozabadi, Mads Dam: Constrained Delegation.

DifferencesBetweenXACML2.0AndXACML3.0 (last edited 2012-04-27 15:04:45 by david.brossard)