2
votes

Currently I'm working at an on-line payment company, and I need to implement an access control system. I used XACML for experimental purposes 2 years ago, and used it in a management system (based on Balana's XACML implementation). I noticed the XACML Version 3 specification hasn't been updated since Jan 2013, and I wonder whether this specification is still under maintenance. If not, does anyone know any alternative?


2 Answers

5
votes

What David says is correct. In addition, the OASIS XACML Technical Committee (TC) has just voted to hold a public review of Errata for XACML 3.0. The review should start within a few days. The corrections are minor, but it does show we are maintaining the documents and getting input from the field.

Although no one is currently working on them, there are several unfinished Profiles I would like to see completed. One is to extend the JSON format for XACML to cover the policy language. It currently covers only the decision request protocol. Another is the ALFA policy language, which is a more user-friendly, JSON-like language originally developed by Axiomatics and endorsed by the TC.

For people who want to use XACML, in addition to several excellent commercial products, there are at least two other open source implementations in addition to the WSO2 Balana one mentioned above. ForgeRock has one, and there is another originally developed in house at ATT. The latter one was contributed to the Apache Incubator, but failed to gain traction and was mothballed. However, the original code is still freely available under the Apache license.

Finally, I should mention that I have proposed various ways to integrate XACML with token-based authorization schemes such as OAuth. However, this has not gone past the research stage.
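To make the pieces discussed above concrete (an XACML 3.0 policy, a decision request in the JSON profile's shorthand form, and the deny-overrides rule combining algorithm), here is an added example written for this page. It is not Balana's code, not Axiomatics' code and not part of either answer; it is a deliberately tiny Python PDP that understands only string-equal Match elements and deny-overrides, applied to a constructed payments policy. The attribute ids `role` and `status` and the policy itself are assumptions made up for the illustration; the namespace, category, function and algorithm URIs are the standard XACML 3.0 ones.

```python
"""Constructed example: a small XACML 3.0 policy for a payments back office,
evaluated by a minimal PDP that supports only string-equal <Match> elements
and the deny-overrides rule-combining algorithm. Requests use the JSON
profile's shorthand category member names. Not Balana or any real PDP."""
import json
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# JSON profile member names <-> XACML category URIs
CATEGORY = {"AccessSubject": SUBJECT, "Action": ACTION, "Resource": RESOURCE}
SHORT = {uri: name for name, uri in CATEGORY.items()}


def q(tag):
    """Namespace-qualify an XACML element name for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def match_xml(value, category, attr_id):
    """Emit one string-equal <Match> so the constructed policy stays readable."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Constructed policy; "role" and "status" are hypothetical attribute ids.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="payments-demo" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="clerk-may-view" Effect="Permit"><Target><AnyOf><AllOf>
    {match_xml("clerk", SUBJECT, "role")}{match_xml("view", ACTION, ACTION_ID)}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="manager-may-refund" Effect="Permit"><Target><AnyOf><AllOf>
    {match_xml("manager", SUBJECT, "role")}{match_xml("refund", ACTION, ACTION_ID)}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="no-refund-when-frozen" Effect="Deny"><Target><AnyOf><AllOf>
    {match_xml("refund", ACTION, ACTION_ID)}{match_xml("frozen", RESOURCE, "status")}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""


def make_request(role, action, status):
    """Build a JSON-profile decision request (constructed sample input)."""
    return json.dumps({"Request": {
        "AccessSubject": {"Attribute": [{"AttributeId": "role", "Value": role}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource": {"Attribute": [{"AttributeId": "status", "Value": status}]},
    }})


def _bag(request, category, attr_id):
    """Values of one attribute in the request; an empty bag if it is absent."""
    attrs = request["Request"].get(SHORT.get(category, ""), {}).get("Attribute", [])
    return [a["Value"] for a in attrs if a["AttributeId"] == attr_id]


def _match(m, request):
    """A Match is true if the function holds for any value in the designated bag."""
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))
    wanted = m.find(q("AttributeValue")).text
    des = m.find(q("AttributeDesignator"))
    return wanted in _bag(request, des.get("Category"), des.get("AttributeId"))


def _target_matches(target, request):
    """Empty Target matches all; AnyOf is an OR of AllOf; AllOf is an AND of Match."""
    if target is None or len(target) == 0:
        return True
    return any(all(_match(m, request) for m in allof.findall(q("Match")))
               for anyof in target.findall(q("AnyOf"))
               for allof in anyof.findall(q("AllOf")))


def evaluate(policy_xml, request_json):
    """Return a JSON-profile style response for one request."""
    policy = ET.fromstring(policy_xml)
    request = json.loads(request_json)
    decision = "NotApplicable"
    if _target_matches(policy.find(q("Target")), request):
        effects = {r.get("Effect") for r in policy.findall(q("Rule"))
                   if _target_matches(r.find(q("Target")), request)}
        # deny-overrides: any Deny wins; otherwise Permit; otherwise NotApplicable
        if "Deny" in effects:
            decision = "Deny"
        elif "Permit" in effects:
            decision = "Permit"
    return {"Response": [{"Decision": decision}]}


def decide(role, action, status):
    """Convenience wrapper returning just the Decision string."""
    return evaluate(POLICY_XML, make_request(role, action, status))["Response"][0]["Decision"]


if __name__ == "__main__":
    for case in [("clerk", "view", "active"), ("clerk", "refund", "active"),
                 ("manager", "refund", "active"), ("manager", "refund", "frozen")]:
        print(case, "->", decide(*case))
```

Two points the example is meant to show. First, a manager's refund of a frozen payment matches both a Permit rule and the Deny rule, and deny-overrides resolves that to Deny; with permit-overrides the same policy would Permit, so the combining algorithm is part of the policy's meaning, not a detail. Second, a clerk attempting a refund gets NotApplicable rather than Deny, because no rule covers it; the enforcement point (PEP) in front of a payment system should treat anything other than Permit as a refusal. A real deployment would hand the same policy and the same JSON request to a full PDP such as Balana instead of this subset evaluator.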

3
votes

Yes, XACML is still very much active. The standard, in version 3, is mature and right now no one is working on XACML 4.0. Given XACML 3.0 is a standard, there won't be changes made to 3.0. Either we go to 3.1 or 4.0. There are enhancements we are thinking of for a 4.0 version but this is not the focus for now.

The focus is on profiles, both technical profiles (such as the JSON profile of XACML) and business profiles (such as the Export Control profile of XACML).

Disclaimer: I work for Axiomatics, the leading XACML implementation. I am also a member of the XACML Technical Committee.

We see more and more requests for Attribute Based Access Control and XACML in the marketplace especially in financial and healthcare