Introduction

This document describes the functionalities implemented by the XACML PDP processor attached to this page. XACML stands for eXtensible Access Control Markup Language. PDP stands for Policy Decision Point. The PDP is a policy component which's main goal is to make accesscontrol decisions based upon XACML requests and XACML policies.

The PDP processor, as described in this document, generates a XACML response based upon two inputs: a XACML request document and a XACML policy document. This document does NOT describe where these policies and requests originate from, but is does point to the schema definition to which they should comply.

Libraries

The following additional libraries, apart from the ones shipped with Orbeon, are used by this processor:

• Sun's XACML implementation: http://sunxacml.sourceforge.net

Input document: request

Purpose

This input document contains the XACML request. The request contains a subject, resource and action. Each of these entities consist of one or more attribute/value pairs.

Namespace

All nodes in this document should be in the following namespace URN: urn:oasis:names:tc:xacml:1.0:context

XML Schema definition

http://www.oasis-open.org/committees/download.php/919/cs-xacml-schema-context-01.xsd

Example document

<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>jasper.linthorst</AttributeValue>
        </Attribute>
        <Attribute AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="avernet">
            <AttributeValue>volunteer</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>http://sites.google.com/a/orbeon.com/forms/contributions/xacml-pdp-processor</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>write</AttributeValue>
        </Attribute>
    </Action>
</Request>

Input document: policy

Purpose

This input document contains all policies needed for the PDP to evaluate the request.

Namespace

All nodes in this document should be in the following namespace URN: urn:oasis:names:tc:xacml:1.0:policy

XML Schema definition

http://www.oasis-open.org/committees/download.php/915/cs-xacml-schema-policy-01.xsd

Example document

Processing

The high level internal workings of the PDP processor are illustrated in the following table:

Output document: response

Purpose

This output document contains the result of the evaluation. The PDP can return the following decisions upon accesscontrol in its response:

• Permit, access to the requested resource can be granted.

• Deny, access to the requested resource must be denied.

• Indeterminate, an error occured or some value is missing.

• NotApplicable, there's no policy that matches the requested target.

Furthermore the PDP procesor can return a set of obligations. Depending on the XACML PEP these obligations will be executed after permitting or denying access to the requested resource. An example of an obligation could be to send a message to a log host whenever access to a resource is denied. The actual execution of the obligations have to be implemented by the PEP.

Namespace

This document should use the following namespace URN: urn:oasis:names:tc:xacml:1.0:context

XML Schema definition

http://www.oasis-open.org/committees/download.php/919/cs-xacml-schema-context-01.xsd

Example document

Usage in a pipeline

References and Documentation