eXtensible Access Control Markup Language

Use XACML Advice elements to generate detailed decisions.

A XACML engine usually returns a Boolean decision (permit or deny). Let's see how we can use Advice elements in XACML to return a policy decision that carries more than a Boolean value. Let's take an example from MDM (Mobile Device Management) systems. An MDM contains the policy enforcement point (PEP) for mobile devices. The PEP decides what […]

Authorization for APIs with XACML and OAuth 2.0

In this blog post, let's see how we can implement XACML to authorize APIs. I hope you are familiar with OAuth 2.0, so let's go directly through the diagram. An OAuth access token is granted to the application by the OAuth Authorization Server. The application can use the access token to access the API resources in […]

Access Control for Data Access Layer with XACML

Let's try to understand how XACML can be used to filter authorized data at the data access layer. Let's also learn how we can implement a data filtering sample using an open source XACML engine. First, it is better to understand a sample use case for this. Use case: KDiamond is a company that sells diamonds all other […]

XACML based Access Control for Web Applications

XACML is the standard for access control in SOA. But it seems that it is still not widely adopted within enterprises. I guess most people may not have an idea of the capabilities of XACML… It is not just an XML-based policy language… It has a lot of extensibility […]

XACML PIP for finding hierarchical resources

If you are working with XACML, you have surely heard about the PIP (Policy Information Point). PIPs help the PDP by finding things that are needed for policy evaluation. PIPs are mostly extension points that can be implemented and plugged into the PDP according to your use case. Identity Server supports several PIP extension points. […]

XACML PAP PDP Separation

In my previous post, I went through the XACML PDP (Policy Decision Point) architecture using WSO2 Identity Server. In this blog post, I hope to go through how the PDP and PAP have been separated from each other. In some implementations (especially with older Identity Server versions), there is no separation with the PAP (Policy Administrator […]