iSHARE Developer Portal
Other resources
Version 2.2 (current version)
Version 2.2 (current version)
  • Welcome to the iSHARE Developer Portal
  • Introduction
    • Getting started
      • Test certificates
      • Test participants
      • OpenAPI Descriptions
      • Postman collections
    • Release info
    • Help & support
    • Specific technical standards
      • JSON Web Token (JWT)
      • OAuth 2.0
      • OpenID Connect 1.0
      • PKI
      • TLS
      • XACML 3.0
      • Caching
      • DID
      • UTC
      • X.509
      • HTTP response codes
    • UI Guidelines
    • Conformance test tool
  • Roles
    • Roles
  • All roles (common endpoints)
    • Access token (M2M)
    • Capabilities
  • Authorisation Registry Role
    • Getting started
    • Access token (M2M)
    • Capabilities
    • Delegation
    • Delegation Policy
  • Entitled Party
    • Getting started
  • Identity Provider
    • Getting started
    • Authorize
    • Login
    • Access token
    • User info
    • Capabilities
  • Participant Registry role
    • Getting started
    • Access token (M2M)
    • Capabilities
    • Parties [GET]
    • Parties [OPTIONS]
    • Parties [POST]
    • Parties (single party) [GET]
    • Parties (single party) [OPTIONS]
    • Parties (single party) [PUT]
    • Trusted list
    • Versions
    • Data Spaces
    • Create Entitled Party / Service Consumer
  • Service Consumer Role
    • Getting started
  • Service Provider Role
    • Getting started
      • Service
    • Access token (M2M)
    • Capabilities
    • Return
  • Reference
    • iSHARE JWT
      • Client Assertion
    • Authentication
    • Authorization
    • Authorisation rules
  • Licenses model
Powered by GitBook
LogoLogo

  • Cookie Policy

  • Privacy Policy

  • Imprint

  • Contact Us

Copyright © 2024 iSHARE Foundation

On this page
  1. Introduction
  2. Specific technical standards

XACML 3.0

Within iSHARE, it is essential to provide fine-grained authorization. Besides rules on the authorization , it is important to have varying options to describe the resources and its attributes to which the rules apply.

XACML 3.0 is a specification for describing such authorization rules, but it is XML-based. For iSHARE, a JSON port was created for expressing the XACML specifications regarding authorization . This 'delegation evidence structure' is discussed in more detail in the chapter on delegation evidence structure.

On this page a brief description of XACML is provided. For the most recent version of the specification click on this link.

Description

XACML (eXtensible Access Control Markup Language) is an XML-based specification that is designed to control access to applications. One of the main advantages of this specification is that applications and systems with their own and different authorization structure can be integrated into one authorization scheme. authorization and the rules surrounding it can be managed centrally regardless of authorization mechanism of the applications themselves. This phenomenon is called externalisation. XACML is derived from SAML and provides the underlying specification for ABAC (Attribute-Based Access Control). XACML is also suitable to be used in combination with RBAC (Role-Based Access Control).

Moreover, with the help of XACML authorization can be arranged and managed in detail. This is called fine-grained authorization . XACML supports the use of security labels, rules with arbitrary attributes, rules with a certain duration and dynamic rules.

In XACML two main functions can be distinguished. One function defines the criteria with which authorization are assigned, such as 'only an experienced user from department X is allowed to modify documents’. The other function compares the criteria with the rules or policies to determine whether a person is allowed to perform the operation on the object or not.

The architecture of XACML is fairly complex. This is partly due to the fact that it is difficult to fit the various components of XACML in the application landscape. These components should be positioned in such a way that the owner of the data can somehow control the authorization to his or her data, but at the same time the components should be positioned in such a way that the performance is not negatively influenced. This is extra important when independent parties need to cooperate with each other and want to jointly organise the access to their applications. Finally, applications need to be compatible with XACML.

PreviousTLSNextCaching

Last updated 3 months ago