Recommendation ITU-T X.1144 (04/2024) eXtensible Access Control Markup Language (XACML) 3.1
Summary
History
FOREWORD
Table of Contents
1 Scope
2 References
3 Definitions
     3.1 Terms defined elsewhere
     3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 Overview
     6.1 Requirements
     6.2 Rule and policy combining
     6.3 Combining algorithms
     6.4 Multiple subjects
     6.5 Policies based on subject and resource attributes
     6.6 Multi-valued attributes
     6.7 Policies based on resource contents
     6.8 Operators
     6.9 Policy distribution
     6.10 Policy indexing
     6.11 Abstraction layer
     6.12 Actions performed in conjunction with enforcement
     6.13 Supplemental information about a decision
7 XACML models
     7.1 Data-flow model
     7.2 XACML context
     7.3 Policy language model
          7.3.1 Rule
               7.3.1.1 Rule target
               7.3.1.2 Effect
               7.3.1.3 Condition
               7.3.1.4 Obligation expressions
               7.3.1.5 Advice
          7.3.2 Policy
               7.3.2.1 Policy target
               7.3.2.2 Rule-combining algorithm
               7.3.2.3 Obligation expressions
               7.3.2.4 Advice
          7.3.3 Policy set
               7.3.3.1 Policy-combining algorithm
               7.3.3.2 Obligation expressions
               7.3.3.3 Advice expressions
8 Syntax
     8.1 Element 
     8.2 Element 
     8.3 Element 
     8.4 Element 
     8.5 Element 
     8.6 Element 
     8.7 Element 
     8.8 Element 
     8.9 Element 
     8.10 Element 
     8.11 Element 
     8.12 Simple type VersionType
     8.13 Simple type VersionMatchType
     8.14 Element 
     8.15 Element 
     8.16 Element 
     8.17 Element 
     8.18 Element 
     8.19 Element 
     8.20 Element 
     8.21 Element 
     8.22 Simple type EffectType
     8.23 Element 
     8.24 Element 
     8.25 Element 
     8.26 Element 
     8.27 Element 
     8.28 Element 
     8.29 Element 
     8.30 Element 
     8.31 Element 
     8.32 Element 
     8.33 Element 
     8.34 Element 
     8.35 Element 
     8.36 Element 
     8.37 Element 
     8.38 Element 
     8.39 Element 
     8.40 Element 
     8.41 Element 
     8.42 Element 
     8.43 Element 
     8.44 Element 
     8.45 Element 
     8.46 Element 
     8.47 Element 
     8.48 Element 
     8.49 Element 
     8.50 Element 
     8.51 Element 
     8.52 Element 
     8.53 Element 
     8.54 Element 
     8.55 Element 
     8.56 Element 
     8.57 Element 
     8.58 Element 
9 XPath 2.0 definitions
10 Functional requirements
     10.1 Unicode issues
          10.1.1 Normalization
          10.1.2 Version of Unicode
     10.2 Policy enforcement point
          10.2.1 Base PEP
          10.2.2 Deny-biased PEP
          10.2.3 Permit-biased PEP
     10.3 Attribute evaluation
          10.3.1 Structured attributes
          10.3.2 Attribute bags
          10.3.3 Multivalued attributes
          10.3.4 Attribute matching
          10.3.5 Attribute retrieval
          10.3.6 Environment attributes
          10.3.7 AttributeSelector evaluation
     10.4 Expression evaluation
     10.5 Arithmetic evaluation
     10.6 Match evaluation
     10.7 Target evaluation
     10.8 VariableReference evaluation
     10.9 Condition evaluation
     10.10 Extended "indeterminate"
     10.11 Rule evaluation
     10.12 Policy evaluation
     10.13 Policy set evaluation
     10.14 Policy and policy set value for "Indeterminate" target
     10.15 PolicySetIdReference and PolicyIdReference evaluation
     10.16 Hierarchical resources
     10.17 Authorization decision
     10.18 Obligations and advice
     10.19 Exception handling
          10.19.1 Unsupported functionality
          10.19.2 Syntax and type errors
          10.19.3 Missing attributes
     10.20 Identifier equality
11 Conformance
     11.1 Schema elements
     11.2 Identifier prefixes
     11.3 Algorithms
     11.4 Status codes
     11.5 Attributes
     11.6 Identifiers
     11.7 Data-types
     11.8 Functions
     11.9 Identifiers planned for future deprecation
     A.1 Introduction
     A.2 Data-types
     A.3 Functions
          A.3.1 Equality predicates
          A.3.2 Arithmetic functions
          A.3.3 String conversion functions
          A.3.4 Numeric data-type conversion functions
          A.3.5 Logical functions
          A.3.6 Numeric comparison functions
          A.3.7 Date and time arithmetic functions
          A.3.8 Non-numeric comparison functions
          A.3.9 String functions
          A.3.10 Bag functions
          A.3.11 Set functions
          A.3.12 Higher-order bag functions
          A.3.13 Regular-expression-based functions
          A.3.14 Special match functions
          A.3.15 XPath-based functions
          A.3.16 Other functions
          A.3.17 Extension functions and primitive types
     A.4 Functions, data-types, attributes and algorithms planned for deprecation
     B.1 XACML namespaces
     B.2 Attribute categories
     B.3 Data-types
     B.4 Subject attributes
     B.5 Resource attributes
     B.6 Action attributes
     B.7 Environment attributes
     B.8 Status codes
     B.9 Combining algorithms
     C.1 Extended "Indeterminate" values
     C.2 Deny-overrides
     C.3 Ordered-deny-overrides
     C.4 Permit-overrides
     C.5 Ordered-permit-overrides
     C.6 Deny-unless-permit
     C.7 Permit-unless-deny
     C.8 First-applicable
     C.9 Only-one-applicable
     C.10 Legacy Deny-overrides
     C.11 Legacy Ordered-deny-overrides
     C.12 Legacy Permit-overrides
     C.13 Legacy Ordered-permit-overrides
     I.1 Example one
          I.1.1 Example policy
          I.1.2 Example request context
          I.1.3 Example response context
     I.2 Example two
          I.2.1 Example medical record instance
          I.2.2 Example request context
          I.2.3 Example plain-language rules
          I.2.4 Example XACML rule instances
               I.2.4.1 Rule 1
               I.2.4.2 Rule 2
               I.2.4.3 Rule 3
               I.2.4.4 Rule 4
               I.2.4.5 Example PolicySet
     II.1 Extensible XML attribute types
     II.2 Structured attributes
     III.1 Threat model
          III.1.1 Unauthorized disclosure
          III.1.2 Message replay
          III.1.3 Message insertion
          III.1.4 Message deletion
          III.1.5 Message modification
          III.1.6 NotApplicable results
          III.1.7 Negative rules
          III.1.8 Denial of service
     III.2 Safeguards
          III.2.1 Authentication
          III.2.2 Policy administration
          III.2.3 Confidentiality
          III.2.4 Policy integrity
          III.2.5 Policy identifiers
          III.2.6 Trust model
          III.2.7 Privacy
     III.3 Unicode security issues
     III.4 Identifier equality