Monday, January 7, 2013

XACML Authorization

XACML - eXtensible Access Control Markup Language

Here I'm going to explain how and where we can use WSO2 IS (Identity Server) as a XACML engine.

Let's look at the following example to understand authentication and authorization.

1. This is a simple billing system with three services: Create Account, View Account Details and Delete Account.
Admin role - can access all three services
User role - can access View Account Details only
[Figure: Sample]

Now user Dinuka is going to log in to this system, and the system checks whether the username and password are correct. This operation is called authentication.

Think about this scenario: a user called Malinda logs in to the system and tries to access the Delete Account service. First of all the user must be authenticated; then the system has to check whether the logged-in user has permission to access the Delete Account service. This operation is called authorization.

So the above system is using role-based authorization.

2. Now we will try to understand how to use the XACML engine for authorization.
In this system we are using the ESB (Enterprise Service Bus), AS (Application Server) and IS (Identity Server).

[Figure: XACML]

1. Request to access Resource A - First of all, the ESB authenticates the user, then it calls the PEP (Policy Enforcement Point; in WSO2 ESB this is the Entitlement mediator). In the Entitlement mediator we have to define the Identity Server details.

2. Is authorized? - The PEP calls the PDP (Policy Decision Point) and asks whether this user is authorized to access Resource A.

3. Yes/No - The PDP evaluates the policies in the policy store and takes the decision according to the defined policies.

If the decision is Yes, we allow the user to access the resource.

The benefit of the above system is that we can easily change the permissions of the users without changing any other component such as the ESB or AS. The only thing we have to do is change the policies in the policy store.

Let me explain the PAP (Policy Administration Point) - this handles the administration part of the XACML engine (e.g. uploading policies, editing policies, etc.).
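As an added illustration (not code from this post or from WSO2), here is a small Python model of the components just described: a policy store that the PAP deploys policies into, a PDP that evaluates role-based rules with XACML's deny-overrides combining algorithm, and a deny-biased PEP standing in for the Entitlement mediator. The billing-system services, the users and their role assignments are constructed sample data, and the ESB is assumed to have authenticated the users already.

```python
SERVICES = frozenset({"CreateAccount", "ViewAccountDetails", "DeleteAccount"})
# Constructed identity data: authenticated username -> roles resolved by the IS.
USER_ROLES = {"dinuka": {"admin"}, "malinda": {"user"}}

class Rule:
    """XACML-style rule: target = (subject roles, resources) plus an effect."""
    def __init__(self, rule_id, effect, roles, resources=SERVICES):
        self.rule_id, self.effect, self.roles, self.resources = rule_id, effect, roles, resources

    def matches(self, roles, resource):
        return bool(roles & self.roles) and resource in self.resources

def combine_deny_overrides(effects):
    """XACML deny-overrides: a Deny wins, else a Permit, else NotApplicable."""
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

class Policy:
    def __init__(self, policy_id, rules):
        self.policy_id, self.rules = policy_id, rules

    def evaluate(self, roles, resource):
        return combine_deny_overrides({r.effect for r in self.rules if r.matches(roles, resource)})

class PolicyStore:
    """Policy store: the PAP deploys or replaces policies here; the PDP only reads."""
    def __init__(self):
        self.policies = {}

    def pap_deploy(self, policy):
        self.policies[policy.policy_id] = policy

def pdp_decide(store, username, resource):
    """PDP: answer 'Is authorized?' against every deployed policy."""
    roles = USER_ROLES.get(username, set())
    return combine_deny_overrides({p.evaluate(roles, resource) for p in store.policies.values()})

def pep_enforce(store, username, resource):
    """PEP (Entitlement mediator): deny-biased, so only an explicit Permit lets
    the call through; NotApplicable, Deny or an unknown user all block it."""
    return pdp_decide(store, username, resource) == "Permit"

def billing_policy(user_services):
    """Billing-system policy: Admin role gets every service, User role only user_services."""
    return Policy("billing", [Rule("admin-all", "Permit", {"admin"}),
                              Rule("user-limited", "Permit", {"user"}, frozenset(user_services))])
```

Redeploying a new policy through pap_deploy changes what Malinda may call while pep_enforce and pdp_decide stay untouched, which is the point made above about not modifying the ESB or AS.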

2 comments:

  1. [...] 10. Now we need to use those properties and do some authorization. So we can easily move to XACML engine coming with the Identity server to do the needful. Here I’m not going to explain the behavior of the XACML Engine in Identity server but you can follow my early blog posts such as Authentication and Authorization with WSO2ESB and WSO2IS XACML Authorization [...]

  2. Very descriptive article, I loved that bit. Will there be a part 2?
