XACML-Based Access Control

Leverage XACML for fine-grained access control.

Historically, access control for government information-sharing projects has been implemented project by project, using point solutions that are neither interoperable with each other nor flexible enough to handle the complex requirements of modern information-sharing initiatives that span traditionally isolated branches of government.

For this reason, policy-based access control (PBAC) approaches, which allow access rules to be defined and updated in a policy-oriented fashion, have become increasingly popular. The eXtensible Access Control Markup Language (XACML) has emerged as an extremely flexible policy expression language for PBAC.

Unfortunately, XACML was not quickly or widely adopted by identity and access management (IAM) vendors. Moreover, those IAM products that do provide some level of support for XACML usually fail to meet the loose-coupling and policy-based configuration goals required for PBAC best practices.

Deploy an XACML-compliant API Gateway.

A best-practice solution for XACML-based PBAC consists of various architectural components. These components usually include a policy enforcement point (PEP), policy decision point (PDP), policy administration point (PAP), policy information point (PIP), obligation service (OS) and context handler (CH).

The core architectural requirements—PEP and PDP—can be met by deploying an XACML-enabled SOA, XML or API gateway at the edge of the departmental architecture. Specifically, a gateway appliance can be used as a central policy decision point and as part of the policy enforcement point. However, not all gateway appliances support XACML.

CA API Gateway is built on a legacy of award-winning XML and SOA functionality. The API Gateway provides wide support for XACML, allowing it to be used directly as an authorization policy language. It can also be used indirectly, to integrate with third-party XACML-compliant enterprise products.

XACML PEP and PDP in one product

CA API Gateway is recognized by top analyst firms as one of the leading appliances in its class. It comes with a range of government-grade security certifications (including FIPS 140-2 and Common Criteria) and is widely used across various branches of the US Federal Government.

CA API Gateway delivers two of the most important requirements for XACML-based PBAC:

  • A PEP capable of creating and enforcing an XACML authorization query request/response
  • A PDP able to provide an XACML authorization query Web service for PEP invocation and to utilize XACML as an authorization policy

When deployed as a centralized PDP, CA API Gateway can:

  • Receive standards-based authorization queries from a variety of PEPs.
  • Retrieve attributes from a variety of authoritative sources.
  • Evaluate any information collected, based on the rules expressed within an XACML policy.

These PDP capabilities, combined with the ability of CA API Gateway to provide SAML-based attribute services and authentication token services through its integrated Secure Token Service (STS), make it possible to implement all aspects of policy decision, attribute collection and identity federation in a single product.
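As an added illustration (not code from this page or from CA), the PEP/PDP exchange described above in Python: the PEP builds an XACML 3.0 Request, the PDP parses it, obtains a missing role attribute from a constructed PIP directory, evaluates a two-rule policy with deny-overrides combining and returns an XACML Response. The policy, the role attribute id `urn:example:role` and the PIP directory are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# XACML 3.0 core namespace plus the standard category and attribute identifiers.
XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ROLE_ID = "urn:example:role"  # hypothetical attribute id, resolved via the PIP

# Constructed PIP: the authoritative source the PDP consults for attributes
# the PEP did not include in its request (here, the subject's role).
PIP_ROLES = {"alice": "analyst", "bob": "contractor"}

# Simplified policy (assumed): a rule applies when every target attribute
# matches; applicable rules are combined with deny-overrides.
POLICY = [
    {"effect": "Permit", "target": {(ACTION_CAT, ACTION_ID): "read",
                                    (RESOURCE_CAT, RESOURCE_ID): "/reports"}},
    {"effect": "Deny", "target": {(SUBJECT_CAT, ROLE_ID): "contractor",
                                  (RESOURCE_CAT, RESOURCE_ID): "/reports"}},
]

def pep_request(subject, action, resource):
    """PEP side: build the XACML 3.0 Request sent to the PDP's authorization service."""
    req = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    for cat, attr_id, value in ((SUBJECT_CAT, SUBJECT_ID, subject),
                                (ACTION_CAT, ACTION_ID, action),
                                (RESOURCE_CAT, RESOURCE_ID, resource)):
        attrs = ET.SubElement(req, f"{{{XACML}}}Attributes", Category=cat)
        attr = ET.SubElement(attrs, f"{{{XACML}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue",
                      DataType="http://www.w3.org/2001/XMLSchema#string").text = value
    return ET.tostring(req, encoding="unicode")

def pdp_decide(request_xml):
    """PDP side: parse the request, fill gaps via the PIP, evaluate the policy."""
    root = ET.fromstring(request_xml)
    ctx = {}
    for attrs in root.findall(f"{{{XACML}}}Attributes"):
        for attr in attrs.findall(f"{{{XACML}}}Attribute"):
            ctx[(attrs.get("Category"), attr.get("AttributeId"))] = attr.findtext(f"{{{XACML}}}AttributeValue")
    if (SUBJECT_CAT, ROLE_ID) not in ctx:  # context handler asks the PIP for the missing attribute
        ctx[(SUBJECT_CAT, ROLE_ID)] = PIP_ROLES.get(ctx.get((SUBJECT_CAT, SUBJECT_ID)))
    effects = {r["effect"] for r in POLICY if all(ctx.get(k) == v for k, v in r["target"].items())}
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    return f'<Response xmlns="{XACML}"><Result><Decision>{decision}</Decision></Result></Response>'

def decision_of(response_xml):
    """PEP side: extract the Decision from the PDP's Response before enforcing it."""
    return ET.fromstring(response_xml).findtext(f"{{{XACML}}}Result/{{{XACML}}}Decision")
```

Note that the contractor is denied even though the generic read rule permits: deny-overrides is what makes a separately administered restriction win over a broader grant.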
