Working with XACML¶
XACML is an XML-based language for access control that has been standardized by the Technical Committee of the OASIS consortium. XACML is very popular as a fine grained authorization method among the community. Fine-grained authorization specifies the requirements and variables in an access control policy that is used to authorize access to a resource. However, there are plenty of other aspects of XACML other than it being just a fine grained authorization mechanism.
Info
For more information about XACML, see Access Control and Entitlement Management.
We generally use the HTTPS transport protocol for calling a Web Service API that has been exposed by the PDP (Policy Decision Point). With WSO2 Identity Server, we can also use the Thrift protocol to communicate with the PDP. Since is a well known fact that Thrift is faster than HTTP, we can get significantly higher performance along with less response time by using thrift protocol with WSO2 Identity Server.
Note
Using thrift in XACML calls
In order to use thrift in XACML calls, you must first enable the thrift
service. To do this, set the following property to true in the deployment.toml file found in the <IS_HOME>/repository/conf folder.
[entitlement.thrift]
enable=trueThe following topics provide information and instructions on how to use XACML to perform various access control related functions.
- Enabling REST Notifications For XACML Policy Updates
- Identity Server as a XACML Engine
- Working with XACML Multiple Decision Profile Requests
- Fine-grained Authorization using XACML Requests in JSON Format
- Improving XACML PDP Performance with Caching Techniques
- Writing XACML2.0 Policies in WSO2 Identity Server
- Writing XACML3 Policies in WSO2 Identity Server
- Sending Notifications to External PEP Endpoints
- Writing a XACML 3.0 Policy Using XPath