Good news! Version 3.0 of the eXtensible Access Control Markup Language (XACML) has just been voted a Committee Specification Draft. There will only be a 15-day public review, since the specification had already reached that level before we dropped back to Working Draft. There is still a long way to go until version 3.0 becomes an OASIS standard, but at least we’ve started down that path.
What is XACML?
In short, XACML offers an architecture for access control, a policy language for describing and evaluating access control policies, and a protocol for requesting access. I’ve written about XACML in a series on EMC’s Developers Network:
- Introduction to XACML: Access Control Policies in XML
- Real world examples of XACML security policies
- Implementing an XACML PEP in Java
What’s new in 3.0?
Axiomatics were the first company to implement 3.0 (their CTO, Erik Rissanen, is editor of the spec). They’ve also summarized what has changed since 2.0, the current OASIS standard:
Who’s using XACML?
Obviously not many people are using 3.0, since it’s not a standard yet. But 2.0 has been around since 2005 and is used in various places. Below is a sample of places where XACML is being used:
- PayPal
- Datev
- Swedish National Health Service
- Bell Helicopter Textron Inc.
- Department of Veterans Affairs
- Bank of America
- Other organizations that remain unnamed
I’ll update this list when I find more examples. If you know of any, please let me know.
Update 2011-08-19: BitKOO is the second vendor to attest 3.0 compliance, after Axiomatics.