XACML as a Standard
The OASIS Technical Committee that defines the XACML specification recently voted version 3.0 to Committee Draft Specification. A public review will follow and then the spec will move to Committee Specification and from there to Standard.
To become an OASIS standard, there must be at least three attestations of successful use of a specification. We recently got the third attestation from the Bank of America, so things are looking good on the standardization front.
XACML in the Market
But how is the market responding? I don’t have a good overview of global XACML adoption. I did, however, recently attend an XACML seminar in the Netherlands, which gave me a good impression of XACML adoption in the low countries.
The seminar kicked off with a couple of general presentations. The main point of mine was that XACML is a future-proof technology for authorization, since it can handle all major access control models. Then we moved on to talk about actual implementations.
Martijn Kaag talked about the use of XACML in eRecognition (eHerkenning), which provides authentication and authorization services for businesses and government agencies. It is required for all Dutch national, regional and local government agencies.
Oscar Koeroo talked about the use of XACML in the academic grid computing world. This is a spectacular infrastructure for particle physics research. Talking about Big Data! They make heavy use of XACML obligations.
Maarten Wegdam talked about an XACML pilot at a large Dutch bank, where they relied a lot on context information, mostly having to do with location. This context is stored in XACML environment attributes.
Things are definitely moving in the right direction, but XACML still seems confined to some isolated cases. It may take some time before we see widespread use. Until that time, we can learn from a couple of interesting places where people are pioneering with XACML.