Which of the following protocols only facilitates access control?



A. XACML


Service Provisioning Markup Language (SPML) is an OASIS developed markup language designed to provide service, user, and resource provisioning between organizations. Security Assertion Markup Language (SAML) is used to exchange user authentication and authorization data. Extensible Access Control Markup Language (XACML) is used to describe access controls. 




Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.





Extensible Access Control Markup Language (XACML) is a standard for an access control policy language using Extensible Markup Language (XML). Its goal is to create an attribute-based access control system that decouples the access decision from the application or the local machine. It provides for fine-grained control of activities based on criteria including:


Attributes of the user requesting access (for example, all division managers in London)


The protocol over which the request is made (for example, HTTPS)


The authentication mechanism (for example, requester must be authenticated with a certificate)

XACML uses several distributed components. Policy enforcement point (PEP): This entity is protecting the resource that the subject (a user or an application) is attempting to access. When it receives a request from a subject, it creates an XACML request based on the attributes of the subject, the requested action, the resource, and other information. Policy decision point (PDP): This entity retrieves all applicable policies in XACML and compares the request with the policies. It transmits an answer (access or no access) back to the PEP. XACML is valuable because it is able to function across application types. XACML is a good solution when disparate applications that use their own authorization logic are in use in the enterprise. By leveraging XACML, developers can remove authorization logic from an application and centrally manage access using policies that can be managed or modified based on business need without making any additional changes to the applications themselves.