It would be great to be able to execute XACML access-control policy in a standard, efficient rules engine, either open-source (Drools) or commercial (Fair Isaac). Does any general-purpose rules engine accept OASIS' eXtensible Access-Control Markup Language (preferably v3) as input? Related: do any of the main IAM vendors actually use an OEM rules engine as the basis for their policy-decision-point (PDP) product?
- So XACML is a domain-specific rule ML. It hasn't been defined anywhere near RuleML or W3C's RIF or some other generic definition language which *might* make a direct transformation/translation to Drools Rule Language easier. But there isn't even a direct path from these generic MLs to DRL. Implementing a highly complex translator is probably the same amount of work as writing an interpreter, and you have a free choice of the target platform while you don't have the dependency on some other intricate system. – laune Aug 23 '14 at 08:16
- Hmmm... I assumed that pure rules engines which have been around for a while would have been highly optimized, and lots faster than a PDP developed by firms not specialized in rules engines. But maybe the Oracles, IBMs, Axiomatics', Bitkoo's (Dell's), etc. developed very efficient XACML processors, at least enough to offset the problems you cite. Is there a way to compare efficiency without a XACML-to-DRL translator? Or maybe the question is: why not use DRL or another policy language instead of XACML for PDPs? Can the substance of XACML not be expressed in those languages? – Kid Rocket Aug 25 '14 at 04:07
- Anything that can be expressed in a series of "when...then..." specifications can be implemented very well in Drools (or any other RBS). So it would be possible to compare a Drools "native" solution with any PDP product. But I don't think that you'll see much difference in speed, except, maybe, during a start-up phase. – laune Aug 25 '14 at 07:00
- Although I would expect a PDP to be faster, if at all; the XACML grammar is much smaller. But the main difference is not about performance but rather about state: a XACML architecture is stateless. A rules engine isn't. This means you can scale up PDPs easily. – David Brossard Aug 25 '14 at 12:10
- So, David, what is stateful about a rules engine that declines credit-card charges? The rules are, I guess, "stateful", but surely the transactions are not. This is actually the application I was thinking of in comparison to XACML PDP access-control decisions. What am I missing? Thanks. – Kid Rocket Sep 15 '14 at 20:23
1 Answer
Not that I am aware. You can call out from drools to a xacml engine e.g. the Axiomatics Policy Server. You can likely also embed their xacml engine inside drools.
I'm not aware of any major iam vendor using a rules engine as the basis for their PDP.

David Brossard
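To make the comparison in the comments concrete (a XACML Rule is a "when target matches, then effect" pair, and a PDP evaluation needs no state beyond the policy and the request), here is a toy XACML 3.0 interpreter of the kind laune's comment suggests is about as much work as a translator. This is an added example written for this page, not code from the question, the answer, Drools, Axiomatics or any other vendor PDP. It handles only string-equal Matches in Rule Targets, Permit/Deny effects and the deny-overrides rule-combining algorithm; Conditions, Obligations, other combining algorithms and the Indeterminate result are out of scope. The policy and requests are constructed for the example, and the bare `role` attribute id is an assumption rather than a standard XACML identifier.

```python
"""Minimal stateless XACML 3.0 policy evaluator.

Added illustration, not code from the page or from any real PDP. Supports a
small subset of XACML 3.0: string-equal Matches in Rule Targets, Permit/Deny
effects, deny-overrides combining. Policy and requests below are constructed
for the example; the "role" attribute id is an assumption, not a standard one.
"""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy: doctors may read, nobody may delete. Each <Rule> is the
# XACML spelling of "when <target matches> then <effect>".
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="example:records" Version="1.0"
    RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="doctors-may-read" Effect="Permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">doctor</AttributeValue>
        <AttributeDesignator Category="{SUBJECT_CAT}" AttributeId="role"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
        <AttributeDesignator Category="{ACTION_CAT}" AttributeId="{ACTION_ID}"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="nobody-deletes" Effect="Deny">
    <Target><AnyOf><AllOf>
      <Match MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">delete</AttributeValue>
        <AttributeDesignator Category="{ACTION_CAT}" AttributeId="{ACTION_ID}"
            DataType="{XS_STRING}" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
  </Rule>
</Policy>"""


def make_request(role, action):
    """Request context: (category, attribute-id) -> bag of string values."""
    return {(SUBJECT_CAT, "role"): {role}, (ACTION_CAT, ACTION_ID): {action}}


def _match(match_el, request):
    """One <Match>: string-equal between the literal and the request's bag."""
    match_id = match_el.get("MatchId")
    if match_id != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match_id}")
    literal = match_el.find("x:AttributeValue", NS).text
    des = match_el.find("x:AttributeDesignator", NS)
    bag = request.get((des.get("Category"), des.get("AttributeId")), set())
    # A missing attribute simply fails to match here; a real PDP would return
    # Indeterminate when MustBePresent="true".
    return literal in bag


def _target_matches(target_el, request):
    """<Target> = AND over <AnyOf>, each OR over <AllOf>, each AND over <Match>.
    An empty or absent Target matches every request."""
    if target_el is None:
        return True
    return all(
        any(all(_match(m, request) for m in all_of.findall("x:Match", NS))
            for all_of in any_of.findall("x:AllOf", NS))
        for any_of in target_el.findall("x:AnyOf", NS)
    )


def _evaluate_rule(rule_el, request):
    if rule_el.find("x:Condition", NS) is not None:
        raise ValueError("Conditions are not supported by this toy evaluator")
    if _target_matches(rule_el.find("x:Target", NS), request):
        return rule_el.get("Effect")  # "Permit" or "Deny"
    return "NotApplicable"


def evaluate(policy_xml, request):
    """Stateless PDP step: the decision is a pure function of (policy, request),
    which is why independent PDP instances can be scaled out behind a PEP."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise ValueError("only deny-overrides is implemented")
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    decisions = [_evaluate_rule(r, request) for r in policy.findall("x:Rule", NS)]
    if "Deny" in decisions:  # deny-overrides: any Deny wins
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


if __name__ == "__main__":
    for role, action in [("doctor", "read"), ("doctor", "delete"), ("nurse", "read")]:
        print(role, action, "->", evaluate(POLICY_XML, make_request(role, action)))
```

Each Rule above maps one-to-one onto a DRL-style rule ("when role == doctor and action == read then Permit"), which is the sense in which the substance of XACML is expressible in a rules engine; the part a generic engine does not give you for free is the XACML combining algorithm and the four-valued result (Permit/Deny/NotApplicable/Indeterminate). Note also that `evaluate` touches nothing but its two arguments: there is no working memory that survives between calls, which is the stateless property the comments contrast with a rules engine's session.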