Which of the following statements are true about the XACML standard and architecture?
A. The Policy Enforcement Point (PEP) is where permit / deny access decisions are made.
B. The Policy Information Point (PIP) provides information such as user attributes or environmental data that may be used to make access control decisions.
C. XACML defines an XML schema used to represent rules for access control.
D. XACML defines a TCP protocol used to communicate messages between Policy Enforcement Points.
E. SAML assertions can be used to carry XACML authorization decisions.
Explanation:
A: PEP – Policy Enforcement Point, where permit/deny access decisions are
enforced.
B: PIP – Policy Information Point, where information can be retrieved to evaluate
policy conditions. For example, a user’s role or time of day may be needed by the
PDP to make a policy decision.
C: eXtensible Access Control Markup Language (XACML) provides a standard way to
represent access control policy information using XML. XACML defines access control policies in
terms of rules, which in turn are defined to include a target, an effect, and a set of conditions.
XACML defines an XML schema used to represent rules.
E: The SAML 2.0 profile of XACML 2.0 defines SAML assertions used to carry policies, policy
queries and responses, authorization decisions, authorization query decisions and responses, and
attribute assertions. In this way SAML authentication, attribute, and authorization
assertions are incorporated into the security framework to complement XACML.
Reference: Oracle Reference Architecture, Security, Release 3.1