Access control policies govern the authorization of an attempted request to access online resources in a software system. The resources in a system vary widely: networking devices, infrastructure, data, services, or other security-critical components reachable over a network. Access control has been broadly used in financial, security, privacy, safety, defense, and many other applications to protect resources from being accessed by unauthorized users.
Access control policies for cybersecurity are enforced by an access control model, such as Attribute-based Access Control (ABAC), Multilevel Security, and Workflows. The legacy models DAC (Discretionary Access Control), RBAC (Role-Based Access Control), RBAC (Rule-Based Access Control), OrBAC (Organization-Based Access Control), MAC (Mandatory Access Control), IBAC (Identity-Based Access Control), HBAC (History-Based Access Control), and RsBAC (Responsibility-Based Access Control) can all be evolved into an ABAC model.
XACML (eXtensible Access Control Markup Language) 2.0/3.0 defines a framework for access control policy enforcement. The framework includes the PEP (Policy Enforcement Point), PDP (Policy Decision Point), PIP (Policy Information Point), PAP (Policy Administration Point), and PRP (Policy Retrieval Point). XACML defines a standard language for describing access control policies so that they can be deployed in the access control system. A user-end request to access a resource is routed to the PEP, which forwards the request to a PDP for evaluation and an authorization decision. The PDP then consults the PIP and PRP, via the PAP, for the verification it needs.
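As an added example that is not part of the original text, the following Python sketch models the PEP/PDP/PIP/PRP flow described above with constructed policies and subject attributes. The class names mirror the XACML components, but the deny-overrides combining algorithm and the PEP's default-deny on NotApplicable are choices made here, not something the text or the XACML standard library fixes for you.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[dict], bool]     # evaluated over resolved attributes

@dataclass
class Policy:
    target: Callable[[dict], bool]        # does this policy apply to the request?
    rules: list

class PIP:  # Policy Information Point: supplies attributes the request lacks
    def __init__(self, directory): self.directory = directory
    def resolve(self, request):
        return {**request, **self.directory.get(request.get("subject"), {})}

class PRP:  # Policy Retrieval Point: the PDP fetches applicable policies here
    def __init__(self, policies): self.policies = policies
    def applicable(self, attrs): return [p for p in self.policies if p.target(attrs)]

class PDP:  # Policy Decision Point, deny-overrides combining algorithm
    def __init__(self, pip, prp): self.pip, self.prp = pip, prp
    def decide(self, request):
        attrs = self.pip.resolve(request)
        decision = "NotApplicable"
        for policy in self.prp.applicable(attrs):
            for rule in policy.rules:
                if rule.condition(attrs):
                    if rule.effect == "Deny":
                        return "Deny"             # any Deny wins
                    decision = "Permit"
        return decision

class PEP:  # Policy Enforcement Point: only an explicit Permit grants access
    def __init__(self, pdp): self.pdp = pdp
    def allow(self, request): return self.pdp.decide(request) == "Permit"

# Constructed sample: a PAP has deployed one policy for the "finance-db" resource.
POLICIES = [Policy(
    target=lambda a: a.get("resource") == "finance-db",
    rules=[Rule("Permit", lambda a: a.get("role") == "analyst" and a.get("action") == "read"),
           Rule("Deny", lambda a: a.get("clearance", 0) < 2)])]
DIRECTORY = {"alice": {"role": "analyst", "clearance": 3},   # constructed subjects
             "bob": {"role": "analyst", "clearance": 1}}

def pdp_decision(subject, action, resource):
    pdp = PDP(PIP(DIRECTORY), PRP(POLICIES))
    return pdp.decide({"subject": subject, "action": action, "resource": resource})

def decide(subject, action, resource):
    return PEP(PDP(PIP(DIRECTORY), PRP(POLICIES))).allow(
        {"subject": subject, "action": action, "resource": resource})
```

Note that a request matching no policy at all (for example a read of a resource the PAP never wrote a policy for) yields NotApplicable, and the PEP treats that as a refusal rather than a grant.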