Access Control in eXist

eXist uses the OASIS standard eXtensible Access Control Markup Language (XACML) for XQuery access control. XACML 1.1 and 1.0 are currently supported.

This documentation is divided into four parts. The first part, Capabilities, is intended to be a thorough overview of what in eXist is controlled using XACML. It does not require prior knowledge of XACML and should give the database administrator enough information to decide whether to enable and use eXist's XACML subsystem.

The second part, Introduction to XACML, is a brief introduction to XACML. The targeted level of detail is the level necessary to use eXist's policy editor to manage policies (policies are how access is restricted in XACML). It also provides some background information on the XACML implementation library used by eXist.

The third part, Using XACML in eXist, includes a short description of how to configure the XACML subsystem in eXist. This covers enabling XACML, the location of policies, and the default behavior of the XACML subsystem. It then describes how to create, edit, and remove policies in eXist using the graphical editor.

The last part of the documentation, XACML Developer's Guide, is targeted towards eXist developers and describes how to implement a Policy Enforcement Point (PEP) in eXist, among other topics.

In outline, access control with XACML in eXist works as follows. The database administrator writes policies (either by hand or with the graphical editor) that determine who can access which resources, and when and how those resources can be accessed. When an XQuery is executed (or some other controlled resource is accessed), eXist asks Sun's XACML implementation whether that action is permitted by the policies it has been given. If access is denied, a PermissionDeniedException is thrown; if it is granted, execution continues normally.
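To make the outline above concrete, here is a minimal XACML 1.0 policy of the kind an administrator would write. It is an added illustration, not a policy shipped with eXist or taken from this documentation: it uses only the standard OASIS subject-id attribute and matches on the literal subject name "admin"; the attribute identifiers that eXist actually supplies for XQuery subjects, resources and actions are described in the Capabilities part, and the PolicyId and RuleId values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative XACML 1.0 policy (added example, not eXist's own):
     permit the subject named "admin", deny everyone else. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="urn:example:policy:admin-only"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permit "admin"; explicitly deny all other subjects.</Description>

  <!-- The policy target applies to every subject, resource and action,
       so the PDP evaluates this policy for every request it receives. -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>

  <!-- Rule 1: permit when the standard subject-id attribute equals "admin".
       "admin" is a placeholder value for this example. -->
  <Rule RuleId="permit-admin" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>

  <!-- Rule 2: a rule with no Target inherits the policy target, so this
       catch-all Deny applies to every request rule 1 did not permit. -->
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>
```

The explicit final Deny rule matters: with first-applicable combining, a request from any subject other than "admin" produces a Deny decision rather than NotApplicable, so the outcome does not depend on how the XACML subsystem's default behavior (described in the third part) treats requests that no policy covers.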

September 2009
Mark Harrah
harrah@umd.edu