Encyclopedia of Database Systems

Living Edition
| Editors: Ling Liu, M. Tamer Özsu

Access Control Policy Languages

  • Athena VakaliEmail author
Living reference work entry
DOI: https://doi.org/10.1007/978-1-4899-7993-3_5-2


Access Control Policy Language Access Control Policy Access Control Model Digital Right Management 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



An access control policy language is a particular set of grammar, syntax rules (logical and mathematical), and operators which provides an abstraction-layer for access control policy specifications. Such languages combine individual rules into a single policy set, which is the basis for (user/subject) authorization decisions on accessing content (object) stored in various information resources. The operators of an access control policy language are used on attributes of the subject, resource (object), and their underlying application framework to facilitate identifying the policy that (most appropriately) applies to a given action.

Historical Background

The evolution of access control policy languages is inline with the evolving large-scale highly distributed information systems and the Internet, which turned the tasks of authorizing and controlling of accessing on a global enterprise (or on Internet) framework increasingly challenging and difficult. Obtaining a solid and accurate view of the policy in effect across its many and diverse systems and devices has guided the development of access control policy languages accordingly.

Access control policy languages followed the Digital Rights Management (DRM) standardization efforts, which had focused in introducing DRM technology into commercial and mainstream products. Originally, access control was practiced in the most popular RDBMSs by policy languages that were SQL based. Certainly, the access control policy languages evolution was highly influenced by the wide adoption of XML (late 1990s) mainly in the enterprise world and its suitability for supporting access control acts. XML’s popularity resulted in an increasing need to support more flexible provisional access decisions than the initial simplistic authorization acts which were limited in an accept/deny decision. In this context, proposals of various access control policy languages were very active starting around the year 2000. This trend seemed to stabilize around 2005.

The historical pathway of such languages should highlight the following popular and general-scope access control policy languages:
  • 1998: the Digital Property Rights Language (DPRL, Digital Property Rights Language, http://xml.coverpages.org/dprl.html) mostly addressed to commercial and enterprise communities was specified for describing rights, conditions, and fees to support commerce acts

  • 2000: XML Access Control Language (XACL, XML Access Control Language, http://xml.coverpages.org/xacl.html) was the first XML-based access control language for the provisional authorization model

  • 2001: two languages were publicized:
    • The eXtensible rights Markup Language (XrML, The Digital Rights Language for Trusted Content and Services, http://www.xrml.org/) promoted as the digital rights language for trusted content and services

    • The Open Digital Rights Language (ODRL, Open Digital Rights Language, http://odrl.net/) for developing and promoting an open standard for rights expressions for transparent use of digital content in all sectors and communities

  • 2002: the eXtensible Media Commerce Language (XMCL, eXtensible Media Commerce Language, http://www.w3.org/TR/xmcl/) tocommunicate usage rules in an implementation-independent manner for interchange between business systems and DRM implementations

  • 2003: the eXtensible Access Control Markup Language (XACML, eXtensible Access Control Markup Language, http://www.oasis-open.org/committees/xacml/) was accepted as a new OASIS, Organization for the Advancement of Structured Information Standards, http://www.oasis-open.org/, Open Standard language, designed as an XML specification with emphasis on expressing policies for information access over the Internet.

  • 2005: Latest version XACML 2.0 appeared and policy languages which are mostly suited for Web services appear. These include WS-SecurityPolicy, http://www-128.ibm.com/developerworks/library/specification/ws-secpol/, which defines general security policy assertions to be applied into Web services security frameworks.


Since Internet and networks in general are currently the core media for data and knowledge exchange, a primary issue is to assure authorized access to (protected) resources located in such infrastructures. To support access control policies and mechanisms, the use of an appropriate and suitable language is the core requirement in order to express all of the various components of access control policies, such as subjects, objects, constraints, etc. Initial attempts for expressing access control policies (consisting of authorizations) involved primary “participants” in a policy, namely the subject (client requesting access), the object (protected resource), and the action (right or type of access).

To understand the access control policy languages the context in which they are applied must be explained. Hence, the following notions which appear under varying terminology must be noted:
  • Content/objects: Any physical or digital content which may be of different formats, may be divided into subparts and must be uniquely identified. Objects may also be encrypted to enable secure distribution of content.

  • Permissions/rights/actions: Any task that will enforce permissions for accessing, using and acting over a particular content/object. They may contain constraints (limits), requirements (obligations), and conditions (such as exceptions, negotiations).

  • Subjects/users/parties: Can be humans (end users), organizations, and defined roles which aim in consuming (accessing) content.

Under these three core entities, the policies are formed under a particular language to express offers and agreements. Therefore, the initial format of such languages authorization was (subject, object, and action) defining which subject can conduct what type of action over what object. However, with the advent of databases, networking, and distributed computing, users have witnessed (as presented in the section “Historical Background”) a phenomenal increase in the automation of organizational tasks covering several physical locations, as well as the computerization of information related services [1, 2]. Therefore, new ideas have been added into modern access control models, like time, tasks, origin, etc. This was evident in the evolution of languages which initially supported an original syntax for policies limited in a three-tuple (subject, Subject primitive allows user IDs, groups, and/or role names. object, Object primitive allows granularity as fine as a single element within an XML document, and action, Action primitive consists of four kinds of actions: read, write, create, and delete.) which then was found quite simplistic and limited and it was extended to include non-XML documents, to allow roles and collections as subjects and to support more actions (such as approve, execute, etc.).

Table 1 summarizes the most important characteristics of the popular general scope access control policy languages. It is evident that these languages differentiate on the subjects/users types, on the protected object/content type (which is considered as trusted when it is addressed to trusted audience/users) and on the capabilities of access control acts, which are presented under various terms and formats (rights, permissions, privileges, etc.). Moreover, this table highlights the level at which the access control may be in effect for each language, i.e., the broad categorization into fine- and coarse-grained protection granularity, respectively, refers to either partitions/detailed or full document/object protection capability. Moreover, the extensibility of languages which support Web-based objects and content is noted.
Table 1

Summary of most popular access control policy languages


Subject types

Object types

Protection granularity

Accessing core formats



Registered users

Digital XML data sources, stored on repositories


Digital licenses assigned for a time-limited period


XACL/XML syntax

Group or organization members

Particular XML documents


Set of particular specified privileges


XrML/XML schema

Registered users and/or parties

digital XML data sources


Granted rights under specified conditions


ODRL/open-source schema-valid XML syntax

Any user

Trusted or untrusted content


Digital or physical rights


XMCL/XML namespaces

Registered users

Trusted multimedia content


Specified keyword-based licenses

Particular business models

XACML/XML schema

Any users organized in categories

Domain-specific input


Rule-based permissions


WS-Security policy/XML, SOAP

Any Web users/Web services

Digital data sources


Protection acts at SOAP Web services messages level

Web services security

The need for moreover flexible policy languages is evident by cases such as the OPL which supports a wide range of access control principles in XML directly, by providing dedicated language constructs for each supported principle [3]. OPL is based on a module concept, and it can easily cope with the language complexity that usually comes with a growing expressiveness and it is suitable for enterprise frameworks.

To expand on the above, specific-scope languages have also emerged mainly to support research-oriented applications and tools. The most representative of such languages include:
  • X-Sec [4]: To support the specification of subject credentials and security policies in Author-X and Decentral Author-X [5]. X-Sec adopts the idea of credentials which is similar to roles in that one user can be characterized by more than one credentials.

  • XAS Syntax: Designed to support the ACP (Access Control Processor) tool [6]. It is a simplified XML-based syntax for expressing authorizations.

  • RBXAC: A specification XML-based language supporting the role-based access control model [7].

  • XACL: Which was originally based on a provisional authorization model and it has been designed to support ProvAuth (Provisional Authorizations) tool. Its main function is to specify security policies to be enforced upon accesses to XML documents.

  • Cred-XACL [8]: A recent access control policy language focusing on credentials support on distributed systems and the Internet.

The core characteristics of these specific-scope languages are given in Table 2, which summarizes them with respect to their approach for objects and subjects management, their policies practicing and their subscription and ownership mechanisms. Such a summary is important in order to understand the “nature” of each such language in terms of objects and subjects identification, protection (sources) granularity and (subject) hierarchies, policies expression and accessing modes under prioritization, and conflict resolution constraints. Finally, it should be noted that these highlighted characteristics are important in implementing security service tasks which support several security requirements from both the system and the sources perspective.
Table 2

Specific-scope access control languages characteristics





XAS syntax


Protected resources

XML documents and DTDs

XML documents and DTDs

XML documents

XML documents and DTDs






Protection granularity

Content, attribute


Content, attribute




XML-expressed credentials

Roles, UIDs, groups


User ID, location

Grouping of subjects





Subjects hierarchy



Role trees


Support public subject






Expressed in

Policy base

XACL policy file

Access control files












Access modes

Authoring, browsing

Read, write, create, delete




No-prop, first-level, cascade


According to role tree

Local, recursive


Implicit rules

ntp, ptp, dtd

Hard, soft

Conflict resolution


According to priorities and implicit rules

Implicitly, explicitly

Other issues











Key Applications

Access control policy languages are involved in the transparent and innovative use of digital resources which are accessed in applications related to key nowadays areas such as publishing, distributing and consuming of electronic publications, digital images, audio and movies, learning objects, computer software and other creations in digital form.

Relationship-Based Access Control (ReBAC) has moreover characterized tracking of interpersonal relationships among social networks users, and the expression of access control policies in terms of these relationships has been facilitated by devising a policy language [9], based on modal logic, for composing access control policies that support delegation of trust.

Access control languages have also ben utilized in several other ways such as in the case of securing RDF graphs via an underlying query language which on the basis of a redaction mechanism provides fine grained RDF access control [10]. Such access control languages require critical features support (such as policy resolution, cascading policies etc.).

Future Directions

From the evolution of access control policy languages, it appears that, in the future, emphasis will be given on languages that are mostly suited for Web-accessed repositories, databases, and information sources. This trend is now apparent from the increasing interest on languages that control accessing on Web services and Web data sources. At the same time, it manages the challenges posed by acknowledging and identifying users/subjects on the Web, especially in emerging and evolving domains such as in social networks.

URL to Code


Recommended Reading

  1. 1.
    Stoupa K, Vakali A. Policies for web security services, chapter III. In: Ferrari E, Thuraisingham B, editors. Web and information security. Hershey: Idea-Group Publishing; 2006.Google Scholar
  2. 2.
    Vuong NN, Smith GS, Deng Y. Managing security policies in a distributed environment using eXtensible markup language (XML). In: Proceedings of 16th ACM Symposium on Applied Computing; 2001. p. 405–11.Google Scholar
  3. 3.
    Alm C, Wolf R, Posegga J. The OPL access control policy language. In: Fischer-H¨ubner S, et al., editors. TrustBus 2009, LNCS 5695. Berlin/Heidelberg: Springer; 2009. p. 138–48.Google Scholar
  4. 4.
    Bertino E, Castano S, Ferrari E. On specifying security policies for web documents with an XML-based language. In: Proceedings of 6th ACM Symposium on Access Control Models and Technologies; 2001. p. 57–65.Google Scholar
  5. 5.
    Bertino E, Castano S, Ferrari E. Securing XML documents with author-X. IEEE Internet Computing. May–June 2001. p. 21–31.Google Scholar
  6. 6.
    Damiani E, De Capitani di Vimercati S, Paraboschi S, Samarati P. Design and implementation of an access control processor forXML documents. In: Proceedings of 9th International World Wide Web Conference; 2000. p. 59–75.Google Scholar
  7. 7.
    He H, Wong RK. A role-based access control model for XML repositories. In: Proceedings of 1st International Conference on Web Information Systems Engineering; 2000. p. 138–45.Google Scholar
  8. 8.
    Stoupa K. Access control techniques in distributed systems and the Internet. Ph.D. Thesis, Aristotle University, Department of Informatics; 2007.Google Scholar
  9. 9.
    Fong PWL. Relationship-based access control: protection model and policy language. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY ‘11). New York: ACM; 2011. p. 191–202.Google Scholar
  10. 10.
    Rachapalli J, Khadilkar V, Kantarcioglu M, Thuraisingham B. Redaction based RDF access control language. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT ‘14). New York: ACM; 2014. p. 177–80.Google Scholar
  11. 11.
    Qi N, Kud M. Access control policy languages in XML, applications and trends. Springer Science+Business Media, LLC; 2008. p. 55–71.Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.Aristotle UniversityThessalonikiGreece

Section editors and affiliations

  • Elena Ferrari
    • 1
  1. 1.DiSTAUniv. of InsubriaVareseItaly