Future-Proofing Access Control: XACML Next Generation

For Our Customers, it’s Business as Usual

Perimeter-based security is obsolete. Distributed micro-services, ephemeral cloud infrastructure and third-party API integrations demand access-control decisions that are dynamic and context-aware. Static roles and permissions cannot match the velocity of modern delivery.

Attribute-Based Access Control (ABAC) has therefore become the bedrock of Zero-Trust architectures, and for two decades the eXtensible Access Control Markup Language (XACML) has been the OASIS standard for expressing ABAC policies.

On 12 June 2025 the OASIS XACML Technical Committee, with contributions from our CTO Steven Legg, announced XACML Next Generation (NG) – a sweeping modernisation that aligns the standard with today’s developer workflows and deployment models (OASIS).

Architect’s View of XACML NG

XACML NG targets three objectives: modernise, extend and simplify the language. Key technical changes:

Syntax-agnostic core with native JSON & YAML serialisations
Policies can now live alongside Terraform, Ansible and other IaC artefacts, while XML remains supported.

Flattened policy hierarchy
PolicySet and Policy merge into a single Policy construct that may contain embedded policies, rules and variables, eliminating redundant identifiers and nested combining algorithms.

Common Notice structure
Obligations and advice share one schema, differentiated by a boolean flag, trimming duplication.

Boolean Targets & rule simplification
Targets now accept full Boolean expressions; rule-level targets disappear in favour of conditions.

Global variables & composite functions
Reusable variables and user-defined functions reduce repetition, while ternary and aggregate operators (min, max, sum, avg) make policies more concise.

JSONPath support (optional)
Complements XPath for attribute retrieval in JSON payloads.

Canonical string identifiers
Short names replace lengthy URIs, improving readability and auditability.
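
To make the flattened hierarchy, Boolean targets, condition-only rules and the common Notice structure concrete, here is an added Python model; it is not code from OASIS or ViewDS. The class and field names (target, rules, policies, notices, is_obligation, applies_to), the deny-overrides combining and the sample door policy are assumptions for illustration, not the XACML NG serialisation, and Indeterminate results are out of scope.

```python
from dataclasses import dataclass, field
from typing import Callable

Expr = Callable[[dict], bool]          # Boolean expression over request attributes

@dataclass
class Notice:                          # one shape for obligations and advice
    id: str
    is_obligation: bool                # True: PEP must fulfil it; False: advice
    applies_to: str                    # decision that triggers the notice

@dataclass
class Rule:                            # no rule-level target, only a condition
    effect: str                        # "Permit" or "Deny"
    condition: Expr

@dataclass
class Policy:                          # single construct that can embed itself
    id: str
    target: Expr
    rules: list = field(default_factory=list)
    policies: list = field(default_factory=list)
    notices: list = field(default_factory=list)

def evaluate(policy, request):
    """Deny-overrides over rules and embedded policies -> (decision, notices)."""
    if not policy.target(request):
        return "NotApplicable", []
    results = [(r.effect, []) for r in policy.rules if r.condition(request)]
    results += [evaluate(child, request) for child in policy.policies]
    decisions = [d for d, _ in results]
    decision = ("Deny" if "Deny" in decisions
                else "Permit" if "Permit" in decisions else "NotApplicable")
    # Keep only notices attached to the decision that actually won.
    notices = [n for d, ns in results if d == decision for n in ns]
    notices += [n for n in policy.notices if n.applies_to == decision]
    return decision, notices

# Constructed sample: a door policy with one embedded after-hours policy.
after_hours = Policy(
    id="after-hours",
    # A missing "hour" defaults to 0, so the stricter policy applies.
    target=lambda r: not 7 <= r.get("hour", 0) < 19,
    rules=[Rule("Deny", lambda r: r.get("clearance", 0) < 3)],
    notices=[Notice("alert-soc", True, "Deny")],
)
doors = Policy(
    id="doors",
    target=lambda r: r.get("resource_type") == "door" and r.get("action") == "open",
    rules=[Rule("Permit", lambda r: r.get("site") in r.get("assigned_sites", []))],
    policies=[after_hours],
    notices=[Notice("log-entry", False, "Permit")],
)
```

Calling evaluate(doors, request) returns the decision together with the notices a PEP would receive; the is_obligation flag alone tells it whether a notice is binding or advisory.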

Ahead of the Curve: Access Sentinel

Long before NG was announced, ViewDS Access Sentinel separated policy logic from file syntax. Security teams design, test and deploy sophisticated authorisation policies in a graphical console – no manual XML, JSON or YAML – accelerating onboarding and removing syntax errors. Many NG features are already proven in production:

Schema-agnostic, reusable constructs: Named Expressions
Secure everything from IoT sensors to 5 000 door readers.

Interoperability via the XACML (XML) standard
Import/export in the canonical XML representation lets government and defence organisations exchange policies rapidly across vendors and jurisdictions, something ad-hoc formats such as OPA’s Rego cannot match.

Faster onboarding
The UI-based interface gets new analysts, engineers and auditors productive within hours, not weeks.

Future-proof engine
Composite functions, Notice structures and Boolean targets map directly to existing runtime models, so NG adoption is native, not a bolt-on.

Engineering Impact

Simpler audits
Flattened hierarchies and short identifiers yield smaller, clearer policy sets for internal and external reviewers.

Operational efficiency
Removing on-the-fly syntax translation cuts policy-parse overhead and shrinks cache sizes, improving PDP start-up and request latency.

Tangible Business Outcomes

Audit time slashed
A single, consolidated policy view allows external reviews to finish faster and cost less.

Policy exchanges in minutes
Canonical XACML XML import/export lets agencies and vendors share policies without translation; NG’s forthcoming JSON/YAML serialisations will extend that agility even further.

Day-one productivity
Analysts become effective in less time thanks to the graphical interface. No XML or YAML skills required.

Lower total cost of ownership
One platform for every authorisation decision trims licence sprawl and accelerates change delivery.

No vendor lock-in
Policies are expressed in a vendor-neutral XACML format that runs on any compliant PDP/PEP, safeguarding buying power and eliminating costly rewrites.

The Case for XACML Driven ABAC

Interoperability across coalitions
NATO missions and NIST frameworks already rely on XACML, so your policy set travels intact across agencies, suppliers and allied networks.

Standards alignment without disruption
Organisations already using Access Sentinel gain NG compliance through routine upgrades, safeguarding previous investments.

Summary

XACML NG formalises principles we adopted years ago – flexibility, adaptability and operational simplicity.

If your access-control strategy must evolve beyond legacy constraints, let’s talk.
