The eXtensible Access Control Markup Language (XACML) is an XML dialect for the server-side representation of access control policy and access control decisions. Rules can be expressed in an application-independent manner, which makes the language versatile. XACML policies can reference other policies and can combine policies with competing or overlapping rule sets through well-defined combining algorithms (for example deny-overrides, permit-overrides and first-applicable). If the standard combining algorithms are not sufficient, application developers can define their own.

XACML can be used to implement Attribute Based Access Control (ABAC). Traditional access control methods such as Identity Based Access Control (IBAC) and the newer Role Based Access Control (RBAC) associate access permissions directly with a subject identity, or with the role that the subject is performing. IBAC, in which an access policy must be defined for every identity, does not scale well and is repetitive and redundant. RBAC requires that access policies be defined for all roles in the system, with subject identities then mapped to those roles. This scales better, but its one-dimensional view still has limitations: RBAC generally requires centralized management of the user-to-role and permission-to-role assignments, which is not well suited to a highly distributed environment, or to an environment in which subjects and resources belong to different security domains.

ABAC is a newer method in which policy rules are defined on attributes of subjects (users, applications, processes, etc.), resources (web services, data, etc.) and the environment (time, threat level, security classification, etc.). This allows a much finer-grained access control policy than can be achieved with RBAC alone. Of particular note is the ability to write rules over security classification labels, which allows XACML policies to express the clearance-versus-classification checks required by a secure operating system's Mandatory Access Control (MAC) model.
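The following is an added example, not code from ViewDS or from the XACML specification, and it does not parse XACML XML. It mirrors the decision semantics described above in plain Python: rules with an effect and a condition over subject, resource, action and environment attributes; policies and a policy set; and simplified versions of the standard deny-overrides, permit-overrides and first-applicable combining algorithms. A role-based policy (the kind RBAC would express) is combined with an attribute-based policy that enforces a classification label dominance check and an environment threat-level constraint, so the effect of the chosen combining algorithm is visible. The policy identifiers, attribute names, classification levels and sample requests are all constructed for illustration.

```python
"""Minimal ABAC evaluator modelled on XACML 3.0 concepts.

Added illustration only: not ViewDS code and not an XACML parser. The
combining algorithms are simplified forms of the standard XACML ones
(the real ones distinguish several Indeterminate sub-types).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Request context: attribute values grouped by category (subject, resource,
# action, environment), as a XACML request would carry them.
Request = Dict[str, Dict[str, object]]


@dataclass
class Rule:
    rule_id: str
    effect: str                                  # PERMIT or DENY
    condition: Callable[[Request], bool]

    def evaluate(self, req: Request) -> str:
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, TypeError):
            # A missing or ill-typed attribute yields Indeterminate,
            # never a silent Permit or a silent NotApplicable.
            return INDETERMINATE


def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return DENY if DENY in decisions else NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


@dataclass
class Policy:
    """A Policy holds Rules; a Policy holding Policies acts as a PolicySet."""
    policy_id: str
    combiner: Callable[[List[str]], str]
    children: List[Union["Policy", Rule]]

    def evaluate(self, req: Request) -> str:
        return self.combiner([c.evaluate(req) for c in self.children])


# Ordered classification labels for a MAC-style dominance check (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def clearance_dominates(req: Request) -> bool:
    return LEVELS[req["subject"]["clearance"]] >= LEVELS[req["resource"]["classification"]]


def build_policy_set(root_combiner=deny_overrides) -> Policy:
    # Role-based policy: what an RBAC system would express.
    role_policy = Policy("role-policy", permit_overrides, [
        Rule("analysts-read", PERMIT,
             lambda r: r["subject"]["role"] == "analyst" and r["action"]["id"] == "read"),
    ])
    # Attribute-based policy: label dominance plus an environment constraint.
    abac_policy = Policy("abac-policy", deny_overrides, [
        Rule("label-dominance", DENY, lambda r: not clearance_dominates(r)),
        Rule("elevated-threat", DENY,
             lambda r: r["environment"]["threat_level"] >= 3
             and r["resource"]["classification"] != "UNCLASSIFIED"),
    ])
    # With deny-overrides at the root, a MAC-style Deny always beats the role Permit.
    return Policy("root", root_combiner, [role_policy, abac_policy])


def decide(subject, resource, action, environment, root_combiner=deny_overrides) -> str:
    req = {"subject": subject, "resource": resource,
           "action": action, "environment": environment}
    return build_policy_set(root_combiner).evaluate(req)


if __name__ == "__main__":
    analyst = {"role": "analyst", "clearance": "CONFIDENTIAL"}
    secret_doc = {"classification": "SECRET"}
    print(decide(analyst, secret_doc, {"id": "read"}, {"threat_level": 1}))
    print(decide(analyst, secret_doc, {"id": "read"}, {"threat_level": 1}, permit_overrides))
```

Running the block shows the caveat that matters in practice: with deny-overrides at the root the analyst without sufficient clearance gets `Deny`, but swapping the root combiner to permit-overrides lets the role policy's Permit win and the label check is silently bypassed. The combining algorithm of the enclosing policy set is therefore as security-relevant as the rules themselves, and a request that lacks an attribute the policy needs evaluates to `Indeterminate` rather than to a decision.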
ViewDS Directory supports the X.500 Basic and Simplified Access Control schemes, which offer fine-grained authorization controls that generally apply to identities directly or to groups of identities. ViewDS Directory extends the fine-grained X.500 access control models so that users can be identified through roles, or more generally through any attribute associated with their identities. Through ViewDS Directory's support for XML, XACML policies can be stored, validated and indexed within a ViewDS Directory server. This allows ViewDS Directory to serve as a Policy Administration Point (PAP), where policies are authored and stored, and as a Policy Information Point (PIP), from which subject and resource attributes are retrieved, for XACML Policy Decision Point (PDP) software.