Home
We are pleased to announce that a next generation release of the XACML specification has been developed.
The Attribute-Centric Authorization Language (ACAL) Core Specification is an evolution of the XACML v3.0 specification, targeted at establishing a syntax-agnostic (generalized) model with various concrete representation formats (syntaxes), including XML (forming XACML v4.0) as one of them.

As illustrated above, XACML v3 logic and a set of enhancements feed into the ACAL Core Specification v1. The core model is deliberately representation-neutral, enabling three concrete profiles to be derived from it: the XML Profile (XACML v4), the JSON Profile (JACAL v1), and the YAML Profile (YACAL v1).
The XACML v4.0 Working Draft is the XML representation profile of ACAL Core v1. It continues the well-established XACML policy language for existing deployments while incorporating the refinements made in the ACAL core model — tightened evaluation semantics, a unified obligation mechanism, and first-class short identifier support. Practitioners familiar with XACML 3.0 will find the structure recognizable; the primary changes reflect the separation of the abstract model from its concrete XML syntax.
This proposal addresses a foundational question in the ACAL specification work: how to define the core authorization model in a way that is provably consistent across its XML, JSON, and YAML representation profiles.
The approach taken is to express the ACAL core model as a representation-agnostic UML model, then derive the XML Schema and JSON Schema artifacts from that model through a defined set of mapping rules. This ensures that XACML v4.0 and JACAL v1.0 are not independently authored schemas that happen to cover the same concepts, but rather two projections of a single authoritative model. The mapping rules document the transformation conventions — naming, cardinality, type mapping, and extension points — that govern how UML model elements appear in each target representation.
The JACAL Practical Guide is a policy-author-oriented companion to the ACAL and JACAL specifications. It introduces the authorization model through ten worked examples drawn from real application domains, from simple content-tier gating to AI agent tool authorization with multi-signal risk gates. The guide is organized into foundations, examples, and reference chapters.
Guide Home and Full Table of Contents
Introduction establishes the conceptual framework for the entire guide. It explains what ACAL is and how it relates to XACML 3.0, describes JACAL as the JSON serialization of the abstract ACAL model, and introduces the four standard attribute categories — subject, action, resource, and environment — that structure every authorization request. The chapter also defines the four decision outcomes (Permit, Deny, NotApplicable, Indeterminate), explains the role of the deny-unless-permit combining algorithm as a secure default, and introduces the Short Identifier mechanism that allows URI aliases to be used in place of full URIs throughout a policy.
Architecture and Evaluation Flow describes the runtime system that surrounds a JACAL policy. It covers the three principal components — the Policy Enforcement Point (PEP), the Policy Decision Point (PDP), and the Policy Information Point (PIP) — and the data flow between them. The chapter walks through the authorization request lifecycle step by step, from the moment a subject initiates an action to the moment the PEP enforces the decision, using the Example 1 policy as a concrete vehicle. It also covers combining algorithm selection, deployment architecture patterns, and observability considerations.
Policy Authoring Patterns and Pitfalls covers the design decisions that determine whether a policy behaves correctly in production. The central topics are attribute modeling strategy, the bag-versus-singleton distinction (and why using string-equal on a multi-valued attribute produces a silent Indeterminate), MustBePresent semantics, and function argument order. The chapter catalogs six recurring ABAC design patterns — Identity Match, Organizational Boundary, Role/Classification Membership, Numeric Authorization, Risk Threshold, and Emergency Override with Obligation — with cross-references to the guide examples that demonstrate each one.
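To make the bag-versus-singleton pitfall, MustBePresent, and the deny-unless-permit default concrete, here is an added Python sketch of a miniature PDP; it is not code from the guide or the specification, and the request layout, function names and rule shapes are simplified stand-ins for the JACAL structures rather than the JACAL JSON format.

```python
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class EvalError(Exception):
    """Raised when an expression cannot be evaluated (type error or missing attribute)."""

def designator(request, category, attr_id, must_be_present=False):
    """Return the attribute's bag (list). Absent + MustBePresent -> evaluation error."""
    bag = request.get(category, {}).get(attr_id, [])
    if not bag and must_be_present:
        raise EvalError(f"missing attribute {category}/{attr_id}")
    return bag

def string_equal(a, b):
    """Singleton-only comparison: a bag argument is a type error, as in XACML."""
    if isinstance(a, list) or isinstance(b, list):
        raise EvalError("string-equal received a bag, expected a single value")
    return a == b

def string_is_in(value, bag):
    """Bag-aware membership test, the right choice for multi-valued attributes."""
    return value in bag

def evaluate_rule(condition, request):
    """Rule result: Permit when the condition holds, NotApplicable when it does not,
    Indeterminate when evaluation fails. (All rules here have Effect=Permit.)"""
    try:
        return PERMIT if condition(request) else NOT_APPLICABLE
    except EvalError:
        return INDETERMINATE

def deny_unless_permit(conditions, request):
    """Permit if any rule permits; NotApplicable and Indeterminate both become Deny."""
    results = [evaluate_rule(c, request) for c in conditions]
    return PERMIT if PERMIT in results else DENY

# Constructed sample request (simplified layout): a subject holding two roles.
REQUEST = {"subject": {"role": ["auditor", "analyst"]}, "resource": {"type": ["report"]}}

# Pitfall: string-equal applied directly to the multi-valued role bag.
def cond_equal(req):
    return string_equal(designator(req, "subject", "role"), "auditor")

# Correct form: test bag membership instead.
def cond_is_in(req):
    return string_is_in("auditor", designator(req, "subject", "role"))

# MustBePresent on an attribute the request does not carry.
def cond_clearance(req):
    return string_is_in("secret", designator(req, "subject", "clearance", must_be_present=True))
```

Under deny-unless-permit the Indeterminate from `cond_equal` is never visible in the final decision, which is why a decision trace, not just the Permit/Deny outcome, is needed to catch this class of authoring error.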
Requests and Responses documents the JACAL JSON structures that flow between the PEP and the PDP. It covers the Request document anatomy — RequestEntity arrays, the Category discriminator, RequestAttribute entries, Value arrays, and DataType declarations — and the Response document anatomy, including Decision, Status, StatusCode, and the Notice array used to return obligations. Four fully worked request/response exchanges are shown, including a scenario with a missing attribute producing Indeterminate, and a break-glass Permit with an obligation payload.
Authoring Your First Policy is a step-by-step tutorial for practitioners writing their first JACAL policy. Starting from a plain-English authorization question, it walks through mapping the question to attribute categories and identifiers, determining cardinality and selecting the appropriate comparison function, choosing a combining algorithm, constructing the Apply expression tree, and verifying the result with manual decision traces. The chapter closes with a nine-step checklist that can be applied to any new policy.
- Introduction
- Architecture and Evaluation Flow
- Patterns and Pitfalls
- Requests and Responses
- Authoring Your First Policy