Standards for Authorization: Attribute Based Access Control

Copyright © 2009 Open Geospatial Consortium, Inc.

10.6.1 XACML (see [19], [20], [21], [22])

The eXtensible Access Control Markup Language (XACML), as specified in the OASIS standard, describes a multi-purpose policy language that allows access rights to be declared in XML. It further defines the process of evaluating policies in order to derive an authorization decision. In addition, it describes the structure of XML request/response messages that allow an authorization decision to be requested from a Policy Decision Point (PDP), as is useful in a Service Oriented Architecture.

Different profiles of XACML exist that define specific uses of it. The following is an excerpt of important profiles:

"RBAC Profile" (see [20]) defines how to declare XACML-based access rights according to the Role Based Access Control (RBAC) model. This profile supports RBAC0 (core RBAC) and RBAC1 (hierarchical RBAC). There is no support for RBAC2 (constrained RBAC, i.e. separation-of-duty constraints on role assignment and activation).

"SAML Profile" (see [21]) defines extensions to SAML so that XACML-specific information can be securely exchanged. The following extensions are defined:
o "AttributeQuery" can be used for requesting one or more attributes from an Attribute Authority.
o "AttributeStatement" defines a standard SAML statement that contains one or more attributes. This statement may be used in a SAML Response from an Attribute Authority, or it may be used in a SAML Assertion as a format for storing attributes in an Attribute Repository.
o "XACMLPolicyQuery" can be used for requesting one or more policies from a Policy Administration Point (PAP).
o "XACMLPolicyStatement" defines a SAML statement extension that can be used in a SAML Response from a PAP.
o "XACMLAuthzDecisionQuery" defines a SAML request extension that can be used by a Policy Enforcement Point (PEP) to request an authorization decision from an XACML PDP. This is an alternative to the XACMLAuthorizationDecisionRequest defined in XACML.
o "XACMLAuthzDecisionStatement" defines a SAML statement extension that can be used in a SAML Response from an XACML PDP. This is an alternative to the XACMLAuthorizationDecisionResponse defined in XACML.

"DSIG Profile" (see [22]) defines a recommendation for exchanging authorization decision requests and responses, based on the SAML Profile for XACML, that supports applying digital signatures for the purpose of authentication and establishing message integrity. This is a relevant profile because XACML itself does not support applying digital signatures to the native XACML authorization decision request and response messages; without it, a PEP that consults a remote PDP has to rely on the transport (for example TLS) for origin authentication and integrity of the decision it enforces.

10.6.2 GeoXACML (see [23], [24], [25])
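Before turning to the GeoXACML extension, the following added example illustrates the plain XACML evaluation process described in 10.6.1 above: a policy declared in XML, a request context as a PEP would send it, and the decision a PDP derives. It is not code from this OGC report or from OASIS; it is a deliberately reduced toy PDP written for this page. The namespaces and the `resource-id`, `action-id`, `string-equal` and `deny-overrides` identifiers are the standard XACML 2.0 ones; the policy contents, the `urn:example:role` subject attribute and all function names are assumptions made for the example.

```python
# Toy XACML 2.0 PDP, added here as an illustration (not OGC or OASIS code).
# It evaluates a Policy against a Request context using deny-overrides rule
# combining. Only Target matching via string-equal is implemented; Conditions,
# Obligations and the other combining algorithms are left out on purpose.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"  # hypothetical subject attribute carrying the caller's role
P, C = {"p": POLICY_NS}, {"c": CONTEXT_NS}

# Constructed sample policy: role "operator" may do anything on "sensor-readings",
# but a second rule denies "delete" for everyone. Under deny-overrides an
# operator's delete request matches both rules and the Deny wins.
POLICY_XML = f"""<Policy xmlns="{POLICY_NS}" PolicyId="urn:example:policy:sensor"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="operators-on-sensor-readings" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">operator</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{STRING}"/>
    </SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">sensor-readings</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{STRING}"/>
    </ResourceMatch></Resource></Resources>
  </Target></Rule>
  <Rule RuleId="nobody-deletes" Effect="Deny"><Target>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{STRING}">delete</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{STRING}"/>
    </ActionMatch></Action></Actions>
  </Target></Rule>
</Policy>"""

# Target category -> (item element, *Match element, *AttributeDesignator element)
CATEGORIES = {"Subjects": ("Subject", "SubjectMatch", "SubjectAttributeDesignator"),
              "Resources": ("Resource", "ResourceMatch", "ResourceAttributeDesignator"),
              "Actions": ("Action", "ActionMatch", "ActionAttributeDesignator")}


def make_request(role, resource, action):
    """Constructed XACML 2.0 request context, as a PEP would send it to the PDP.
    Values are XML-escaped so caller-supplied strings cannot alter the structure."""
    role, resource, action = escape(role), escape(resource), escape(action)
    return f"""<Request xmlns="{CONTEXT_NS}">
  <Subject><Attribute AttributeId="{ROLE}" DataType="{STRING}">
    <AttributeValue>{role}</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="{RESOURCE_ID}" DataType="{STRING}">
    <AttributeValue>{resource}</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="{STRING}">
    <AttributeValue>{action}</AttributeValue></Attribute></Action>
  <Environment/>
</Request>"""


def request_attributes(request):
    """Flatten the request into {(category, AttributeId): [values]}."""
    attrs = {}
    for cat in ("Subject", "Resource", "Action", "Environment"):
        for el in request.findall(f"c:{cat}", C):
            for a in el.findall("c:Attribute", C):
                values = [v.text or "" for v in a.findall("c:AttributeValue", C)]
                attrs.setdefault((cat, a.get("AttributeId")), []).extend(values)
    return attrs


def target_matches(target, attrs):
    """XACML Target semantics: a missing or empty Target matches everything; within a
    category the <Subject>/<Resource>/<Action> items are OR-ed and the *Match elements
    inside one item are AND-ed. A MatchId other than string-equal never matches here."""
    if target is None:
        return True
    for group, (item, match, designator) in CATEGORIES.items():
        grp = target.find(f"p:{group}", P)
        if grp is None:
            continue  # this category is unconstrained by the Target

        def item_ok(it):
            for m in it.findall(f"p:{match}", P):
                wanted = m.find("p:AttributeValue", P).text
                attr_id = m.find(f"p:{designator}", P).get("AttributeId")
                if m.get("MatchId") != STRING_EQUAL or wanted not in attrs.get((item, attr_id), []):
                    return False
            return True
        if not any(item_ok(it) for it in grp.findall(f"p:{item}", P)):
            return False
    return True


def evaluate(policy_xml, request_xml):
    """Return the decision a PDP would put in its Response: Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    attrs = request_attributes(ET.fromstring(request_xml))
    if not target_matches(policy.find("p:Target", P), attrs):
        return "NotApplicable"
    if not policy.get("RuleCombiningAlgId", "").endswith(":deny-overrides"):
        raise NotImplementedError("this toy PDP only implements deny-overrides")
    effects = [r.get("Effect") for r in policy.findall("p:Rule", P)
               if target_matches(r.find("p:Target", P), attrs)]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def decide(role, resource, action):
    """Evaluate the sample policy for one constructed request."""
    return evaluate(POLICY_XML, make_request(role, resource, action))
```

Calling `decide("operator", "sensor-readings", "read")` yields Permit, `decide("operator", "sensor-readings", "delete")` yields Deny because the Deny rule also matches and deny-overrides lets it win, and `decide("guest", "sensor-readings", "read")` yields NotApplicable because no rule's Target matches. Two points carry over to real deployments: a PEP must treat NotApplicable and Indeterminate as "do not grant" rather than as Permit, and this Request/Response exchange carries no signature of its own, which is exactly the gap the DSIG profile above addresses.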