Constrained Delegation in XML-Based Access Control and Digital Rights Management Standards
In access control and digital rights management, delegation introduces the ability to decentralize the management of privileges in a system. Constrained delegation presents a new approach to delegation in which the authority to create a permission and the permission itself are clearly differentiated. This allows delegation to be used in scenarios where one may have the authority to create a permission without holding that permission oneself. In this paper the authors examine some of the most popular XML standards for access control and digital rights management, and how constrained delegation can be supported by them. Specifically, they take a look at the Security Assertion Markup Language (SAML), the eXtensible Access Control Markup Language (XACML), and the eXtensible rights Markup Language (XrML).
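As an added illustration that is not part of the paper, the following toy evaluator keeps the authority to issue a permission separate from holding it. The XML vocabulary (`<authority>`, `<grant>`), the principals and the `read:payroll` permission are constructed for this example and are not SAML, XACML or XrML elements.

```python
import xml.etree.ElementTree as ET

# Constructed policy in a hypothetical XML format (not SAML/XACML/XrML).
# <authority> says who may *issue* grants for a permission; <grant> is an
# issued permission. Only "root" is trusted without an issuer.
POLICY = """
<policy>
  <authority holder="admin" permission="read:payroll" issuer="root"/>
  <grant subject="alice" permission="read:payroll" issuer="admin"/>
  <grant subject="bob" permission="read:payroll" issuer="alice"/>
</policy>
"""


def load(xml_text):
    """Parse the policy into (authorities, grants) lookup tables."""
    root = ET.fromstring(xml_text)
    authorities = {(a.get("holder"), a.get("permission")): a.get("issuer")
                   for a in root.iter("authority")}
    grants = {(g.get("subject"), g.get("permission")): g.get("issuer")
              for g in root.iter("grant")}
    return authorities, grants


def has_authority(principal, permission, authorities, seen=frozenset()):
    """True if principal may issue grants for permission, chained back to root."""
    if principal == "root":
        return True
    issuer = authorities.get((principal, permission))
    if issuer is None or principal in seen:   # no authority, or a cycle
        return False
    return has_authority(issuer, permission, authorities, seen | {principal})


def has_permission(subject, permission, policy):
    """A grant counts only if its issuer held the authority to create it."""
    authorities, grants = policy
    issuer = grants.get((subject, permission))
    if issuer is None:
        return False
    return has_authority(issuer, permission, authorities)
```

With this policy, `admin` can create `read:payroll` grants but does not hold the permission, `alice` holds it via a valid grant, and `bob`'s grant is rejected because `alice` has the permission but no authority to delegate it.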