This wiki has been archived and is now read-only.


From Policy Languages Interest Group
Jump to: navigation, search

Review of Policy Languages and Frameworks

The following is a non-exhaustive list of Policy languages and frameworks.

Platform for Privacy Preferences Project (P3P)

Summary P3P enables Websites to express their privacy practices in a standard format that can be retrieved automatically and interpreted by user agents
Type/Scope Privacy
Responsible W3C P3P Specification Working Group
Specification P3P 1.0 Recommendation
Representation XML Schema

Open Digital Rights Language (ODRL)

Summary ODRL is intended to provide flexible and interoperable mechanisms to support transparent and innovative use of digital content in publishing, distributing and consuming of digital media across all sectors and communities
Type/Scope Rights
Responsible ODRL Initiative
Specification Version 1.1 (PDF) (HTML)
Representation XML Schema
Comments A proposal to represent ODRL in Microformats has been made and is under development

Creative Commons (CC)

Summary Creative Commons is a rights description language for content on the net. It has a human readable contract, a short form and a RDF encoding

for the expressed metadata

Type/Scope Rights
Responsible Creative Commons
Specification Version 3.0 Overview of the different parts
Representation RDF

eXtensible Access Control Markup Language (XACML)

Summary XACML aim is to express well-established ideas in the field of access-control policy using an extension language of XML
Type/Scope Access Control
Responsible OASIS XACML Technical Committee
Specification Version 2.0 (zip)
Representation XML Schema

Geospatial eXtensible Access Control Markup Language (GeoXACML)

Summary GeoXACML extends XACML 2.0 by defining the data type "Geometry" and geo-specific functions to declare and enforce access restrictions based on geometric and topological characteristics of the protected resources. GeoXACML supports GML2 and GML3 encoding of geometries.
Type/Scope Access Control
Responsible Open Geospatial Consortium, Inc (OGC)
Implemenation Specification Version 1.0
Representation XML Schema (same as XACML 2.0)

A P3P Preference Exchange Language (APPEL)

Summary a language for describing collections of preferences regarding P3P policies between P3P agents.
Type/Scope Privacy Preferences
Responsible W3C P3P Specification Working Group
Specification A P3P Preference Exchange Language 1.0 (APPEL1.0)
Representation XML Schema

MPEG-21 Part 5: Rights Expression Language

Summary ISO/IEC 21000-5:2004 defines an authorization model to specify whether the semantics of a set of Rights Expressions permit a given Principal to perform a given Right upon a given optional Resource during a given time interval based on a given authorization context
Type/Scope Rights
Responsible MPEG-21 Working Group
Specification (Link to Purchase)
Representation XML Schema

MPEG-21 Part 6: Rights Data Dictionary

Summary ISO/IEC 21000-6:2004 describes a Rights Data Dictionary which comprises a set of clear, consistent, structured, integrated and uniquely identified terms to support the MPEG-21 Rights Expression Language (REL)
Type/Scope Rights
Responsible MPEG-21 Working Group
Specification (Link to Purchase)
Representation XML Schema

Web Services Policy Framework

Summary The Web Services Policy Framework provides a general purpose model and corresponding syntax to describe the policies of entities in a Web services-based system
Type/Scope Web Services
Responsible W3C Web Services Policy Working Group
Specification WS Policy 1.5 W3C Recommendation
Representation XML Schema
  • No mechanism to attach policy to endpoints. But see member submission WS-PAEPR
  • Problems with policy intersection: if intersection yields more than one alternative, which one was selected? why did intersection fail?
  • No way to find out what policy a message follows.
  • Need metadata to reason about assertions (what assertions can be combined) and policies (what policies are compatible).

Common Policy

Summary Common Policy defines a framework for authorization policies controlling access to application-specific data
Type/Scope Access Control
Responsible IETF Geopriv Working Group
Specification RFC4745
Representation XML Schema

SCA Policy Framework

Summary The Service Component Architecture (SCA) Policy Framework allows policies and policy subjects specified using WS-Policy, as well as with other policy languages, to be associated with SCA components
Type/Scope Web Services
Responsible Open Service Oriented Architecture
Specification SCA Policy Framework V1.00
Representation XML Schema


Summary The Security Assertion Markup Language (SAML) is an XML-based framework for communicating user authentication, entitlement, and attribute information
Type/Scope Access Control
Responsible OASIS Security Services Technical Committee
Specification Version 2.0 (zip)
Representation XML Schema


Summary Permis is a language for specifying role based authorisation control policies for distributed systems.
Type/Scope Role based authorisation control policies
Responsible David Chadwick, Department of Computing, University of Kent, UK
Specification PERMIS template
Representation XML Schema


Summary Ponder is a language for specifying management and security policies for distributed systems.
Type/Scope management and security policies (incl. access control)
Responsible Policy Group, Department of Computing, Imperial College London, UK
Specification Version 2.3 (pdf)
Representation EBNF, compiles into XML


Summary Ponder2 is a significant re-design and re-implementation of the Ponder framework for policy-based management. This revised version re-focusses the target application domain of the framework to self-management. The specification language used by the framework draws on SmallTalk syntax and is called PonderTalk.
Type/Scope management and security policies (incl. access control) for self-managing systems
Responsible Policy Group, Department of Computing, Imperial College London, UK
Specification PonderTalk
Representation EBNF, compiles into XML


Summary Autonomic Computing Policy Language (ACPL) is an XML-based language that provides the basis for writing and storing policies for Policy Management for Autonomic Computing (PMAC). ACPL uses the Autonomic Computing Expression Language (ACEL), which facilitates writing policy rules.
Type/Scope policies for Policy Management for Autonomic Computing
Responsible IBM
Specification Version 1 (pdf)
Representation XML Schema


Summary Accountability in RDF (AIR) is a policy language, represented in Turtle + N3-like quoting, which employs dependency tracking to provide automated explanation generation for policy decisions. It is integrated with the Tabulator extension and has a customized interface for exploring explanations.
Type/Scope privacy and accountability policies
Responsible Decentralized Information Group
Specification Version 1 (html)
Representation Turtle


Summary Web Information Quality Assessment Policy Language (WIQA-PL) allows the description of policies about the quality of information available on the web to be accessed by capturing measures of the quality of the information.
Type/Scope information quality policies
Responsible Freie Universität Berlin
Specification Version 1
Representation RDF

Web Services Policy Language - WS-XACML

Summary WSPL/WS-XACML is a popular contender for specifying policies about web services. The syntax is a strict subset of XACML.
Type/Scope WSPL/WS-XACML is suitable for specifying a wide range of policies, including authorization, quality-of-service, quality-ofprotection, reliable messaging, privacy, and application-specific service options.
Responsible OASIS Extensible Access Control Markup Language TC
Specification V1 Dec 2006
Representation XML Schema


Summary UDDI v3.0.2 discusses policies for a registry.

There is also an XML Schema, which can be used to store the policies. The actual policy description is just text.

Section K.2.2 has an example policy.

A template to help define your own registry policy is also available.

Type/Scope registry policies
Responsible OASIS UDDI Spec TC (no longer active)
Specification UDDI v3.0.2 (html)
Representation XML Schema

(alternate location)

Access Control for Cross-site Requests

Summary This document defines a mechanism to express policies that enable client-side cross-site requests.
Type/Scope cross-site access control policies
Responsible Web Application Formats (WAF) Working Group
Specification W3C Editor's Draft
Representation HTTP headers, XML Processing Instructions


Summary Rei is a policy language based in OWL-Lite that allows policies to be specified as constraints over allowable and obligated actions on resources in the environment.
Type/Scope Rei includes meta policy specifications for conflict resolution, speech acts for remote policy management and policy analysis specifications like what-if analysis and use-case management making it a suitable candidate for adaptable security in the environments under consideration. The Rei engine, developed in XSB, reasons over Rei policies and domain knowledge in RDF and OWL to provide answers about the current permissions and obligations of an entity, which are used to guide the entity's behavior.
Responsible UMBC ebiquity research group
Specification V2.0 Ontology Specification
Representation OWL-Lite

PRIME Languages

Summary The EU PRIME Project has developed a privacy-aware access control policy language and a data handling policy language, comprehensive of privacy obligation policies. This R&D work is in progress. Documentation is available online, about the overall PRIME approach and philosophy. The aim has primarily been to deal with privacy management both at the user and enterprise/organisational sides. PRIME R&D work factors in "privacy elements" into policies, including users's preferences and organisational privacy constraints and automates policy decision and enforcement steps. PRIME recognises that different types of policies and languages are required in the privacy management space, given its complexity and variety of needs and requirements.
Type/Scope Privacy-aware access control and data handling policies, comprehensive of privacy obligation policies.
Responsible Privacy and Identity Management for Europe (PRIME) project
Specification Project Specification
Representation XML-Schema
Documents Overview of PRIME privacy-aware access control policies: http://www.w3.org/Policy/pling/wiki/images/e/e0/PRIME-privacyaware_accesscontrol_policies.pdf


Summary Protune (PROvisional TrUst NEgotiation) is a policy framework meant to support the creation of policies and advanced policy enforcement points, supporting not only traditional access control but also trust negotiation (to automate security checks and privacy-aware information release) and second generation explanation facilities (to improve user awareness about -and control on- policies).
Type/Scope Privacy-aware access control and trust management.
Responsible Daniel Olmedilla, L3S Research Center, Germany and Piero Bonatti, Naples University, Italy
Specification Project Documentation
Representation EBNF


Summary PLUS License Data Format ("LDF"): The LDF is an ordered group of fields available for optional use in embedding and reading image license metadata in digital files and other documents. The LDF only contains information essential to the understanding of an image license
Type/Scope Rights information for images.
Responsible The PLUS Coalition
Specification License Data Format
Representation XML/RDF with Adobe XMP

3GPP2 IMS (PDF, RCAF, etc.)
OGF WS-Agreement may be out of scope
Oracle AAPML and it's potential successor as part of Liberty Alliance's IGF work
Oracle CARML and it's potential successor as part of Liberty Alliance's IGF work
A Presence-based GEOPRIV Location Object Format (RFC 4119) and potentially other items from the GeoPriv working group
SecPAL [1]