Margrave version 2 is now available. Version 2 is updated for XACML 2.0 and offers support for the <Condition> element. Read about the updates.

Margrave version 3, which supports rules with rich predicate-based conditions, is now available here.

Margrave is a PLT Scheme API for use in analyzing access-control policies written in a subset of XACML.

Margrave provides functions to answer queries about one policy or about the relationship of two policies. This provides a means to perform:

An access-control policy states which entities may perform which actions on which resources. XACML is a language for specifying such policies in an XML syntax. A policy in XACML is made of <Rule>, <Policy>, and <PolicySet> elements, all of which Margrave supports. (For information about which parts of XACML Margrave does and does not support, click here.)

The Margrave API provides a function to parse a policy written in XACML. Margrave can then be used to ask queries about the parsed policy. Margrave can also load more than one policy, and queries can then be asked about the relationship between two policies; this is how change-impact analysis is performed. Rather than providing a query language, Margrave provides a set of Scheme functions that can be composed to construct queries. This allows the full power of Scheme to be used by mixing ordinary Scheme functions with Margrave functions.
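To make concrete what a query about one policy and a change-impact query between two policies look like, here is an added illustration in Python. It is not Margrave's code and does not use the Margrave API (which is a PLT Scheme API, whose function names are not given on this page); it models a small subset of XACML, a rule with a target over subject, action and resource attributes plus an Effect, combined by one of the standard rule-combining algorithms, and answers queries by enumerating every request over constructed finite attribute domains. The policies, attribute values and the brute-force enumeration are assumptions of this example, not a description of how Margrave represents policies.

```python
from itertools import product

# Constructed finite attribute domains. Every request is a
# (subject, action, resource) triple drawn from these sets.
SUBJECTS = ("student", "faculty")
ACTIONS = ("read", "assign")
RESOURCES = ("grades", "exam")


def rule(effect, subjects=None, actions=None, resources=None):
    """One XACML-style <Rule>: a target (None means 'any value') and an Effect."""
    return {"effect": effect, "subjects": subjects,
            "actions": actions, "resources": resources}


def matches(r, request):
    """True if the rule's target covers every attribute of the request."""
    subject, action, resource = request
    return all(allowed is None or value in allowed
               for allowed, value in ((r["subjects"], subject),
                                      (r["actions"], action),
                                      (r["resources"], resource)))


def evaluate(policy, request):
    """Decision for one request under policy = (combining algorithm, rules).
    Models the permit-overrides, deny-overrides and first-applicable
    rule-combining algorithms of XACML."""
    algorithm, rules = policy
    effects = [r["effect"] for r in rules if matches(r, request)]
    if not effects:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return effects[0]
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    raise ValueError("unknown combining algorithm: " + algorithm)


def all_requests():
    return list(product(SUBJECTS, ACTIONS, RESOURCES))


def permitted(policy):
    """Query about one policy: the set of requests it permits."""
    return {req for req in all_requests() if evaluate(policy, req) == "Permit"}


def counterexamples(policy, forbidden):
    """Requests the policy permits even though the property `forbidden`
    says they must never be permitted (empty set == property holds)."""
    return {req for req in permitted(policy) if forbidden(req)}


def change_impact(old, new):
    """Query about two policies: every request whose decision differs,
    mapped to (old decision, new decision)."""
    impact = {}
    for req in all_requests():
        before, after = evaluate(old, req), evaluate(new, req)
        if before != after:
            impact[req] = (before, after)
    return impact


# Constructed sample policies (hypothetical; not from any Margrave paper).
OLD = ("permit-overrides", [
    rule("Permit", subjects={"faculty"}, actions={"read", "assign"},
         resources={"grades"}),
    rule("Permit", subjects={"student"}, actions={"read"}, resources={"grades"}),
])

# Intended change: explicitly deny students the right to assign anything.
# Accidental change: the faculty rule lost its resource restriction, so
# change-impact analysis also reports faculty gaining access to "exam".
NEW = ("permit-overrides", [
    rule("Permit", subjects={"faculty"}, actions={"read", "assign"}),
    rule("Permit", subjects={"student"}, actions={"read"}, resources={"grades"}),
    rule("Deny", subjects={"student"}, actions={"assign"}),
])

if __name__ == "__main__":
    for req, (before, after) in sorted(change_impact(OLD, NEW).items()):
        print(req, before, "->", after)
    # Property query: no student may ever be permitted to assign.
    print(counterexamples(NEW, lambda r: r[0] == "student" and r[1] == "assign"))
```

The two kinds of query the text describes correspond to `permitted`/`counterexamples` (about one policy) and `change_impact` (about the relationship of two policies). Running the block reports four changed decisions: the two intended ones for students assigning, which go from NotApplicable to Deny, and two unintended ones for faculty on the "exam" resource, which go from NotApplicable to Permit. That second pair is exactly what change-impact analysis is meant to surface: a difference the policy author did not plan.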

Readers of Verification and Change-Impact Analysis of Access-Control Policies should look at the old website for the examples discussed in the paper. That paper only discusses the functionality of Margrave version 1.

Please note that Margrave does not check the syntactic correctness of an XACML file. Please validate the file with one of the tools listed here before using Margrave. The behavior of Margrave on XACML files with syntax errors is unknown.