Margrave provides functions to answer queries about one policy or about the relationship of two policies. This provides a means to perform:
- verification of properties about a policy (e.g., "Does the policy permit all admins access to the log?"),
- elucidation of a policy (e.g., "Who is permitted access to the log?"),
- change impact analysis between two policies (e.g., "What changed between Policy1 and Policy2?"), and
- verification and elucidation of a comparison of two policies (e.g., "Do all the changes between Policy1 and Policy2 involve the log? If not, what else changed?").
An access control policy states which entities have access to perform which actions on which resources. XACML provides a language to specify an access control policy using an XML syntax. A policy in XACML is made of <PolicySet>s, all of which Margrave supports. (For information about which parts of XACML Margrave does and does not support, click here.)
The Margrave API provides a function to parse a policy written in XACML. Margrave can then be used to ask queries about the given policy. Margrave can also load in more than one policy and queries can be asked about the relationships between two policies. This can be used to perform change impact analysis. Rather than providing a query language, Margrave provides a set of Scheme functions that can be composed to construct queries. This allows the full power of Scheme to be used by mixing Scheme functions with Margrave functions.
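The four kinds of query listed above can be illustrated on a deliberately small model of a policy. The following is an added example, not Margrave's code or API: it replaces XACML and the Scheme functions with a constructed toy in which a request is a (subject, action, resource) triple, a policy is a plain function from request to "permit" or "deny", and the request space is small enough to enumerate. The subjects, actions, resources and the two policies are all made up for the example; the point is how verification, elucidation and change impact are each just a different query over the same decision functions, and how they compose.

```python
from itertools import product
from typing import Callable, Iterable, List, Tuple

# Constructed toy model (not Margrave's representation): a request is
# (subject, action, resource); a decision is "permit" or "deny".
Request = Tuple[str, str, str]
Policy = Callable[[Request], str]

# Constructed, finite request space so every query can enumerate it.
SUBJECTS = ("admin", "auditor", "guest")
ACTIONS = ("read", "write")
RESOURCES = ("log", "config")


def requests() -> Iterable[Request]:
    """Every request the toy model can express."""
    return product(SUBJECTS, ACTIONS, RESOURCES)


def policy1(req: Request) -> str:
    """Constructed 'Policy1': admins do anything; auditors may read the log."""
    subj, act, res = req
    if subj == "admin":
        return "permit"
    if subj == "auditor" and act == "read" and res == "log":
        return "permit"
    return "deny"


def policy2(req: Request) -> str:
    """Constructed 'Policy2': a revision of policy1 that widens auditor and guest access."""
    subj, act, res = req
    if subj == "admin":
        return "permit"
    if subj == "auditor" and act == "read":          # now also covers "config"
        return "permit"
    if subj == "guest" and act == "read" and res == "log":  # new grant
        return "permit"
    return "deny"


def elucidate(policy: Policy, decision: str = "permit",
              where: Callable[[Request], bool] = lambda r: True) -> List[Request]:
    """Elucidation: which requests (optionally restricted by `where`) get `decision`?
    Answers questions like "Who is permitted to read the log?"."""
    return sorted(r for r in requests() if where(r) and policy(r) == decision)


def verify(policy: Policy, prop: Callable[[Request], bool],
           decision: str = "permit") -> List[Request]:
    """Verification: every request satisfying `prop` must get `decision`.
    Returns the counterexamples; an empty list means the property holds."""
    return sorted(r for r in requests() if prop(r) and policy(r) != decision)


def change_impact(p1: Policy, p2: Policy) -> List[Tuple[Request, str, str]]:
    """Change impact: requests on which the two policies disagree, with both decisions."""
    return sorted((r, p1(r), p2(r)) for r in requests() if p1(r) != p2(r))


def changes_outside(p1: Policy, p2: Policy,
                    scope: Callable[[Request], bool]) -> List[Tuple[Request, str, str]]:
    """Verification over a comparison: changes that fall outside `scope`
    (e.g. "Do all changes involve the log? If not, what else changed?")."""
    return [c for c in change_impact(p1, p2) if not scope(c[0])]


if __name__ == "__main__":
    admins_on_log = lambda r: r[0] == "admin" and r[2] == "log"
    print("admins denied on log:", verify(policy1, admins_on_log))
    print("who may read the log:",
          elucidate(policy1, where=lambda r: r[1] == "read" and r[2] == "log"))
    print("changes 1 -> 2:", change_impact(policy1, policy2))
    print("changes not involving the log:",
          changes_outside(policy1, policy2, lambda r: r[2] == "log"))
```

Because each query is an ordinary function over the policy, they compose the way the text describes for Scheme: `changes_outside` is just `change_impact` filtered by a predicate, and a property check is the complement of an elucidation. In Margrave proper the request space is symbolic rather than enumerated, but the shape of the questions is the same.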
Please note that Margrave does not verify the syntactic correctness of an XACML file. Please use one of the tools listed here for that before using Margrave. The behavior of Margrave on XACML files with syntax errors is unknown.