XACML References, Version 1.18

Editor:  Anne Anderson, Sun Microsystems <Anne.Anderson@Sun.COM>
Version: 1.18
Updated: 05/06/06 (yy/mm/dd)

These lists include publications, standards, and products that contain substantial information about XACML or make use of XACML in a substantial way. These are listed here solely for the information of parties interested in XACML. By including these links, neither the XACML TC, nor OASIS itself, is endorsing, recommending, or guaranteeing the accuracy of the referenced statements, publications, standards, or products. in any way. Neither the XACML TC nor OASIS itself guarantees the completeness or accuracy of the information in this list of references. This list may be modified at any time as further information about these or other publications and products becomes known. Additional submissions for listings and corrections are invited by the editor.

Bibliography
Standards
Products and Deployments

Bibliography

This bibliography includes papers, articles, presentations, specifications, and other publications that contain substantial information about XACML or make use of XACML in a substantial way.

2005
2004
2003
2002

2005

Extensible Access Control Markup Language (XACML), by Robin Cover, Cover Pages page on XACML. Updated regularly. Available at http://xml.coverpages.org/xacml.html.
Predicates for Boolean web service policy languages, by Anne Anderson, WWW 2005 Workshop on Policy Management for the Web, 10 May 2005. Available at: http://www.csee.umbc.edu/pm4w/papers/anderson12.pdf, slides at http://www.csee.umbc.edu/pm4w/presentations/anderson.pdf.
Verification and change-impact analysis of access-control policies, Kathi Fisler, Shriram Krishnamurthi, Leo A. Meyerovich, Michael Carl Tschantz; May 2005; Proceedings of the 27th international conference on Software engineering. Available at http://www.cs.brown.edu/~sk/Publications/Papers/Published/fkmt-verif-change-impact-xacml/.
A comparison of compression techniques for XML-based security policies in mobile computing environments, by Xuebing Qing, Carlisle Adams, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/xuebing_qing_18500102.ppt
Using SPML to provision dynamic XACML rules to manage privacy and access control in Web security infrastructure, by Michel Hétu, Anton Stiglic, Claude Vigeant, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/vigeant_18500162.pdf
Policy verification and change impact analysis, by Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, Michael Carl Tschantz (Brown Univ), Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/fisler_18500059.ppt.
Administrative policies in XACML, by Erik Rissanen, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/rissanen_18500187.ppt
The Globus authorization processing framework The Globus authorization processing framework, by Frank Siebenlist, Takuya Mori, Rachana Ananthakrishnan, Liang Fang, Tim Freeman, Kate Keahey, Sam Meder, Olle Mulmo, Thomas Sandholm, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/mori_18500001.pdf
Approaches to generalization of XACML, by Tim Moses, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/moses_18500213.ppt
Attribute based access control (ABAC): a new access control approach for service oriented architectures, by Eric Yuan, Jin Tong, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/yuan_18500229.ppt
Key differences between XACML and EPAL, by Anne Anderson, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/Anderson_KeyDiffsXACMLandEPAL.pdf
Model-driven design and administration of access control in enterprise applications, by Aleksey Studnev, Kathleen Johnson, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/studnev_18500106.ppt.
Putting Trust into the Network: Securing Your Network through Trusted Access Control, by Ned Smith (Intel, TCG), Ottawa New Challenges for Access Control Workshop, 27 April, 2005. Available at: http://lotos.site.uottawa.ca/ncac05/smith_18500034.ppt.
A Network Access Control Approach Based on the AAA Architecture and Authorization Attributes, by Lopez, G.; Gomez, A.F.; Marin, R.; Canovas, O.; Parallel and Distributed Processing Symposium, 2005. Proceedings. 19th IEEE International 04-08 April 2005 Page(s):287a - 287a. Slides available at http://www.cs.uccs.edu/~SNS/talks/SSN05_Spain.ppt.
Using XACML and SAML for Authorisation messaging and assertions: XACML and SAML standards overview and usage examples, by Yuri Demchenko, 28 March, 2005. Available at http://www.uazone.org/demch/analytic/draft-authz-xacml-saml-02.pdf
Globus Toolkit: Authorization Processing, by Frank Siebenlist, Takuya Mori; session: "XACML and Globus: Authorization Policy Framework Integration in the Globus Toolkit", GlobusWORLD 2005, Feb 7-11 2005, Boston, MA. Available at: http://www.mcs.anl.gov/~franks/GW05/GW05-XACMLandGlobus-Demo.ppt.pdf
Access Control for the Grid: XACML, by Anne Anderson; session: "XACML and Globus: Authorization Policy Framework Integration in the Globus Toolkit", GlobusWORLD 2005, Feb 7-11, Boston, MA. Available at: http://www.globusworld.org/2005Slides/Session%201b(2).pdf
Differences between XACML versions 1.0 and 2.0, by Eleanor Joslin (Parthenon Computing Ltd), 7 January 2005. Available at: http://blog.parthenoncomputing.com/xacml/archives/2005/01/the_differences.html.
How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML), by A. Matheus, System Science, 2005, HICSS '05. Proceedings of the 38th Annual Hawaii International Conference on 03-06 Jan. 2005 Page(s):168a - 168a. Available at: http://csdl.computer.org/comp/proceedings/hicss/2005/2268/07/22680168aabs.htm.

2004

Meeting central: making distributed meetings more effective, by Nicole Yankelovich, William Walker, Patricia Roberts, Mike Wessler, Jonathan Kaplan, Joe Provino; 6-10 November 2004, Proceedings of the 2004 ACM conference on Computer supported cooperative work 2004, Chicago, Illinois, USA
Service applications: An OGSA-based accounting system for allocation enforcement across HPC centers, Thomas Sandholm, Peter Gardfjäll, Erik Elmroth, Lennart Johnsson, Olle Mulmo; November 2004; Proceedings of the 2nd international conference on Service oriented computing
XML Security: Control information access with XACML: The objectives, architecture, and basic concepts of eXtensible Access Control Markup Language, by Manish Verma, 18 Oct 2004. Available at http://www-128.ibm.com/developerworks/xml/library/x-xacml/
Privacy protecting data collection in media spaces, by Jehan Wickramasuriya, Mahesh Datt, Sharad Mehrotra, Nalini Venkatasubramanian, 10-16 October, 2004; Proceedings of the 12th annual ACM international conference on Multimedia, 2004, New York, NY, USA
Trust, Access Control, and Rights for Web Services, Part 2, by Sams Publishing, 12 Oct 2004. Available at http://www.devshed.com/c/a/Security/Trust-Access-Control-and-Rights-for-Web-Services-Part-2/4/.
Security & analysis I: Synthesising verified access control systems in XACML, by Nan Zhang, Mark Ryan, Dimitar P. Guelev; October 2004; Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Experiences with NMI at Michigan: NSF Middleware Initiative, by Shawn McKee, 1 October 2004, NMI/SURA Testbed Workshop. Available at http://www.nsf-middleware.org/testbed/meetings/I2workshop04/UMich_NMI_Results_at_I2-Y3.ppt.
Collaboration and security in CNL's virtual laboratory, by Andrew Tokmakoff, Yuri Demchenko and Martin Snijders. WACE 2004, 23 September 2004. Available at http://www-unix.mcs.anl.gov/fl/flevents/wace/wace2004/talks/tokmakoff.pdf.
Evaluation of XML Technologies as Applied to Access Control, by David Staggs (SAIC) for Dept. of Veterans Affairs, Veterans Health Administration, Office of Information, 13 Sept 2004. Available at http://www.va.gov/rbac/docs/Veterans_Administration_Lab_Eval_of_XML_Technologies.pdf.
Administrative Delegation in XACML, by Erik Rissanen, Babak Sadighi Firozabadi. Swedish Institute of Computer Science. 2 Sept 2004. Submitted to W3C Workshop on Constraints and Capabilities for Web Services. Available at http://www.w3.org/2004/08/ws-cc/erbsf-20040902.
Constraints and Capabilities for Web Services, Anne Anderson, ed., Sun Microsystems, Inc. 27 Aug 2004. Submitted to W3C Workshop on Constraints and Capabilities for Web Services. Available at http://www.w3.org/2004/08/ws-cc/aaccws-20040827.
Access Control Methods for UDDI in Web Services using XACML, presented by Dr. Dong-Il Shin, Sejong University, Republic of Korea, 6th ASTAP Forum. ASTAP04/FR08/EG.IS/04. See http://www.aptsec.org/meetings/2004/astap8/paper/ASTAP04-FR08-PL-38_RapporteurReport-IS.doc.
A Comparison of EPAL and XACML, by Anne Anderson, Sun Microsystems, Inc. 12 July 2004. Available at http://research.sun.com/projects/xacml/CompareEPALandXACML.html.
WALDEN: A Scalable Solution for Grid Account Management, by Beth Kirschner, et al., 5th IEEE/ACM International Workshop on Grid Computing (Grid 2004), 5 July 2004. Available at http://www-personal.engin.umich.edu/~hacker/papers/gridmapfile.pdf.
eXtensible Access Control Markup Language: XACML im Vergleich mit P3P und EPAL, by Stefan Berthold, Technische Universitaet Dresden, Fakultaet Informatik, 28 June 2004. Available at http://dud.inf.tu-dresden.de/~kriegel/ss04/hauptseminar/Berthold2004_HS_XACML.pdf.
Comparing WSPL and WS-Policy, by Anne Anderson, Sun Microsystems, Inc. 8 June 2004. IEEE Policy 2004 Workshop. Paper available at http://research.sun.com/projects/xacml/Policy2004.pdf. Slides available at http://www.policy-workshop.org/2004/slides/Anderson-WSPL_vs_WS-Policy_v2.pdf.
An Introduction to the Web Services Policy Language, by Anne Anderson, Sun Microsystems, Inc., 8 June 2004. IEEE Policy 2004 Workshop. Available at http://research.sun.com/projects/xacml/Policy2004.pdf.
Using uml to visualize role-based access control constraints, by Indrakshi Ray, Na Li, Robert France, Dae-Kyoo Kim; 2-4 June 2004; Symposium on Access Control Models and Technologies; Proceedings of the ninth ACM symposium on Access control models and technologies, Yorktown Heights, New York, USA
Interactive Protocol Visualization (and a WSPL Case Study), by Sean Cannella, 7 May 2004; Brown University. Available at http://www.cs.brown.edu/people/scannell/wsplv/ipvis.pdf.
LionShare Security Model, by Derek Morr; May 2004 Internet2 Member Meeting, 19-21 April, Arlington, VA. Available at http://lionshare.its.psu.edu/main/info/docspresentation/ls_sec_i2.pdf.
LionShare Peer-to-Peer Security Model, Security Whitepaper, by Derek Morr, et al.. Shibboleth, **DRAFT**; 15 April 2004. Available at lionshare.its.psu.edu/twiki/pub/Developers/LionShareP2PSecurityWhitepaper/SecurityWPv2.doc.
X.509 Proxy Certificates for dynamic delegation, by Von Welch, et al., 3rd Annual PKI R&D Workshop, Gaithersburg, MD, USA, 12-14 April 2004. Available at http://www.globus.org/Security/papers/pki04-welch-proxy-cert-final.pdf.
RSVP policy control using XACML, by E. Toktar, E. Jamhour, and G. Maziero, Policies for Distributed Systems and Networks, 2004. POLICY 2004. Proceedings. Fifth IEEE International Workshop on , 7-9 June 2004, Pages:87 - 96. Slides available at http://www.policy-workshop.org/2004/slides/Toktar-RSVPPolicyControlUsingXACML.ppt. Paper available through http://csdl.computer.org/comp/proceedings/policy/2004/2141/00/21410087abs.htm".
XACML and Federated Identity, by Hal Lockhart, BEA Systems, NASA Scientific and Engineering Workstation Procurement (SEWP) Security Symposium, 1 June 2004. Available at http://lists.oasis-open.org/archives/xacml/200406/ppt00000.ppt.
Access management for distributed systems: Role-based cascaded delegation, by Roberto Tamassia, Danfeng Yao, William H. Winsborough. June 2004. Proceedings of the ninth ACM symposium on Access control models and technologies (SACMAT). See www.cs.brown.edu/people/dyao/sacmat2004.ppt.
Role-Based Access Control (RBAC) Role Engineering Process, Version 3.0, developed for The Healthcare RBAC Task Force by SAIC, 11 May 2004. Available at http://www.va.gov/RBAC/docs/HealthcareRBACTFRoleEngineeringProcessv3.0.pdf.
CCOW Healthcare Implementation Using OASIS Standards, by Ed Coyne, Veterans Health Administration, 28-29 April 2004. VHA Health Information Architecture. Available at http://www.va.gov/rbac/docs/VHA_OASIS_CCOW_Briefing.ppt.
Access Control in a Distributed Decentralized Network: An XML Approach to Network Security using XACML and SAML, by Paul J. Mazzuca, Dartmouth College TR2004-506, Spring 2004. Available at ftp://ftp.cs.dartmouth.edu/TR/TR2004-506.pdf or http://www.cs.dartmouth.edu/reports/abstracts/TR2004-506/.
Introduction To XACML, by Phil Griffin, 19 Feb 2004. Available at http://dev2dev.bea.com/pub/a/2004/02/xacml.html
WSPL: an XACML-based Web Services Policy Language, by Anne Anderson, Sun Microsystems, Inc., 27 January 2004. Available at http://research.sun.com/projects/xacml/wspl_intro.pdf.
Design Document: SweGrid Accounting System Security Design, by Thomas Sandholm and Olle Mulmo, 22 January 2004. Available at http://www.pdc.kth.se/grid/sgas/docs/SGAS-SEC-DD-0.1.pdf.
XML Web Services and Security, by Bob Daly. Date uncertain. Available at http://www.sims.berkeley.edu/~bdaly/cde/security/WebServicesSecurityIS219.html.
Exploring a Multi-Faceted Framework for SOC: How to develop secure web-service interactions?, by Kees Leune, et al., Tilburg University, Infolab, The Netherlands. 2004. Available at http://www.leune.org/publications/psfiles/ride04_leune.pdf.

2003

Modeling Delegation of Rights in a simplified XACML with Haskell, by Frank Siebenlist, Argonne Nat. Labs/Global Grid Forum, 18 Nov 2003. Available at http://www-unix.mcs.anl.gov/~franks/haskell/XacmlDelegationHaskell0.html.
An XACML-based Policy Management and Authorization Service for Globus Resources, by Markus Lorch, Dennis Kafura, Sumit Shah, Virginia Tech, Fourth International Workshop on Grid Computing, Phoenix, AZ, 17 Nov 2003. Available at http://csdl.computer.org/comp/proceedings/grid/2003/2026/00/20260208abs.htm.
The PRIMA System for Privilege Management, Authorization and Enforcement in Grid Environments, by M. Lorch, et al., 4th Int. Workshop on Grid Computing - Grid 2003, 17 November 2003. Available at http://zuni.cs.vt.edu/publications/PRIMA-2003.pdf.
Certificate-based authorization policy in a PKI environment, by Mary R. Thompson, Abdelilah Essiari, Srilekha Mudumbai. ACM Transactions on Information and System Security (TISSEC), Volume 6 Issue 4. November 2003. Available at dsd.lbl.gov/security/Akenti/Papers/ACMTISSEC.pdf.
First Experiences Using XACML for Access Control in Distributed Systems, by Markus Lorch, Seth Proctor, Rebekah Lepro, Dennis Kafura and Sumit Shah. Presented at the ACM Workshop on XML Security 31 October 2003, Fairfax, VA, USA. Slides available at http://zuni.cs.vt.edu/publications/xml-security-xacml-experiences-presentation.pdf.
Grid security: requirements, plans and ongoing efforts, by Frank Siebenlist, Invited talk at the ACM Workshop on XML Security 31 October 2003, Fairfax, VA, USA. Slides available at: http://www.mcs.anl.gov/~franks/ACMXMLGridSecurity.pdf.
XML security: Certificate validation service using XKMS for computational grid, by Namje Park, Kiyoung Moon, Sungwon Sohn. 31 October 2003. Proceedings of the 2003 ACM workshop on XML security. Available through http://cftest.acm.org/portal/citation.cfm?id=968577.
Policy Management for OGSA Applications as Grid Services (Work in Progress), by Lavanya Ramakrishnan, MCNC-RDI Research and Development Institute. 8 Oct 2003. Available at http://www-unix.mcs.anl.gov/~keahey/DBGS/DBGS_files/dbgs_papers/ramakrishnan.pdf.
Access control: An access control framework for business processes for web services, by Hristo Koshutanski, Fabio Massacci. 31 October 2003. Proceedings of the 2003 ACM workshop on XML security.
Enterprise Privacy Authorization Language (EPAL), Matthias Schunter, ed., IBM Research Report. 1 October 2003. Available at http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/.
The Formal Semantics of XACML, by Polar Humenn, Syracuse University, Oct 2003. Available at http://lists.oasis-open.org/archives/xacml/200310/pdf00000.pdf.
ebxmlrr 2.1-final1 open source freebXML Registry, 16 September 2003. Available at http://www.freebxml.org/ebxmlrr_final.htm>.
Virtual enterprise access control requirements, by M. Coetzee, J. H. P. Eloff. September 2003. Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology. Available through http://portal.acm.org/citation.cfm?id=954045.
Web Services Security, by Mark O'Neill with Phillip Hallam-Baker, Sean Mac Cann, Mike Shema, Ed Simon, Paul A. Watters and Andrew White, Pages: 312, Publisher: McGraw-Hill Professional, ISBN: 0072224711. Contains a chapter on XACML. Review available at http://www.net-security.org/review.php?id=89.
XACML J2SE[TM] Platform Policy Profile, by Anne Anderson, Sun Microsystems, Inc. 21 July 2003. Available at http://research.sun.com/projects/xacml/J2SEPolicyProvider.html.
XACML: a new standard protects content in the enterprise data exchange, XMLMania, 7 July 2003. Available at http://www.xmlmania.com/documents_article_8.php.
An Introduction to XACML, by Michael Armstrong, SANS Institute, 29 June 2003. Available at http://www.giac.org/practical/GSEC/Michael_Armstrong_GSEC.pdf.
XACML: A New Standard Protects Content in Enterprise Data Exchange, Java.Sun.Com technical article, 24 June 2003. Available at http://java.sun.com/developer/technicalArticles/Security/xacml/xacml.html.
XACML, Quickstudy by Russell Kay, Computerworld, 19 May 2003. Available at http://www.computerworld.com/developmenttopics/development/story/0,10801,81295,00.html.
Sun XACML 1.0 Implementation Provides Attribute Management Techniques, Paragon Pinnacles, 19 May 2003, Article#9821, Volume 63, Issue 3. Available at http://newsletter.paragon-systems.com/articles/63/3/feature/9821.
An XACML Glossary, by Russell Kay, Computerworld, 19 May 2003. Available at http://www.computerworld.com/developmenttopics/development/story/0,10801,81294,00.html.
Securing Web Services for Use as Enterprise-Class Business Systems, an AmberPoint Whitepaper, May 2003. Available at http://www.eaiindustry.org/docs/member%20docs/amberpoint/AmberPoint%20Security.pdf.
Digital rights management and fair use by design: Fair use, DRM, and trusted computing, by John S. Erickson. April 2003. Communications of the ACM, Volume 46 Issue 4. Available through portal.acm.org/citation.cfm?id=641205.641226.
Multimedia and visualization: Self-manifestation of composite multimedia objects to satisfy security constraints, by Vijayalakshmi Atluri, Nabil Adam, Ahmed Gomaa, Igg Adiwijaya. March 2003. Proceedings of the 2003 ACM symposium on Applied computing. Available at http://cftest.acm.org/portal/citation.cfm?id=952715.
XACML -- A No-Nonsense Developer's Guide, by Vance McCarthy, Enterprise Developer News, 24 Feb 2003. Available at http://www.idevnews.com/TipsTricks.asp?ID=57.
XACML Will Help Enterprises In Three Areas, by Ray Wagner, Gartner, 21 February 2003. Available at http://www3.gartner.com/resources/113300/113307/113307.pdf.
Getting Started with XML Security: Authorization Rules: XML Access Control Markup Language (XACML), tutorial, SitePoint, date uncertain. Available at http://www.sitepoint.com/article/933/8.
Constrained delegation in XML-based Access Control and Digital Rights Management Standards, by Guillermo Navarro (Universitat Autonoma de Barcelona), Babak Sadighi Firozabadi (Swedish Institute of Computer Science), Erik Rissanen (Swedish Institute of Computer Science), Joan Borrell (Universitat Autonoma de Barcelona). Available at http://ccd.uab.es/~guille/var/ny2003.pdf.
Authorization Center Project (authZ), CMU. 2003. Available at http://icap.andrew.cmu.edu/authz/.

2002

Designing a distributed access control processor for network services on the Web, by Reiner Kraft. Proceedings of the 2002 ACM workshop on XML security. November 2002. Available at http://www.soe.ucsc.edu/~rekraft/papers/paper_aclp_workshop.pdf.
Dynamically authorized role-based access control for secure distributed computation, by C. Joncheng Kuo, Polar Humenn. November 2002. Proceedings of the 2002 ACM workshop on XML security. Available at http://portal.acm.org/ft_gateway.cfm?id=764807&type=pdf.
Towards securing XML Web services, by Ernesto Damiani, Sabrina De Capitani di Vimercati, Pierangela Samarati. November 2002. Proceedings of the 2002 ACM workshop on XML security. Available at http://seclab.dti.unimi.it/Papers/xmlw.ps.

Standards

This list includes open standards that reference XACML.

OASIS ebXML: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=regrep
OASIS Security Assertion Markup Language (SAML): http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
- See also the SAML Profile of XACML 2.0: http://docs.oasis-open.org/xacml/2_0/access_control-xacml-2.0-saml-profile-spec-os.pdf

Products and Deployments

This list includes products and deployments that make substantial use of XACML and that have been announced publicly. Readers should keep in mind that this is an incomplete list of XACML deployments. For security reasons, enterprises are frequently unwilling to publicize the security mechanisms they use internally, and many deployments of XACML fall into this category. In other cases, XACML is used internal to products, but is not exposed, and the vendor has chosen not to disclose this internal use.

By including these links, neither the XACML TC, nor OASIS itself, is endorsing, recommending, or guaranteeing the accuracy of these public announcements or their related products in any way. Neither the XACML TC nor OASIS itself guarantees the completeness or accuracy of the information in this list of products. This list may be modified at any time as further information about these or other products becomes known. Additional submissions for listings are invited by the editor.

BRT, Inc. product CJPD: http://www.beamreachtech.com/
Children's Hospital, Boston: Personal Internetworked Notary and Guardian http://www.ping.chip.org/Downloads/api/org/chip/ping/xacml/package-summary.html
ELENA Project: Smart Spaces for LearningTM: http://www.elena-project.org/images/other/index.html
Entrust: uses XACML in 3 products: http://www.entrust.com/resources/standards/xacml.htm
Exigen Group: http://lotos.site.uottawa.ca/ncac05/studnev_18500106.ppt
The Fedora Project: An Open-Source Digital Repository Management System: http://www.fedora.info/
Globus ToolKit for grid applications: http://www-unix.globus.org/toolkit/
Internet2: http://lionshare.its.psu.edu/main/info/docspresentation/ls_sec_i2.pdf
OASIS ebXML Standard Reference Implementation: http://ebxmlrr.sourceforge.net
Okiok Global Trust identity and access management product: http://www.okiok.com/index.jsp?page=Global+Trust
Parthenon Computing: Parthenon XACML Evaluation Engine: http://blog.parthenoncomputing.com/xacml/
Starbourne: http://lists.xml.org/archives/xml-dev/200409/msg00117.html
Sun XACML Open Source: http://sunxacml.sourceforge.net/
UMU-XACML Editor: http://xacml.dif.um.es/
XACML.NET: http://mvpos.sourceforge.net/xacml.htm