XACML is an access control policy language. In practical use of XACML a large enterprise will have many different resources and lots of policies about different resources. There is a desire to make management of the policies easy to handle.
It is desirable to centralize the machinery for policy management so it is easy to manage all the policies, rather than having lots of policies spread around all over with little control over them.
It is also desirable to make the “physical” distance between a PEP (Policy Enforcement Point) and a PDP (Policy Decision Point) short for performance reasons. Sending each request to a single central PDP in a large enterprise does not scale well. The load on the PDP will get high and the delay from the request and response in transit over a network will degrade performance.
So it is desirable to have many PDPs around, close to the resources. These many PDPs need to be managed efficiently. Each PDP must receive the right policies about those resources (or perhaps users) which they receive requests about. But at the same time it is desirable to hide this machinery of many PDPs from the administration, and present a consolidated view of the whole enterprise to the administrators.
Existing approaches to policy distribution have a lot of problems.
One approach is to distribute all policies to all PDPs. This is simple and the whole enterprise looks like a single PDP to the administrators. However, distributing all policies is inefficient, because there is an overhead in network communications sending policies which are not needed at each PDP. Each PDP will have a large set of policies to evaluate, which degrades runtime performance.
Furthermore, distributing all policies may be undesirable, because policies may be sensitive/confidential and must not be disclosed to any PDP.
Another approach is to manually decide which policies to send to which PDP. However, this represents an administrative overhead and is prone to error.
A third approach is to use a subset of XACML for control over distribution, for instance the XACML standard has a “profile” (an additional extra piece of “appendix” we could say) by which it is possible to request a policy based on matching of the top level target only. However, this represents an administrative overhead since the policies must be kept in this form. Besides, it does not allow distribution of any XACML policy, since the policies must be in a special form where the top level target is used for distribution control. Furthermore, it is prone to error.