Take advantage of all of the power that OPA & Rego can provide to your Access Control solutions.
Architecture
Xackalope is an on-prem software solution. You POST XACML documents to it, and it converts them into one or more .rego files that faithfully replicate the XACML functionality. It saves those files to a location of your preference. Create OPA bundles from those .rego files and deploy them, and your Open Policy Agent instances will provide the exact same access control functionality that you had with XACML. In addition, you can then extend and improve the Policy As Code logic to support the extensive features of Rego.
Compatibility
Does Xackalope support the complete XACML spec?
Not yet, but we support all of the commonly used tags and structures. If we’re missing tags that you need, we’ll work with you to implement them.
Can we send XML-based documents to OPA for decision making?
No, but our system supports the JSON implementation of XACML’s queries.
What will we have to change in our applications?
- Send the queries as XACML-JSON
- Change the URL to which the JSON XACML query is sent
- Accept XACML-JSON Response objects
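The application-side change listed above, sketched as an added example (not Xackalope's or OPA's own code): it builds a query in the OASIS XACML JSON profile and evaluates the Response so that anything other than an explicit Permit is refused. The function names and sample responses are constructed for illustration. The HTTP call is omitted because the page does not give the endpoint URL or any wrapping it expects.

```python
import json

# Standard attribute identifiers from the XACML 3.0 core specification.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


def build_request(subject, action, resource):
    """Return an XACML-JSON request body (hypothetical helper)."""
    def category(attr_id, value):
        return {"Attribute": [{"AttributeId": attr_id, "Value": value}]}
    return json.dumps({"Request": {
        "AccessSubject": category(SUBJECT_ID, subject),
        "Action": category(ACTION_ID, action),
        "Resource": category(RESOURCE_ID, resource),
    }})


def is_permitted(response_body):
    """Fail closed: allow only when every result is exactly 'Permit'."""
    try:
        results = json.loads(response_body)["Response"]
    except (ValueError, KeyError, TypeError):
        return False                      # malformed or unexpected body
    if isinstance(results, dict):         # tolerate a single result object
        results = [results]
    if not isinstance(results, list) or not results:
        return False                      # no decision means no access
    return all(isinstance(r, dict) and r.get("Decision") == "Permit"
               for r in results)


# Constructed sample responses, not captured from a real deployment.
SAMPLES = {
    "permit": '{"Response": [{"Decision": "Permit"}]}',
    "deny": '{"Response": [{"Decision": "Deny"}]}',
    "not_applicable": '{"Response": [{"Decision": "NotApplicable"}]}',
    "indeterminate": '{"Response": [{"Decision": "Indeterminate"}]}',
    "mixed": '{"Response": [{"Decision": "Permit"}, {"Decision": "Deny"}]}',
    "empty": '{"Response": []}',
    "garbage": '<html>502 Bad Gateway</html>',
}

if __name__ == "__main__":
    print(build_request("alice", "read", "/reports/q3"))
    for name, body in SAMPLES.items():
        print(f"{name:15} -> {'ALLOW' if is_permitted(body) else 'REFUSE'}")
```

Treating NotApplicable, Indeterminate and unparseable bodies as a refusal keeps the enforcement point deny-by-default while queries are moved to the new decision endpoint.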
Are we locked in to using Xackalope forever?
No – once you convert your XACML to Rego, and train your people to develop Access Control in Rego, you don’t need Xackalope anymore.
Benefits
Once you’ve replaced your XACML with Rego, you’ll see several benefits:
- Open Policy Agents process documents very fast, and have a small memory/disk footprint. They can be deployed as standalone processes, as containers, as sidecars in Kubernetes, etc.
- OPAs can be deployed throughout your organization, with the code residing in a centralized location and automatically delivered to the agents.
- OPAs include a data section which can also be managed centrally and deployed automatically, enriching the capabilities of your Access Control policy.
- Rego supports lists, sets, key-value pairs, iteration, plugins for access to third-party data, JWTs, encryption, hashing and a variety of other security and quality-of-life capabilities.
- Enhanced features (data access, centralized management, decision log aggregation, etc.) are available via Styra DAS and other OPA-compatible management systems.