An Introduction to eXtensible Access Control Markup Language XACML - PowerPoint PPT Presentation

1 / 43
About This Presentation
Title:

An Introduction to eXtensible Access Control Markup Language XACML

Description:

Access control means defining 'who can access what, and under ... AttributeAssignment AttributeId='mailto' DataType='http://www.w3.org/2001/XMLSchema#string' ... – PowerPoint PPT presentation

Number of Views:1106
Avg rating:5.0/5.0
Slides: 44
Provided by: hemant
Category:

less

Transcript and Presenter's Notes

Title: An Introduction to eXtensible Access Control Markup Language XACML


1
An Introduction to eXtensible Access Control
Markup Language XACML
  • Hemant Goyal
  • BE IT NSIT

2
The Plan
  • Access Control
  • What is it?
  • Why is it needed?
  • Privacy
  • General Terms

3
The Plan II
  • XACML
  • About
  • General Usage Scenario
  • Advantages and Limitations
  • Structure
  • Components
  • Request
  • Policies
  • Response
  • Practical Implementation

4
Access Control
  • Wikipedia
  • Access control is the ability to permit or deny
    the use of something by someone.
  • http//sunxacml.sourceforge.net/
  • Access control means defining who can access
    what, and under what conditions?

5
Access Control Need?
  • Consider three user groups who must share
    resources amongst themselves.
  • Requirement of a generic method to address such
    situations where data must be shared and also
    hidden from other users for various reasons.

6
Access Control Need?
  • Consider the hierarchal structure of an
    organization.
  • Different members of different groups have access
    to different amounts of data.
  • Again such access to resources must be cleverly
    dealt with.

7
Access Control AND Privacy
  • who can access what, under what conditions AND
  • for what purpose
  • ?

8
Access Control Privacy
  • An access control policy can be transformed into
    a privacy aware access control policy with the
    association of the following parameters
  • Intent or Purpose for access against each
    resource.
  • Obligations to be fulfilled on access to certain
    data resources
  • Data Retention Periods.

9
General Terms
  • Let us formally define some terms now
  • Official Definition
  • Resource - Data, service or system component
  • Examples
  • User Folders in a shared File System
  • Service to send emails
  • Some are allowed to use the service
  • Some are not.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
10
General Terms
  • Official Definition
  • Subject - An actor whose attributes may be
    referenced by a predicate.
  • (Un) Official explanation
  • Subject An actor who makes a request to access
    certain Resources. Terms that are used to
    describe a subject are called Subject Attributes.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
11
General Terms
  • Official Definition
  • Action - An operation on a resource.
  • Examples
  • View
  • Create
  • Update
  • Delete

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
12
General Terms
  • Official Definition
  • Environment - The set of attributes that are
    relevant to an authorization decision and are
    independent of a particular subject, resource or
    action
  • Examples
  • Time of Day
  • IP address

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
13
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Subject Attribute
  • Username
  • ramesh

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
14
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Resource Attribute
  • resource-id
  • hospital.patient.xray_report

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
15
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Action Attribute
  • action-id
  • edit

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
16
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Environment Attribute
  • time
  • 930 p.m.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
17
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Environment Attribute
  • time
  • 930 p.m.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
18
General Terms
  • Official Definitions
  • Policy decision point (PDP) - The system entity
    that evaluates applicable policy and renders an
    authorization decision.
  • Policy enforcement point (PEP) - The system
    entity that performs access control, by making
    decision requests and enforcing authorization
    decisions.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
19
Part II
  • eXtensible Access Control Markup Language

20
An Important Note
  • From here onwards when we talk about access
    control we automatically imply privacy aware
    access control.

http//dev2dev.bea.com/pub/a/2004/02/xacml.html
21
XACML - About
  • XACML defines a general policy language used to
    protect resources as well as an access decision
    language.
  • Markup language has been approved and
    standardized by OASIS.

http//dev2dev.bea.com/pub/a/2004/02/xacml.html
22
XACML - About
  • XACML describes
  • an access control policy language
  • a request/response language

http//sunxacml.sourceforge.net/
23
XACML General Usage Scenario
  • Policy Enforcement Point
  • A subject (e.g. human user, workstation) wants to
    take some action on a particular resource.
  • The subject submits its query to the entity
    protecting the resource (e.g. file system, web
    server). This entity is called a Policy
    Enforcement Point (PEP).

http//sunxacml.sourceforge.net/
24
XACML General Usage Scenario
  • Policy Enforcement Point
  • The PEP forms a request (using the XACML request
    language) based on the attributes of the
  • Subject
  • Action
  • Resource
  • Other relevant information privacy parameters

http//sunxacml.sourceforge.net/
25
XACML General Usage Scenario
  • Policy Development Point
  • It does the following
  • Receives and examines the request.
  • Retrieves applicable policies (written in the
    XACML policy language).
  • Determines whether access should be granted.
  • Returns the access decision to the PEP.

http//sunxacml.sourceforge.net/
26
XACML Advantages ?
  • ONE STANDARD access control policy language for
    ALL organizations.
  • Administrators save time and money because they
    don't need to rewrite their policies in many
    different languages.
  • Developers save time and money because they don't
    have to invent new policy languages and write
    code to support them. They can reuse existing code

http//sunxacml.sourceforge.net/
27
XACML Advantages ?
  • Tools supporting easy writing of XACML policies
    and requests would be available
  • UMU-XACML-Editor-v1.2.0
  • .NET based XACML Policy and request editors
  • Provides a lot of flexibility as it is a very
    general purpose language and extremely extensible.

http//sunxacml.sourceforge.net/
28
XACML Limitations ?
  • XACML does not explicitly require the
    specification of purpose or intent which is often
    associated with a privacy policy.
  • The language's flexibility and expressiveness
    comes at the cost of complexity and verbosity.
  • Absence of Semantic Validation Tools.

A Comparison of Two Privacy Policy Languages
EPAL and XACML Anne Anderson Survey on
XML-Based Policy Languages for Open Environments
Mariemma I. Yagüe /
29
XACML Limitations ?
  • Features like policy versioning and management
    are not defined in XACML framework these must be
    incorporated by the application developer.
  • No feature of temporary authorization specified.
  • If an employee must be authorized to access some
    data for 10 15 minutes, then one must create
    the entire policy.

http//sunxacml.sourceforge.net/
30
XACML Structure
http//sunxacml.sourceforge.net/
31
XACML Structure
http//sunxacml.sourceforge.net/
32
XACML Structure
  • ltRequest
  • xmlns"urnoasisnamestcxacml1.0context
  • xmlnsxsihttp//www.w3.org/2001/XMLSchema-instan
    ce
  • xmlnsdb"db_acad"gt

http//sunxacml.sourceforge.net/
33
XACML Structure
  • ltSubjectgt
  • ltAttribute
  • AttributeId"db_acad_users_user_username"
  • DataType"http//www.w3.org/2001/XM
    LSchemastring"gt
  • ltAttributeValuegt
  • student4
  • lt/AttributeValuegt
  • lt/Attributegt
  • lt/Subjectgt

http//sunxacml.sourceforge.net/
34
XACML Structure
  • ltResourcegt
  • ltAttribute
  • AttributeId"urnoasisnamestcxacml1.0resourc
    eresource-id"
  • DataType"http//www.w3.org/2001/X
    MLSchemastring"gt
  • ltAttributeValuegt
  • sub2
  • lt/AttributeValuegt
  • lt/Attributegt
  • lt/Resourcegt

http//sunxacml.sourceforge.net/
35
XACML Structure
  • ltActiongt
  • ltAttribute AttributeId"urnoasisnamestcxac
    ml1.0actionaction-id"
  • DataType"http//www.w3.org/2001/XM
    LSchemastring"gt
  • ltAttributeValuegt
  • view
  • lt/AttributeValuegt
  • lt/Attributegt
  • lt/Actiongt

http//sunxacml.sourceforge.net/
36
XACML Structure
  • ltEnvironmentgt
  • ltAttribute AttributeIdcurrent-time"
  • DataType"http//www.w3.org/2001/XM
    LSchemastring"gt
  • ltAttributeValuegt
  • 940 am
  • lt/AttributeValuegt
  • lt/Attributegt
  • lt/Evironmentgt

http//sunxacml.sourceforge.net/
37
XACML Policy Structure
http//sunxacml.sourceforge.net/
38
XACML Response Structure
http//sunxacml.sourceforge.net/
39
XACML Response Structure
  • ltResponsegt
  • ltResultgt
  • ltDecisiongt
  • Permit
  • lt/Decisiongt
  • ltStatusgt
  • ltStatusCode Value"urnoasisnamestcxacml1.0s
    tatusok"/gt
  • lt/Statusgt
  • lt/Resultgt
  • lt/Responsegt

http//sunxacml.sourceforge.net/
40
XACML Response Structure
  • ltDecisiongt
  • Permit
  • lt/Decisiongt

http//sunxacml.sourceforge.net/
41
XACML Response Structure
  • ltStatusgt
  • ltStatusCode Value"urnoasisnamestcxacml1.0s
    tatusok"/gt
  • lt/Statusgt

http//sunxacml.sourceforge.net/
42
XACML Response Structure
  • ltObligationsgt
  • ltObligation ObligationId"email"
    FulfillOn"Permit"gt
  • ltAttributeAssignment AttributeId"mailto
  • DataType"http//www.w3.org/2001/XMLSchemastring"
    gt
  • //contextResourceContent/dbuser/dbemail
    /text()
  • lt/AttributeAssignmentgt
  • ltAttributeAssignment AttributeId"text
  • DataType"http//www.w3.org/2001/XMLSchemastring"
    gt
  • Your marks have been accessed by the Dean
    for the purpose of Creation of GradeSheet.
  • lt/AttributeAssignmentgt
  • lt/Obligationgt

http//sunxacml.sourceforge.net/
43
References
  • http//sunxacml.sourceforge.net/
  • XACML Core Specification Documents
    access_control-xacml-2.0-core-spec-os.pdf
  • http//dev2dev.bea.com/pub/a/2004/02/xacml.html
  • A Comparison of Two Privacy Policy Languages
    EPAL and XACML Anne Anderson
  • Survey on XML-Based Policy Languages for Open
    Environments Mariemma I. Yagüe
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "An Introduction to eXtensible Access Control Markup Language XACML" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!