Tutorial on XACML - PowerPoint PPT Presentation

About This Presentation
Title:

Tutorial on XACML

Description:

Tutorial on XACML. Audumbar. Access control and privacy. ... http://server.example.com/code/docs/developer-guide.html – PowerPoint PPT presentation

Slides: 28
Provided by: Aud134
Category:
Tags: xacml | html | tutorial


Transcript and Presenter's Notes

1
Tutorial on XACML
  • Audumbar

2
Access control and privacy
  • Who can access what, under what conditions, and for what purpose

3
XACML - About
  • The eXtensible Access Control Markup Language is an OASIS Standard
  • The XACML standard provides
      • Policy Language
      • Request and Response Language
      • Standard data-types, functions, combining algorithms
      • Extensibility
      • Privacy profile, RBAC profile
      • An architecture defining the major components in an implementation

4
General terms
  • Resource
      • Data, system component or service
  • Subject
      • An actor who makes a request to access certain Resources
  • Action
      • An operation on a resource
  • Environment
      • The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action
  • Attributes
      • Characteristics of a subject, resource, action or environment
  • Target
      • Defines conditions that determine whether a policy applies to a request

5
Usage Scenario
  • Policy Enforcement Point (PEP)
      • Entity protecting the resource (e.g. a file system)
      • Performs access control by making decision requests and enforcing authorization decisions.

6
Usage Scenario
  • Policy Administration Point (PAP)
      • Creates security policies and stores these policies in the repository.

7
Usage Scenario
  • Context Handler
      • A Context is the canonical representation of a decision request and an authorization decision.
      • A Context Handler can be defined to convert requests in their native format to the XACML canonical form and to convert authorization decisions in the XACML canonical form to the native format.

8
Usage Scenario
  • The Policy Decision Point (PDP)
      • Receives and examines the request
      • Retrieves applicable policies
      • Evaluates the applicable policy and
      • Returns the authorization decision to the PEP

9
Usage Scenario
  • Policy Information Point (PIP)
      • Serves as the source of attribute values, or the data required for policy evaluation.

10
How does it work: Data Flow
11
XACML Policy Structure
12
Policy Language model
13
XACML Policy Example

    <Policy PolicyId="ExamplePolicy"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://server.example.com/code/docs/developer-guide.html</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                                           AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions><AnyAction/></Actions>
      </Target>
      <Rule RuleId="ReadRule" Effect="Permit">
        <!-- rule body shown on the next slide -->
      </Rule>
    </Policy>

14
Policy Example (contd.)

    <Rule RuleId="ReadRule" Effect="Permit">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><AnyResource/></Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                      AttributeId="group"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue>
      </Condition>
    </Rule>

15
XACML Request Structure
16
Request Example

    <Request>
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
          <AttributeValue>xyz@users.example.com</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group"
                   DataType="http://www.w3.org/2001/XMLSchema#string"
                   Issuer="admin@users.example.com">
          <AttributeValue>developers</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>http://server.example.com/code/docs/developer-guide.html</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
    </Request>

17
XACML Response Structure
18
XACML Response Example

    <Response>
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
      </Result>
    </Response>

  • Effect
  • Permit/Deny/Not Applicable/Indeterminate
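To see slides 13 to 18 work end to end, here is a small policy decision point, added as an example (it is not code from the slides, from Sun's implementation or from any other XACML project). It parses the ExamplePolicy above, with the ReadRule body from slide 14 filled in and in the same namespace-less XML form as the slides, takes the request in the canonical form a context handler would hand the PDP (a dict of category, attribute id and values, which is this example's own representation rather than XACML's request XML), and returns the Decision a Response would carry. Only the elements and functions the slides use are supported; anything else is reported as Indeterminate, which is also what a missing or multi-valued `group` attribute produces through string-one-and-only.

```python
"""Tiny XACML 1.0 PDP for slides 13-18 (added example, not code from the slides or
any XACML implementation).  Supports only what those slides use: Target matching
(<Any*/>, *Match with string-equal / anyURI-equal), a Condition of string-equal,
string-one-and-only and designators, permit-overrides as slide 19 states it."""
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:1.0:"
XS = "http://www.w3.org/2001/XMLSchema#"
EQUAL = {X + "function:string-equal", X + "function:anyURI-equal"}
ONE_AND_ONLY = X + "function:string-one-and-only"
DOC = "http://server.example.com/code/docs/developer-guide.html"

# Constructed: the slides' ExamplePolicy with the ReadRule body (slide 14) filled in,
# namespace-less as on the slides.
POLICY = f"""
<Policy PolicyId="ExamplePolicy" RuleCombiningAlgId="{X}rule-combining-algorithm:permit-overrides">
 <Target>
  <Subjects><AnySubject/></Subjects>
  <Resources><Resource><ResourceMatch MatchId="{X}function:anyURI-equal">
   <AttributeValue DataType="{XS}anyURI">{DOC}</AttributeValue>
   <ResourceAttributeDesignator DataType="{XS}anyURI" AttributeId="{X}resource:resource-id"/>
  </ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions>
 </Target>
 <Rule RuleId="ReadRule" Effect="Permit">
  <Target>
   <Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
   <Actions><Action><ActionMatch MatchId="{X}function:string-equal">
    <AttributeValue DataType="{XS}string">read</AttributeValue>
    <ActionAttributeDesignator DataType="{XS}string" AttributeId="{X}action:action-id"/>
   </ActionMatch></Action></Actions>
  </Target>
  <Condition FunctionId="{X}function:string-equal">
   <Apply FunctionId="{ONE_AND_ONLY}">
    <SubjectAttributeDesignator DataType="{XS}string" AttributeId="group"/>
   </Apply>
   <AttributeValue DataType="{XS}string">developers</AttributeValue>
  </Condition>
 </Rule>
</Policy>"""

def make_request(resource=DOC, action="read", groups=("developers",)):
    """Constructed request context (what the context handler hands the PDP),
    shaped {category: {AttributeId: [values]}} after slide 16's Request."""
    return {"Subject": {X + "subject:subject-id": ["xyz@users.example.com"], "group": list(groups)},
            "Resource": {X + "resource:resource-id": [resource]},
            "Action": {X + "action:action-id": [action]}}

class Indeterminate(Exception): """Missing/ambiguous attribute or unsupported function."""

def bag(elem, request):
    """Evaluate an expression element to a bag (list) of values."""
    if elem.tag == "AttributeValue":
        return [elem.text.strip()]
    if elem.tag.endswith("AttributeDesignator"):          # Subject/Resource/Action...
        category = elem.tag[:-len("AttributeDesignator")]
        return request.get(category, {}).get(elem.get("AttributeId"), [])
    fn, args = elem.get("FunctionId"), [bag(c, request) for c in elem]   # Apply / Condition
    if fn == ONE_AND_ONLY and len(args) == 1 and len(args[0]) == 1:   # exactly one value
        return args[0]
    if fn in EQUAL and len(args) == 2 and all(len(a) == 1 for a in args):
        return [args[0][0] == args[1][0]]
    raise Indeterminate(f"{fn}: unsupported function or wrong bag size")

def match_true(match, request):
    """<*Match>: the literal (first child) equals some value the designator yields."""
    if match.get("MatchId") not in EQUAL:
        raise Indeterminate(f"unsupported MatchId {match.get('MatchId')}")
    return bag(match[0], request)[0] in bag(match[1], request)

def target_matches(target, request):
    """All sections match; <Any*/> always does, else some alternative has every *Match true."""
    for section in (target if target is not None else []):     # Subjects, Resources, Actions
        if section.find("Any" + section.tag[:-1]) is None and not any(
                all(match_true(m, request) for m in alt) for alt in section):
            return False
    return True

def evaluate_rule(rule, request):
    """NotApplicable if target/condition do not apply, Indeterminate on error, else Effect."""
    try:
        cond = rule.find("Condition")
        if not target_matches(rule.find("Target"), request) or (
                cond is not None and not bag(cond, request)[0]):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect")

def permit_overrides(decisions):
    """Slide 19's wording: Permit wins; Deny only if every other rule is NotApplicable."""
    return next((d for d in ("Permit", "Indeterminate", "Deny") if d in decisions), "NotApplicable")

def decide(policy_xml, request):
    """PDP entry point: the <Decision> value the Response would carry."""
    policy = ET.fromstring(policy_xml)
    try:
        if not target_matches(policy.find("Target"), request):
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return permit_overrides([evaluate_rule(r, request) for r in policy.findall("Rule")])
```

`decide(POLICY, make_request())` gives Permit for the slide's request; changing the action to write or the resource to another URL gives NotApplicable (the rule target, respectively the policy target, no longer matches); a subject with no group attribute, or with two, gives Indeterminate because string-one-and-only cannot reduce the bag to one value.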

19
Combining Algorithms
  • Deny-overrides
      • If any evaluation returns Deny, then the result must be Deny.
      • If all rules evaluate to Permit, then the result is Permit.
  • Permit-overrides
      • If any rule evaluates to Permit, then the result is Permit.
      • If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the result is Deny.
      • If all rules are found to be NotApplicable, then the result is NotApplicable.

20
Combining Algorithms
  • First-applicable
      • Rules are evaluated in their listing order.
      • For each rule, if the target matches and the condition evaluates to True, then the result of that rule is the result of the policy (either Permit, Deny, or Indeterminate).
      • Otherwise, the algorithm goes on to the next rule. If no rule applies, then the result is NotApplicable.
  • Only-one-applicable
      • For all policies in the policy set, if no policy applies, then the result is NotApplicable.
      • If more than one policy applies, then the result is Indeterminate.
      • If only one policy applies, then the result is the result of evaluating that policy.
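A compact implementation of the four algorithms on these two slides, added as an example rather than taken from the slides or from any XACML implementation. Rule decisions are passed in as (decision, effect) pairs in listing order, because where the slides abridge the handling of Indeterminate the code follows the OASIS pseudocode for the rule-combining algorithms: an Indeterminate rule is judged by the Effect it would have had, and under permit-overrides an error on a Permit rule yields Indeterminate rather than Permit, so an evaluation error never grants access. Only-one-applicable is a policy-combining algorithm and takes (target-applies, decision) pairs for the policies of a policy set.

```python
"""The four combining algorithms of slides 19-20 (added example, not code from
the slides or any XACML implementation).  Each function takes the decisions of
the rules (or policies) in listing order and returns the combined decision."""
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(rules):
    """rules: [(decision, effect)].  Any Deny wins; an Indeterminate rule with
    Effect Deny counts as Deny (the safe side); then Permit; then Indeterminate
    if anything errored; otherwise NotApplicable."""
    potential_deny = any_permit = any_error = False
    for decision, effect in rules:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            any_permit = True
        elif decision == IND:
            any_error = True
            potential_deny = potential_deny or effect == DENY
    if potential_deny:
        return DENY
    if any_permit:
        return PERMIT
    return IND if any_error else NA

def permit_overrides(rules):
    """Mirror image, except that an Indeterminate rule with Effect Permit
    yields Indeterminate, never Permit: an error must not grant access."""
    potential_permit = any_deny = any_error = False
    for decision, effect in rules:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            any_deny = True
        elif decision == IND:
            any_error = True
            potential_permit = potential_permit or effect == PERMIT
    if potential_permit:
        return IND
    if any_deny:
        return DENY
    return IND if any_error else NA

def first_applicable(rules):
    """The first rule in listing order whose target and condition apply decides
    (Permit, Deny or Indeterminate); if none applies, NotApplicable."""
    for decision, _effect in rules:
        if decision != NA:
            return decision
    return NA

def only_one_applicable(policies):
    """Policy combining.  policies: [(target_applies, decision)], where
    target_applies is True, False, or IND when the target could not be evaluated."""
    if any(applies == IND for applies, _ in policies):
        return IND                      # cannot tell how many policies apply
    applicable = [decision for applies, decision in policies if applies]
    if not applicable:
        return NA
    if len(applicable) > 1:
        return IND
    return applicable[0]
```

The (decision, effect) pairs are exactly what a PDP has in hand after evaluating each rule, so these functions drop straight in behind a rule evaluator.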

21
Extensibility
  • Extensible XML attribute types
      • The following XML attributes, whose values are URIs, may be extended by the creation of new URIs associated with new semantics for these attributes:
      • AttributeId, DataType, FunctionId, MatchId, ObligationId, PolicyCombiningAlgId, RuleCombiningAlgId, StatusCode, SubjectCategory.
  • For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types.
  • A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.

22
Privacy profile
  • This profile defines two attributes.
      • urn:oasis:names:tc:xacml:2.0:resource:purpose
          • the purpose for which the data resource was collected
      • urn:oasis:names:tc:xacml:2.0:action:purpose
          • the purpose for which access to the data resource is requested
  • Matching purpose rule
      • Deny-Overrides
      • Access SHALL be denied unless the purpose for which access is requested matches, by regular-expression match, the purpose for which the data resource was collected.
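The matching-purpose rule as a decision function, added as an example; the profile's own rule XML is not shown on the slides, so the rule is modelled here as a Deny rule whose condition is the negation of the purpose match, which is what lets it sit under deny-overrides next to whatever policy would otherwise grant access. The comparison uses the semantics of XACML's regexp-string-match function: the resource:purpose value is the regular expression, the action:purpose value is the string tested, and, since XACML regular expressions follow XML Schema and match the whole string, Python's re.fullmatch is used rather than re.search. The request dict and the purpose values are constructed for the example.

```python
"""Slide 22's matching-purpose rule (added example, not the profile's XML).
resource:purpose is the regular expression and action:purpose the string, the
argument order of urn:oasis:names:tc:xacml:1.0:function:regexp-string-match.
Modelled as a Deny rule: it fires when the purposes do not match and stays
NotApplicable when they do, leaving the grant to the other rules under
deny-overrides."""
import re

RESOURCE_PURPOSE = "urn:oasis:names:tc:xacml:2.0:resource:purpose"
ACTION_PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"

def regexp_string_match(regexp, value):
    """XACML regexps are XML Schema regexps, which match the whole string,
    hence fullmatch.  None marks an evaluation error (malformed pattern)."""
    try:
        return re.fullmatch(regexp, value) is not None
    except re.error:
        return None

def matching_purpose_rule(request):
    """Deny when the requested purpose does not match the collection purpose;
    NotApplicable when it does; Indeterminate when either attribute is
    missing or multi-valued (string-one-and-only fails) or the pattern is bad."""
    collected = request.get("Resource", {}).get(RESOURCE_PURPOSE, [])
    requested = request.get("Action", {}).get(ACTION_PURPOSE, [])
    if len(collected) != 1 or len(requested) != 1:
        return "Indeterminate"
    matched = regexp_string_match(collected[0], requested[0])
    if matched is None:
        return "Indeterminate"
    return "NotApplicable" if matched else "Deny"

def purpose_request(collected, requested):
    """Constructed request context carrying only the two purpose attributes;
    pass None to leave an attribute out."""
    req = {"Resource": {}, "Action": {}}
    if collected is not None:
        req["Resource"][RESOURCE_PURPOSE] = [collected]
    if requested is not None:
        req["Action"][ACTION_PURPOSE] = [requested]
    return req
```

With a collection purpose of `research|marketing`, a request for `research` leaves the rule NotApplicable and a request for `sales` is denied; because the match is anchored, `research-internal` against a collection purpose of `research` is denied too, which is the behaviour an unanchored search would silently lose.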

23
RBAC profile
  • Scope
      • If a subject has roles R1, R2, ... Rn enabled, can subject X access a given resource using a given action?
      • Is subject X allowed to have role Ri enabled?
      • If a subject has roles R1, R2, ... Rn enabled, does that mean the subject will have the permissions associated with a given role R'? That is, is role R' either equal to or junior to any of roles R1, R2, ... Rn?

24
RBAC Profile Policies
  • Role <PolicySet>
      • Each Role <PolicySet> references a single corresponding Permission <PolicySet>
  • Permission <PolicySet>
      • The actual permissions associated with a given role
      • References to the Permission <PolicySet>s associated with other roles that are junior to the given role
  • Role Assignment <Policy> or <PolicySet>
      • Which roles can be enabled or assigned to which subjects
  • HasPrivilegesOfRole <Policy>
      • A <Policy> in a Permission <PolicySet> that supports requests asking whether a subject has the privileges associated with a given role.
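The three scope questions of slide 23 answered over the policy structure of slide 24, as an added example with a constructed role hierarchy and role assignment (not the profile's own XML). Each role's Permission PolicySet is represented as the pair of its own permissions and the junior roles whose Permission PolicySets it references; resolving those references transitively is what gives a senior role its juniors' permissions, and a visited set keeps a mis-authored cyclic reference from looping.

```python
"""Slides 23-24 as data (added example; constructed roles and subjects, not the
RBAC profile's XML).  A role's Permission <PolicySet> = its own permissions plus
references to its junior roles' Permission <PolicySet>s; a Role Assignment policy
says who may enable which role; HasPrivilegesOfRole asks whether a role is equal
or junior to an enabled one."""

# Constructed hierarchy: role -> (own permissions, junior roles it references)
PERMISSION_POLICY_SETS = {
    "employee":  ({("intranet", "read")}, []),
    "developer": ({("source", "read"), ("source", "write")}, ["employee"]),
    "manager":   ({("reports", "read")}, ["employee"]),
    "lead":      ({("deploy", "execute")}, ["developer", "manager"]),
}
# Constructed Role Assignment policy: subject -> roles it may have enabled
ROLE_ASSIGNMENT = {"xyz@users.example.com": {"developer"},
                   "boss@users.example.com": {"lead"}}

def junior_roles(role, hierarchy=PERMISSION_POLICY_SETS):
    """All roles reachable through the junior-role references, transitively.
    The visited set also stops a mis-authored cyclic reference from looping."""
    juniors, todo = set(), list(hierarchy[role][1])
    while todo:
        r = todo.pop()
        if r not in juniors:
            juniors.add(r)
            todo.extend(hierarchy[r][1])
    return juniors

def permissions_of(role, hierarchy=PERMISSION_POLICY_SETS):
    """Evaluate the role's Permission <PolicySet>: own permissions plus those
    of every junior role."""
    perms = set(hierarchy[role][0])
    for junior in junior_roles(role, hierarchy):
        perms |= hierarchy[junior][0]
    return perms

def may_enable(subject, role, assignment=ROLE_ASSIGNMENT):
    """Scope question 2: is the subject allowed to have this role enabled?"""
    return role in assignment.get(subject, set())

def has_privileges_of_role(enabled, role, hierarchy=PERMISSION_POLICY_SETS):
    """Scope question 3 / HasPrivilegesOfRole <Policy>: is the role equal to or
    junior to any of the enabled roles?"""
    return any(role == r or role in junior_roles(r, hierarchy) for r in enabled)

def decide(enabled, resource, action, hierarchy=PERMISSION_POLICY_SETS):
    """Scope question 1: the Role <PolicySet> of each enabled role forwards to
    its Permission <PolicySet>; any grant permits, otherwise NotApplicable
    (which a PEP treats as a refusal)."""
    if any((resource, action) in permissions_of(r, hierarchy) for r in enabled):
        return "Permit"
    return "NotApplicable"
```

A lead inherits intranet read through developer and manager down to employee, a manager cannot write source, and the HasPrivilegesOfRole question is answered purely from the hierarchy, without enumerating permissions.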

25
XACML implementations
  • Using Sun's XACML implementation
      • Building a PDP
      • Building a PEP
      • Creating and encoding policies
      • Validating policies and requests
      • Supporting attribute selectors
  • XACMLight: Apache Axis2 Web Service XACML 2.0 PDP/PAP implementation
  • XACML policy editors

26
Limitations
  • XACML is verbose and complex in some ways.
  • Interactions involving PAP, PIP, etc., are not
    standardized.
  • Policy administration, policy versioning, etc.,
    are not standardized.

27
References
  • OASIS XACML Technical Committee Home Page
      • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
  • Sun's XACML Open Source Implementation
      • http://sunxacml.sourceforge.net/