OASIS eXtensible Access Control Markup Language XACML - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
OASIS eXtensible Access Control Markup Language
(XACML)
  • Hal Lockhart
  • hal.lockhart@entegrity.com

2
Outline
  • Overview: Theory
  • XACML Charter and Objectives
  • Concepts and processing
  • Rules, Policies and Policy Sets
  • Request and Response Contexts
  • XACML Status

3
First a Little Theory
4
Types of Authorization Info - 1
  • Attribute Assertion
    • Properties of a system entity (typically a
      person)
    • Relatively abstract business context
    • Same attribute used in multiple resource
      decisions
    • Examples: X.509 Attribute Certificate, SAML
      Attribute Statement, XrML PossessProperty
  • Authorization Policy
    • Specifies all the conditions required for access
    • Specifies the detailed resources and actions
      (rights)
    • Can apply to multiple subjects, resources, times
    • Examples: XACML Policy, XrML License, X.509
      Policy Certificate

5
Types of Authorization Info - 2
  • AuthZ Decision
    • Expresses the result of a policy decision
    • Specifies a particular access that is allowed
    • Intended for immediate use
    • Examples: SAML AuthZ Decision Statement, IETF COPS

6
Implications of this Model
  • Benefits
    • Improved scalability
    • Separation of concerns
    • Enables federation
  • Distinctions not absolute
    • Attributes can seem like rights
    • A policy may apply to one principal, resource
    • Systems with a single construct tend to evolve to
      treating principal or resource as abstraction

7
XACML TC Charter
  • Define a core XML schema for representing
    authorization and entitlement policies
  • Target: any object, referenced using XML
  • Fine-grained control; characteristics: access
    requestor, protocol, classes of activities, and
    content introspection
  • Consistent with and building upon SAML

8
XACML Membership
  • Affinitex
  • Crosslogix
  • Entegrity Solutions
  • Entrust
  • Hitachi (Quadrasis)
  • IBM
  • OpenNetworks
  • Overxeer, inc.
  • Pervasive Security Systems
  • Sterling Commerce
  • Sun Microsystems
  • Xtradyne
  • Various individual members

9
XACML Objectives
  • Ability to locate policies in distributed
    environment
  • Ability to federate administration of policies
    about the same resource
  • Base decisions on wide range of inputs
    • Multiple subjects, resource properties
    • Decision expressions of unlimited complexity
  • Ability to do policy-based delegation
  • Usable in many different environments
    • Types of Resources, Subjects, Actions
    • Policy location and combination

10
General Characteristics
  • Defined using XML Schema
  • Strongly typed language
  • Extensible in multiple dimensions
  • Borrows from many other specifications
  • Features requiring XPath are optional
  • Obligation feature optional (IPR issue)
  • Language is very wordy
    • Many long URLs
    • Expect it to be generated by programs
  • Complex enough that there is more than one way to
    do most things

11
XACML Concepts
  • Policy / PolicySet: combining of applicable
    policies using a CombiningAlgorithm
  • Target: rapidly index to find applicable
    Policies or Rules
  • Conditions: complex boolean expression with many
    operands; arithmetic and string functions
  • Effect: Permit or Deny
  • Obligations: other required actions
  • Request and Response Contexts: input and output
  • Bag: unordered list which may contain duplicates

12
XACML Concepts
(Diagram of the containment hierarchy: a PolicySet holds
Policies and Obligations; a Policy holds Rules and
Obligations; PolicySet, Policy and Rule each carry a
Target; a Rule also carries a Condition and an Effect)
13
Request and Response Context
14
Rules
  • Smallest unit of administration, cannot be
    evaluated alone
  • Elements
    • Description: documentation
    • Target: select applicable policies
    • Condition: boolean decision function
    • Effect: either Permit or Deny
  • Results
    • If condition is true, return Effect value
    • If not, return NotApplicable
    • If error or missing data, return Indeterminate
    • Plus status code

15
Target
  • Designed to efficiently find the policies that
    apply to a request
  • Makes it feasible to have very complex Conditions
  • Attributes of Subjects, Resources and Actions
  • Matches against value, using match function
    • Regular expression
    • RFC822 (email) name
    • X.500 name
    • User defined
  • Attributes specified by Id or XPath expression
  • Normally use Subject or Resource, not both

16
Condition
  • Boolean function to decide if Effect applies
  • Inputs come from Request Context
  • Values can be primitive, complex or bags
  • Can be specified by id or XPath expression
  • Fourteen primitive types
  • Rich array of typed functions defined
  • Functions for dealing with bags
  • Order of evaluation unspecified
  • Allowed to quit when result is known
  • Side effects not permitted
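
The rule semantics of slides 14 to 16 (Target matching with typed match functions, a side-effect-free Condition over bags, and the Permit / Deny / NotApplicable / Indeterminate outcomes) are easiest to see in code. The following Python model is an added example, not code from the presentation or from any XACML implementation: it works on plain dictionaries shaped like the Request Context of slide 20 rather than on XACML XML, and the attribute ids (`subject-id`, `role`, `resource-id`, `action-id`), the match-function names, the rule and the request values are constructed for illustration. The rfc822Name matcher follows the three spellings XACML allows (full mailbox, domain, leading-dot subdomain) but is a simplification of the spec's function.

```python
import re
from collections import namedtuple
from typing import Callable, Dict, List, Optional

# The four outcomes a Rule can produce (slide 14).
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# Request context after slide 20: category -> attribute id -> bag of values.
# A bag is a plain list: "an unordered list which may contain duplicates".
RequestContext = Dict[str, Dict[str, List[str]]]

def attribute_bag(request: RequestContext, category: str, attr_id: str) -> List[str]:
    """The bag for an attribute, or the empty bag if the request does not carry it."""
    return request.get(category, {}).get(attr_id, [])

# Match functions a Target may use (slide 15): regexp, rfc822Name and plain string equality.
def regexp_match(pattern: str, value: str) -> bool:
    return re.search(pattern, value) is not None

def rfc822name_match(spec: str, address: str) -> bool:
    """'user@example.com' matches that mailbox (domain case-insensitive), 'example.com'
    matches any mailbox in that domain, '.example.com' any mailbox in a subdomain."""
    local, _, domain = address.rpartition("@")
    if "@" in spec:
        spec_local, _, spec_domain = spec.rpartition("@")
        return spec_local == local and spec_domain.lower() == domain.lower()
    if spec.startswith("."):
        return domain.lower().endswith(spec.lower())
    return domain.lower() == spec.lower()

MATCH_FUNCTIONS: Dict[str, Callable[[str, str], bool]] = {
    "regexp-match": regexp_match,
    "rfc822Name-match": rfc822name_match,
    "string-equal": lambda literal, value: literal == value,
}

# A Rule's Target is a list of (category, attribute id, match function name, literal);
# each entry must match at least one value in that attribute's bag.
Rule = namedtuple("Rule", "rule_id effect target condition")

def target_matches(target: List[tuple], request: RequestContext) -> Optional[bool]:
    """True if every entry matches, False if one does not, None when an attribute the
    Target needs is absent from the request (this toy treats that as missing data)."""
    for category, attr_id, fn_name, literal in target:
        bag = attribute_bag(request, category, attr_id)
        if not bag:
            return None
        if not any(MATCH_FUNCTIONS[fn_name](literal, value) for value in bag):
            return False
    return True

def evaluate_rule(rule: Rule, request: RequestContext) -> str:
    """Slide 14: Target and Condition true -> Effect; false -> NotApplicable;
    error or missing data -> Indeterminate (never silently Deny or Permit)."""
    matched = target_matches(rule.target, request)
    if matched is None:
        return INDETERMINATE
    if not matched:
        return NOT_APPLICABLE
    if rule.condition is None:          # no Condition means "always true"
        return rule.effect
    try:
        holds = rule.condition(request)
    except (LookupError, ValueError, TypeError):
        return INDETERMINATE            # an evaluation error is not a decision
    return rule.effect if holds else NOT_APPLICABLE

# --- Constructed sample: hypothetical attribute ids, values and rule ------------
def role_is_doctor(request: RequestContext) -> bool:
    """Condition over a bag: the requester's 'role' bag must contain 'doctor'."""
    roles = attribute_bag(request, "subject", "role")
    if not roles:
        raise LookupError("subject/role attribute missing")
    return "doctor" in roles

PERMIT_DOCTOR_READ = Rule(
    rule_id="permit-doctor-read", effect=PERMIT, condition=role_is_doctor,
    target=[("subject", "subject-id", "rfc822Name-match", "hospital.example"),
            ("resource", "resource-id", "regexp-match", r"^/records/[0-9]+$"),
            ("action", "action-id", "string-equal", "read")])

def sample_request(action: str = "read", roles: Optional[List[str]] = None) -> RequestContext:
    """Constructed request context: alice wants to act on patient record 42."""
    subject = {"subject-id": ["alice@Hospital.example"]}
    if roles is not None:
        subject["role"] = roles
    return {"subject": subject,
            "resource": {"resource-id": ["/records/42"]},
            "action": {"action-id": [action]},
            "environment": {"current-time": ["2002-11-07T10:00:00"]}}

if __name__ == "__main__":
    print(evaluate_rule(PERMIT_DOCTOR_READ, sample_request(roles=["doctor"])))    # Permit
    print(evaluate_rule(PERMIT_DOCTOR_READ, sample_request("write", ["doctor"])))  # NotApplicable
    print(evaluate_rule(PERMIT_DOCTOR_READ, sample_request()))                     # Indeterminate
```

The point to take from the three runs at the bottom is the separation slide 14 insists on: a non-matching Target or a false Condition yields NotApplicable, not Deny, while a missing attribute yields Indeterminate, so a policy enforcement point must treat anything other than Permit as "no access" rather than interpret absence of a Deny as permission.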

17
Datatypes
  • From XML Schema
    • String, boolean
    • Integer, double
    • Time, date
    • dateTime
    • anyURI
    • hexBinary
    • base64Binary
  • From XQuery
    • dayTimeDuration
    • yearMonthDuration
  • Unique to XACML
    • rfc822Name
    • x500Name

18
Functions
  • Equality predicates
  • Arithmetic functions
  • String conversion functions
  • Numeric type conversion functions
  • Logical functions
  • Arithmetic comparison functions
  • Date and time arithmetic functions
  • Non-numeric comparison functions
  • Bag functions
  • Set functions
  • Higher-order bag functions
  • Special match functions
  • XPath-based functions
  • Extension functions and primitive types

19
Policies and Policy Sets
  • Policy
    • Smallest element PDP can evaluate
    • Contains Description, Defaults, Target, Rules,
      Obligations, Rule Combining Algorithm
  • Policy Set
    • Allows Policies and Policy Sets to be combined
    • Use not required
    • Contains Description, Defaults, Target,
      Policies, Policy Sets, Policy References, Policy
      Set References, Obligations, Policy Combining
      Algorithm
  • Combining Algorithms: Deny-overrides,
    Permit-overrides, First-applicable,
    Only-one-applicable
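
The four combining algorithms named on slide 19 are what turn many Rule or Policy results into one decision, and the choice between them is a security decision in its own right. The Python below is an added example, not code from the presentation or from any XACML implementation: it folds lists of decision strings the way each algorithm does, then evaluates a small constructed tree of a Policy Set over two Policies. Two simplifications are deliberate and labelled in the code: the spec's deny-overrides and permit-overrides also look at the Effect of a rule that came back Indeterminate, which is omitted here, and only-one-applicable decides applicability from each child's Target, whereas this toy reads it from the child's result.

```python
from typing import Callable, Dict, List, Tuple, Union

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def deny_overrides(decisions: List[str]) -> str:
    """A single Deny wins; failing that an error is surfaced as Indeterminate; failing
    that any Permit wins; NotApplicable only if nothing applied. (Simplified: the spec
    additionally treats an Indeterminate rule whose Effect is Deny as a potential Deny.)"""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE

def permit_overrides(decisions: List[str]) -> str:
    """Mirror image of deny_overrides: a single Permit wins (same simplification)."""
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE

def first_applicable(decisions: List[str]) -> str:
    """Children are ordered; the first one that is not NotApplicable decides, so an
    Indeterminate met before any Permit or Deny is returned as-is."""
    for decision in decisions:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE

def only_one_applicable(decisions: List[str]) -> str:
    """Policy Sets only: exactly one child may apply; two or more applying is an error.
    Simplified: applicability is read from the result, the spec reads it from the Target."""
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE

COMBINING_ALGORITHMS: Dict[str, Callable[[List[str]], str]] = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}

# A node is either a leaf decision (the result of a Rule, see slide 14) or a pair
# (combining algorithm name, list of child nodes): a Policy over Rules, or a Policy Set
# over Policies and Policy Sets, exactly the nesting slide 19 describes.
Node = Union[str, Tuple[str, list]]

def evaluate_tree(node: Node) -> str:
    """Fold a Policy / Policy Set tree bottom-up with each level's combining algorithm."""
    if isinstance(node, str):
        return node
    algorithm, children = node
    return COMBINING_ALGORITHMS[algorithm]([evaluate_tree(child) for child in children])

def pep_allows(decision: str) -> bool:
    """Fail closed: a PEP grants access on Permit only; NotApplicable and Indeterminate
    both mean 'no grant', never 'no objection'."""
    return decision == PERMIT

# Constructed sample: a Policy Set where one Policy applies and one does not.
SAMPLE_POLICY_SET: Node = ("only-one-applicable", [
    ("deny-overrides", [PERMIT, DENY]),                  # records policy: a Deny rule fired
    ("first-applicable", [NOT_APPLICABLE, NOT_APPLICABLE]),  # billing policy: nothing matched
])

if __name__ == "__main__":
    print(evaluate_tree(SAMPLE_POLICY_SET))   # Deny
    print(pep_allows(evaluate_tree(SAMPLE_POLICY_SET)))   # False
```

Running the sample shows why algorithm choice matters: the same two rule results ([Permit, Deny]) yield Deny under deny-overrides, Permit under permit-overrides and Permit under first-applicable, so a policy author who reorders rules or swaps the algorithm can silently flip a decision. Conformance tests of the kind listed on slide 21 are the place to pin those expectations down.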

20
Request and Response Context
  • Request Context
    • Attributes of
      • Subjects: requester, intermediary, recipient,
        etc.
      • Resource: name, can be hierarchical
      • Resource Content: specific to resource type,
        e.g. XML document
      • Action: e.g. Read
      • Environment: other, e.g. time of request
  • Response Context
    • Resource ID
    • Decision
    • Status (error values)
    • Obligations

21
XACML Status
  • First Meeting: 21 May 2001
  • Weekly or bi-weekly calls; 7 F2F Meetings
  • Requirements from Healthcare, DRM, Registry,
    Financial, Online Web, XML Docs, Fed Gov,
    Workflow, Java, Policy Analysis, WebDAV
  • Deliverables: Glossary, Use Cases and Requirements,
    Domain Model, 2 Schemas, Policy Semantics,
    Conformance Tests, Profiles, Security and Privacy
    Considerations, Extensibility Points
  • Committee Specification: 7 November 2002
  • Public Comment Period: 8 November - 8 December
  • Submit to OASIS: possibly December 12