OASIS eXtensible Access Control Markup Language XACML - PowerPoint PPT Presentation

1 / 21
About This Presentation
Title:

OASIS eXtensible Access Control Markup Language XACML

Description:

Same attribute used in multiple resource decisions ... Language is very 'wordy' Many long URLs. Expect it to be generated by programs ... – PowerPoint PPT presentation

Number of Views:78
Avg rating:3.0/5.0
Slides: 22
Provided by: listsOa
Category:

less

Transcript and Presenter's Notes

Title: OASIS eXtensible Access Control Markup Language XACML


1
OASIS eXtensible Access Control Markup Language
(XACML)
  • Hal Lockhart
  • hal.lockhart_at_entegrity.com

2
Outline
  • Overview Theory
  • XACML Charter and Objectives
  • Concepts and processing
  • Rules, Policies and Policy Sets
  • Request and Response Contexts
  • XACML Status

3
First a Little Theory
4
Types of Authorization Info - 1
  • Attribute Assertion
  • Properties of a system entity (typically a
    person)
  • Relatively abstract business context
  • Same attribute used in multiple resource
    decisions
  • Examples X.509 Attribute Certificate, SAML
    Attribute Statement, XrML PossessProperty
  • Authorization Policy
  • Specifies all the conditions required for access
  • Specifies the detailed resources and actions
    (rights)
  • Can apply to multiple subjects, resources, times
  • Examples XACML Policy, XrML License, X.509
    Policy Certificate

5
Types of Authorization Info - 2
  • AuthZ Decision
  • Expresses the result of a policy decision
  • Specifies a particular access that is allowed
  • Intended for immediate use
  • Example SAML AuthZ Decision Statement, IETF COPS

6
Implications of this Model
  • Benefits
  • Improved scalability
  • Separation of concerns
  • Enables federation
  • Distinctions not absolute
  • Attributes can seem like rights
  • A policy may apply to one principal, resource
  • Systems with a single construct tend to evolve to
    treating principal or resource as abstraction

7
XACML TC Charter
  • Define a core XML schema for representing
    authorization and entitlement policies
  • Target - any object - referenced using XML
  • Fine grained control, characteristics - access
    requestor, protocol, classes of activities, and
    content introspection
  • Consistent with and building upon SAML

8
XACML Membership
  • Affinitex
  • Crosslogix
  • Entegrity Solutions
  • Entrust
  • Hitachi (Quadrasis)
  • IBM
  • OpenNetworks
  • Overxeer, inc.
  • Pervasive Security Systems
  • Sterling Commerce
  • Sun Microsystems
  • Xtradyne
  • Various individual members

9
XACML Objectives
  • Ability to locate policies in distributed
    environment
  • Ability to federate administration of policies
    about the same resource
  • Base decisions on wide range of inputs
  • Multiple subjects, resource properties
  • Decision expressions of unlimited complexity
  • Ability to do policy-based delegation
  • Usable in many different environments
  • Types of Resources, Subjects, Actions
  • Policy location and combination

10
General Characteristics
  • Defined using XML Schema
  • Strongly typed language
  • Extensible in multiple dimensions
  • Borrows from many other specifications
  • Features requiring XPath are optional
  • Obligation feature optional (IPR issue)
  • Language is very wordy
  • Many long URLs
  • Expect it to be generated by programs
  • Complex enough that there is more than one way to
    do most things

11
XACML Concepts
  • Policy PolicySet combining of applicable
    policies using CombiningAlgorithm
  • Target Rapidly index to find applicable
    Policies or Rules
  • Conditions Complex boolean expression with many
    operands, arithmetic string functions
  • Effect Permit or Deny
  • Obligations Other required actions
  • Request and Response Contexts Input and Output
  • Bag unordered list which may contain duplicates

12
XACML Concepts
Target
Target
Target
Condition
Effect
Rules
Obligations
Policies
Obligations
PolicySet
13
Request and Response Context
14
Rules
  • Smallest unit of administration, cannot be
    evaluated alone
  • Elements
  • Description documentation
  • Target select applicable policies
  • Condition boolean decision function
  • Effect either Permit or Deny
  • Results
  • If condition is true, return Effect value
  • If not, return NotApplicable
  • If error or missing data return Indeterminate
  • Plus status code

15
Target
  • Designed to efficiently find the policies that
    apply to a request
  • Makes it feasible to have very complex Conditions
  • Attributes of Subjects, Resources and Actions
  • Matches against value, using match function
  • Regular expression
  • RFC822 (email) name
  • X.500 name
  • User defined
  • Attributes specified by Id or XPath expression
  • Normally use Subject or Resource, not both

16
Condition
  • Boolean function to decide if Effect applies
  • Inputs come from Request Context
  • Values can be primitive, complex or bags
  • Can be specified by id or XPath expression
  • Fourteen primitive types
  • Rich array of typed functions defined
  • Functions for dealing with bags
  • Order of evaluation unspecified
  • Allowed to quit when result is known
  • Side effects not permitted

17
Datatypes
  • From XML Schema
  • String, boolean
  • Integer, double
  • Time, date
  • dateTime
  • anyURI
  • hexBinary
  • base64Binary
  • From Xquery
  • dayTimeDuration
  • yearMonthDuration
  • Unique to XACML
  • rfc822Name
  • x500Name

18
Functions
  • Equality predicates
  • Arithmetic functions
  • String conversion functions
  • Numeric type conversion functions
  • Logical functions
  • Arithmetic comparison functions
  • Date and time arithmetic functions
  • Non-numeric comparison functions
  • Bag functions
  • Set functions
  • Higher-order bag functions
  • Special match functions
  • XPath-based functions
  • Extension functions and primitive types

19
Policies and Policy Sets
  • Policy
  • Smallest element PDP can evaluate
  • Contains Description, Defaults, Target, Rules,
    Obligations, Rule Combining Algorithm
  • Policy Set
  • Allows Policies and Policy Sets to be combined
  • Use not required
  • Contains Description, Defaults, Target,
    Policies, Policy Sets, Policy References, Policy
    Set References, Obligations, Policy Combining
    Algorithm
  • Combining Algorithms Deny-overrides,
    Permit-overrides, First-applicable,
    Only-one-applicable

20
Request and Response Context
  • Request Context
  • Attributes of
  • Subjects requester, intermediary, recipient,
    etc.
  • Resource name, can be hierarchical
  • Resource Content specific to resource type,
    e.g. XML document
  • Action e.g. Read
  • Environment other, e.g. time of request
  • Response Context
  • Resource ID
  • Decision
  • Status (error values)
  • Obligations

21
XACML Status
  • First Meeting 21 May 2001
  • Weekly or bi-weekly calls 7 F2F Meetings
  • Requirements from Healthcare, DRM, Registry,
    Financial, Online Web, XML Docs, Fed Gov,
    Workflow, Java, Policy Analysis, WebDAV
  • Deliverables Glossary, Usecases Requirements,
    Domain Model, 2 Schemas, Policy Semantics,
    Conformance Tests, Profiles, Security Privacy
    Considerations, Extensibility Points
  • Committee Specification 7 November 2002
  • Public Comment Period 8 November 8 December
  • Submit to OASIS Possibly December 12
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "OASIS eXtensible Access Control Markup Language XACML" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!