Tutorial on XACML - PowerPoint PPT Presentation

About This Presentation
Title:

Tutorial on XACML

Description:

Tutorial on XACML. Audumbar. Access control and privacy. ... http://server.example.com/code/docs/developer-guide.html – PowerPoint PPT presentation

Number of Views:165
Avg rating:3.0/5.0
Slides: 28
Provided by: Aud134
Category:
Tags: xacml | html | tutorial

less

Transcript and Presenter's Notes

Title: Tutorial on XACML


1
Tutorial on XACML
  • Audumbar

2
Access control and privacy
  • Who can access what, under what conditions,
  • and for what purpose

3
XACML - About
  • The eXtensible Access Control Markup Language is
    an OASIS Standard
  • The XACML standard provides
  • Policy Language
  • Request and Response Language
  • Standard data-types, functions, combining
    algorithms
  • Extensibility
  • Privacy profile, RBAC profile
  • An architecture defining the major components in
    an implementation

4
General terms
  • Resource
  • Data, system component or service
  • Subject
  • An actor who makes a request to access certain
    Resources.
  • Action
  • An operation on resource
  • Environment
  • The set of attributes that are relevant to an
    authorization decision and are independent of a
    particular subject, resource or action
  • Attributes
  • Characteristics of a subject, resource, action or
    environment
  • Target
  • Defines conditions that determine whether policy
    applies to request

5
Usage Scenario
PEP
  • Policy Enforcement Point (PEP)
  • Entity protecting the resource(e.g. file system)
  • Performs access control by making decision
    requests and enforcing authorization decisions.

6
Usage Scenario
  • Policy Administration Point (PAP)
  • creates security policies and stores these
    policies in the repository.

PAP
7
Usage Scenario
  • Context Handler
  • A Context is the canonical representation of a
    decision request and an authorization decision.
  • Context Handler can be defined to convert the
    requests in its native format to the XACML
    canonical form and to convert the Authorization
    decisions in the XACML canonical form to the
    native format.

Context Handler
8
Usage Scenario
  • The Policy Decision Point (PDP)
  • Receives and examines the request
  • Retrieves applicable policies
  • evaluates the applicable policy and
  • Returns the authorization decision to PEP

PDP
9
Usage Scenario
  • Policy Information Point (PIP)
  • serves as the source of attribute values, or the
    data required for policy evaluation.

PIP
10
How does it work Data Flow
11
XACML Policy Structure
12
Policy Language model
13
XACML Policy Example
  • ltPolicy PolicyId"ExamplePolicy"
  • RuleCombiningAlgId"urnoasisnamestcx
    acml1.0rule-combining-algorithmpermit-overrides
    "gt
  • ltTargetgt
  • ltSubjectsgt ltAnySubject/gtlt/Subjectsgt
  • ltResourcesgtltResourcegt
  • ltResourceMatch MatchId"urnoasisnamestcxacml
    1.0functionanyURI-equal"gt
  • ltAttributeValue DataType"http
    //www.w3.org/2001/XMLSchemaanyURI"gthttp//server.
    example.com/code /docs/developer-guide.htmllt/Att
    ributeValuegt
  • ltResourceAttributeDesignator
    DataType"http//www.w3.org/2001/XMLSchemaanyURI"

  • AttributeId"urnoasisnamestcxacml1.0resource
    resource-id"/gt
  • lt/ResourceMatchgt
  • lt/Resourcegtlt/Resourcesgt
  • ltActionsgtltAnyAction/gtlt/Actionsgt
  • lt/Targetgt
  • ltRule RuleId"ReadRule" Effect"Permit"gt
  • lt/Rulegt
  • lt/Policygt

14
Policy Example contd
  • ltRule RuleId"ReadRule" Effect"Permit"gt
  • ltTargetgt
  • ltSubjectsgtltAnySubject/gtlt/Subjectsgt
  • ltResourcesgtltAnyResource/gtlt/Resourcesgt
  • ltActionsgt
  • ltActiongt
  • ltActionMatch MatchId"urnoasisnamestcxacml
    1.0functionstring-equal"gt
  • ltAttributeValue DataType"http//www.w3.org/200
    1/XMLSchemastring"gtreadlt/AttributeValuegt
  • ltActionAttributeDesignator DataType"http//www
    .w3.org/2001/XMLSchemastring
    AttributeId"urnoasisnamestcxacml1.0ac
    tionaction-id"/gt
  • lt/ActionMatchgt
  • lt/Actiongt
  • lt/Actionsgt
  • lt/Targetgt
  • ltCondition FunctionId"urnoasisnamestcxacml1
    .0functionstring-equal"gt
  • ltApply FunctionId"urnoasisnamestcxacml1.0
    functionstring-one-and-only"gt
  • ltSubjectAttributeDesignator DataType"http//www
    .w3.org/2001/XMLSchemastring
    AttributeId"group"/gt
  • lt/Applygt
  • ltAttributeValue DataType"http//www.w3.org/2001
    /XMLSchemastring"gtdeveloperslt/AttributeValuegt
  • lt/Conditiongt

15
XACML Request Structure
16
Request Example
  • ltRequestgt
  • ltSubjectgt
  • ltAttribute AttributeId"urnoasisnamestcxacml
    1.0subjectsubject-id" DataType"urnoasisn
    amestcxacml1.0data-typerfc822Name"gt
    ltAttributeValuegtxyz_at_users.example.comlt/Attribu
    teValuegt
  • lt/Attributegt
  • ltAttribute AttributeId"group"
    DataTypehttp//www.w3.org/2001/XMLSchemastring
    Issuer"admin_at_users.example.com"gt
    ltAttributeValuegtdeveloperslt/AttributeValuegt
  • lt/Attributegt
  • lt/Subjectgt
  • ltResourcegt
  • ltAttribute AttributeId"urnoasisnamestcxacml
    1.0resourceresource-id" DataType"http//ww
    w.w3.org/2001/XMLSchemaanyURI"gt
    ltAttributeValuegthttp//server.example.com/code
    /docs/developer-guide.html lt/AttributeValuegt
  • lt/Attributegt
  • lt/Resourcegt
  • ltActiongt
  • ltAttribute AttributeId"urnoasisnamestcxacml
    1.0actionaction-id" DataType"http//www.w
    3.org/2001/XMLSchemastring"gt ltAttributeValue
    gtreadlt/AttributeValuegt
  • lt/Attributegt
  • lt/Actiongt
  • lt/Requestgt

17
XACML Response Structure
18
XACML Response Example
  • ltResponsegt
  • ltResultgt
  • ltDecisiongtPermitlt/Decisiongt
  • ltStatusgt
  • ltStatusCode Value"urnoasisnamestcxacml1.0
    statusok"/gt lt/Statusgt
  • lt/Resultgt
  • lt/Responsegt
  • Effect
  • Permit/Deny/Not Applicable/Indeterminate

19
Combining Algorithms
  • Deny-overrides
  • if any evaluation returns Deny, then the result
    must be Deny.
  • If all rules evaluate to Permit, then the result
    is Permit.
  • Permit-overrides
  • if any rule evaluates to Permit, then the result
    of is Permit.
  • If any rule evaluates to Deny and all other rules
    evaluate to NotApplicable, then the result is
    Deny.
  • If all rules are found to be NotApplicable, then
    the result is NotApplicable.

20
Combining Algorithms
  • First applicable rules evaluated in their
    listing order
  • For each rule, if the target matches and the
    condition evaluates to True, then the result of
    that rule will be the evaluation of the policy
    (either Permit, Deny, or Indeterminate).
  • Otherwise, the algorithm goes to the next rule.
    If no rule applies, then the result is
    NotApplicable.
  • Only-one-applicable
  • For all of policies in the policy set, if no
    policy applies, then the result is NotApplicable.
  • If more than one policy applies, then the result
    is Indeterminate.
  • If only one policy applies, then the result is
    the result of evaluating that policy.

21
Extensibility
  • Extensible XML attribute types
  • The following XML attributes with values that are
    URIs, may be extended by the creation of new URIs
    associated with new semantics for these
    attributes.
  • AttributeId, DataType, FunctionId, MatchId,
    ObligationId, PolicyCombiningAlgId,
    RuleCombiningAlgId, StatusCode, SubjectCategory.
  • For a given structured data-type, a community of
    XACML users MAY define new attribute identifiers
    for each leaf sub-element of the structured
    data-type that has a type conformant with one of
    the XACML-defined primitive data-types.
  • A community of XACML users MAY define a new
    function that can be used to compare a value of
    the structured data-type against some other
    value. This method may only be used by PDPs that
    support the new function.

22
Privacy profile
  • This profile defines two attributes.
  • urnoasisnamestcxacml2.0resourcepurpose
  • the purpose for which the data resource was
    collected
  • urnoasisnamestcxacml2.0actionpurpose
  • the purpose for which access to the data
    resource is requested
  • Matching purpose rule
  • Deny-Overrides
  • access SHALL be denied unless the purpose for
    which access is requested matches, by
    regular-expression match, the purpose for which
    the data resource was collected.

23
RBAC profile
  • Scope
  • If a subject has roles R1 , R2, ... Rn enabled,
    can subject X access a given resource using a
    given action?
  • Is subject X allowed to have role Ri enabled?
  • If a subject has roles R1 , R2, ... Rn enabled,
    does that mean the subject will have permissions
    associated with a given role R'? That is, is role
    R' either equal to or junior to any of roles R1 ,
    R2, Rn?

24
RBAC Profile Policies
  • Role ltPolicySetgt,
  • Each Role ltPolicySetgt references a single
    corresponding Permission ltPolicySetgt
  • Permission ltPolicySetgt,
  • actual permissions associated with a given role,
  • references to Permission ltPolicySetgts associated
    with other roles that are junior to the given
    role
  • Role Assignment ltPolicygt or ltPolicySetgt
  • which roles can be enabled or assigned to which
    subjects
  • HasPrivilegesOfRole ltPolicygt
  • a ltPolicygt in a Permission ltPolicySetgt that
    supports requests
  • asking whether a subject has the privileges
    associated with a given role.

25
XACML implementations
  • Using SUN XACML implementation
  • Building a PDP
  • Building a PEP
  • Creating and Encoding Policies
  • Validating policies and requests
  • Supporting attribute selectors
  • XACMLight Apache Axis2 Web Service XACML 2.0
    PDP/PAP Implementation
  • XACML Policy editors

26
Limitations
  • XACML is verbose and complex in some ways.
  • Interactions involving PAP, PIP, etc., are not
    standardized.
  • Policy administration, policy versioning, etc.,
    are not standardized.

27
References
  • OASIS XACML Technical Committee Home Page
  • http//www.oasis-open.org/committees/tc_home.php?w
    g_abbrevxacml
  • Sun's XACML Open Source Implementation
  • http//sunxacml.sourceforge.net/
Write a Comment
User Comments (0)
About PowerShow.com