XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Developer

In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.



Usage Rights: CC Attribution-NonCommercial License
  • Pronunciation. OASIS standard: v3.0 approved in January 2013; v1.0 approved in 2003 (10 years ago!). XACML is expressed as a specification document and an XML schema: http://www.oasis-open.org/committees/xacml/
  • Once upon a time, access control was about who you were. What mattered was your identity, or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why… Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins.
  • Context attributes: device type, IP, time of the day. Action attributes: action id (create, approve, view).
  • Policy Enforcement Point: in the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can come in many different form factors depending on the type of resource being protected.
    Policy Decision Point: the PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision – one of Permit, Deny, Not Applicable, or Indeterminate.
    Policy Retrieval Point: the PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms, such as a database, a file, or a web service call to a remote repository.
    Policy Information Point: XACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc. In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs, where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.
    Policy Administration Point: the PAP's purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
  • Need to clarify the location constraint. Permit is assuming that Alice's location == the location of PO 12367.

Presentation Transcript

  • XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer (#CISNapa - @davidjbrossard - @axiomatics)
  • What is XACML? eXtensible Access Control Markup Language. Not guacamole. De facto standard, defined at OASIS.
  • XACML in the IAM spectrum: one of the several standards in the #IAM family, alongside SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*.
  • Why XACML? In a web 3.0 world where it's about small apps and your data, it's time to get leaks under control.
  • What's Attribute-based Access Control?
  • In the olden days, authorization was about: Who?
  • Authorization should really be about… Who? What? When? Where? How? Why?
  • Example Scenario: Managing Purchase Orders. A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
  • Attributes. Resource attributes: resource type, PO Id, PO amount, PO location, PO creator, PO status. Subject attributes: identity, department, location, approval limit, role. Action attributes: action type. Environment attributes: device type, IP address, time of day. (Icons: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O'Shea, Clock by Brandon Hopkins, all from The Noun Project.)
  • A simple rule: anyone in the purchasing department can create purchase orders.
  • A richer rule: a manager in the purchasing department can approve purchase orders up to their approval limit, if and only if the PO location and the manager location are the same, and if and only if the manager is not the PO creator.
  • XACML 101 – The Basics
  • What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • XACML Architecture & Flow: Enforce (Policy Enforcement Point), Decide (Policy Decision Point), Manage (Policy Administration Point), Support (Policy Information Point, Policy Retrieval Point). Example flow: Alice tries to access Document #123; the PEP asks the PDP "Can Alice access Document #123?"; the PDP loads the XACML policies (from the PRP), retrieves the user role, clearance and document classification (from the PIP), and answers "Yes, Permit".
  • What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • Language Elements of XACML: 3 structural elements, PolicySet, Policy and Rule. Root: either of PolicySet or Policy. PolicySets contain any number of PolicySets & Policies. Policies contain Rules. Rules contain an Effect: Permit / Deny. Combining Algorithms.
  • Sample XACML Policy: a root PolicySet containing PolicySet / Policy / Rule (Effect=Permit), Rule (Effect=Deny) and PolicySet / Policy / Rule (Effect=Permit).
  • Language Structure: Russian dolls. PolicySet, Policy & Rule can contain Targets, Obligations, Advice. Rules can contain Conditions. (Diagram: a Policy Set with a Target and an Obligation, containing a Policy with a Target and an Obligation, containing a Rule with Effect=Permit, a Target, an Obligation and a Condition.)
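The two purchase-order rules and the PolicySet / Policy / Rule nesting above can be put together into a toy decision point. The following is an added example, not code from the presentation or from Axiomatics: it models Targets, Conditions, Effects and a simplified deny-overrides combining algorithm, then evaluates the "simple rule" and the "richer rule" against constructed requests in the four-category shape of the slides. The attribute names (subject-id, department, approval-limit, po-location, po-creator, …), the sample users and the values for PO 12367 are assumptions made for this example.

```python
"""Toy XACML-style PDP for the purchase-order scenario (added example; not
code from the presentation or from Axiomatics).  Attribute names, users and
the PO 12367 values below are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")
Predicate = Callable[[dict], bool]
ALWAYS: Predicate = lambda req: True


def attr(req: dict, category: str, name: str):
    """Look up one attribute of the request; None if the PEP did not send it."""
    return req.get(category, {}).get(name)


@dataclass
class Rule:
    rule_id: str
    effect: str                    # Permit or Deny
    target: Predicate = ALWAYS     # coarse match: which requests the rule is for
    condition: Predicate = ALWAYS  # fine-grained check once the target matches

    def evaluate(self, req: dict) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except TypeError:          # e.g. a comparison against a missing attribute
            return INDETERMINATE


def deny_overrides(decisions: List[str]) -> str:
    """Simplified deny-overrides: Deny beats everything, then Indeterminate,
    then Permit; a container whose children all abstain is NotApplicable."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    target: Predicate = ALWAYS
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: dict) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return self.combine([rule.evaluate(req) for rule in self.rules])


@dataclass
class PolicySet:
    policyset_id: str
    children: list                 # Policies and/or nested PolicySets (Russian dolls)
    target: Predicate = ALWAYS
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: dict) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        return self.combine([child.evaluate(req) for child in self.children])


def po_action(action_id: str) -> Predicate:
    return lambda req: attr(req, "action", "action-id") == action_id


# "Anyone in the purchasing department can create purchase orders."
create_po = Rule("create-po", PERMIT, target=po_action("create"),
                 condition=lambda r: attr(r, "subject", "department") == "purchasing")

# "A manager in the purchasing department can approve POs up to their approval
# limit, iff PO location == manager location, iff the manager is not the creator."
approve_po = Rule("approve-po", PERMIT, target=po_action("approve"),
                  condition=lambda r: (
                      attr(r, "subject", "role") == "Manager"
                      and attr(r, "subject", "department") == "purchasing"
                      and attr(r, "resource", "po-amount") <= attr(r, "subject", "approval-limit")
                      and attr(r, "resource", "po-location") == attr(r, "subject", "location")
                      and attr(r, "resource", "po-creator") != attr(r, "subject", "subject-id")))

# An explicit Deny rule, so deny-overrides has something to override with.
no_self_approval = Rule("no-self-approval", DENY, target=po_action("approve"),
                        condition=lambda r: attr(r, "resource", "po-creator")
                        == attr(r, "subject", "subject-id"))

ROOT = PolicySet("root", [
    Policy("purchase-orders", [create_po, approve_po, no_self_approval],
           target=lambda r: attr(r, "resource", "resource-type") == "Purchase Order"),
])


def decide(req: dict) -> str:
    """The decision the PDP hands back to the PEP; a deny-biased PEP treats
    anything other than Permit as "no"."""
    return ROOT.evaluate(req)


def po_request(subject: dict, po: dict, action_id: str) -> dict:
    """Constructed request in the four-category shape shown on the slides."""
    return {"subject": subject,
            "resource": {"resource-type": "Purchase Order", **po},
            "action": {"action-id": action_id},
            "environment": {"device-type": "Laptop"}}


ALICE = {"subject-id": "Alice", "role": "Manager", "department": "purchasing",
         "location": "Napa", "approval-limit": 10000}
BOB = {**ALICE, "subject-id": "Bob"}
DAVE = {"subject-id": "Dave", "role": "Manager", "department": "purchasing",
        "location": "Napa"}                        # approval-limit never provided
PO_12367 = {"po-id": "12367", "po-amount": 4200, "po-location": "Napa",
            "po-creator": "Bob", "po-status": "pending"}

if __name__ == "__main__":
    print(decide(po_request(ALICE, PO_12367, "approve")))  # Permit
    print(decide(po_request(BOB, PO_12367, "approve")))    # Deny (own PO)
    print(decide(po_request(DAVE, PO_12367, "approve")))   # Indeterminate
    print(decide(po_request(ALICE, {**PO_12367, "po-location": "Sonoma"}, "approve")))  # NotApplicable
```

Two behaviours are worth noticing. A rule whose condition is false says nothing (NotApplicable) rather than denying, which is why the PEP must be deny-biased; and a missing attribute (Dave has no approval limit) surfaces as Indeterminate rather than a silent Permit, which is the PDP's cue to go and ask a PIP.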
  • What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • Structure of a XACML Request / Response. XACML Request ("Can Manager Alice approve Purchase Order 12367?"): Subject: user id = Alice, role = Manager; Action: action id = approve; Resource: resource type = Purchase Order, PO # = 12367; Environment: device type = Laptop. XACML Response ("Yes, she can"): Result: Decision = Permit, Status = ok. The core XACML specification does not define any specific transport / communication protocol: developers can choose their own; the SAML profile defines a binding to send requests/responses over SAML assertions.
  • So what's in it for the developer?
  • #1 A single authorization model & framework
  • #1.a working across all layers
  • #1.b and across different technology stacks: Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal. (Chart: share of programming languages, Feb 2013.)
  • #2 A rich language to express many scenarios: ACLs, RBAC, ABAC, whitelists, segregation-of-duty, relation-based, trust elevation, device-based, break the glass, privacy protection, rich business flows, data redaction.
  • #3 Developer-friendly APIs: the REST profile of XACML (OASIS XACML profile, designed by Remon Sinnema of EMC2): XML over HTTP, JSON over HTTP.
  • #3 Developer-friendly APIs (cont'd): drop the… Use curl, Perl, and Python with the REST API: curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
  • #4 Simplified request/response: use the JSON profile of XACML. Idea: remove the verbose aspects of XACML, focus on the key points, make a request easy to read.
  • #4 Sample XACML before JSON (cont'd):
      <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
      </xacml-ctx:Request>
  • #4 Sample XACML using JSON (cont'd):
      {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
       "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
       "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
  • #4 JSON & XML side-by-side comparison: size of a XACML request. (Charts: word count, XML vs JSON, on a 0-50 scale; character count, XML vs JSON, on a 0-1400 scale.)
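The compact JSON document and the verbose XML request above carry exactly the same information; the difference is the category and attribute URNs and the element boilerplate. The following is an added example, not code from the presentation or from Axiomatics: it expands a request in the compact shape sketched on the JSON slide into the full XACML 3.0 XML request, parses it back to check the round trip, and measures the size difference the comparison slide charts. The short-id-to-URN table is an assumption made for this example (the JSON slide uses "username" where the XML uses the subject-id URN), and the dict keys follow the slide's sketch, not the key names of the final OASIS JSON profile.

```python
"""Added example (not from the presentation or from Axiomatics): JSON-style
XACML request <-> XACML 3.0 XML request, plus a size comparison.  The
short-id mapping and the sample request are constructed for this example."""
import json
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Slide-style category names -> XACML 3.0 category URNs (as in the XML slide).
CATEGORY_URN = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
}
# Short attribute ids used on the JSON slide -> core attribute URNs.
# Ids that are not listed here are passed through unchanged (assumption).
ATTRIBUTE_URN = {
    "username": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "resource-id": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "action-id": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

# Constructed sample: the request from the JSON slide, as a Python dict.
JSON_REQUEST = {
    "subject": {"attribute": [{"attributeId": "username", "value": "alice"}]},
    "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
    "action": {"attribute": [{"attributeId": "action-id", "value": "say"}]},
}


def json_to_xml_request(doc: dict, include_in_result: bool = True) -> str:
    """Expand the compact document into the full XML <Request>."""
    ET.register_namespace("xacml-ctx", XACML_NS)
    root = ET.Element(f"{{{XACML_NS}}}Request",
                      {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, urn in CATEGORY_URN.items():          # same order as the slide
        attrs = ET.SubElement(root, f"{{{XACML_NS}}}Attributes", {"Category": urn})
        for a in doc.get(category, {}).get("attribute", []):
            attribute = ET.SubElement(
                attrs, f"{{{XACML_NS}}}Attribute",
                {"AttributeId": ATTRIBUTE_URN.get(a["attributeId"], a["attributeId"]),
                 "IncludeInResult": "true" if include_in_result else "false"})
            value = ET.SubElement(attribute, f"{{{XACML_NS}}}AttributeValue",
                                  {"DataType": XS_STRING})
            value.text = str(a["value"])
    return ET.tostring(root, encoding="unicode")


def xml_request_to_json(xml_text: str) -> dict:
    """Reverse mapping; categories with no attributes are left out, as on the slide."""
    urn_to_category = {v: k for k, v in CATEGORY_URN.items()}
    urn_to_attr = {v: k for k, v in ATTRIBUTE_URN.items()}
    doc: dict = {}
    for attrs in ET.fromstring(xml_text).findall(f"{{{XACML_NS}}}Attributes"):
        category = urn_to_category[attrs.get("Category")]
        for attribute in attrs.findall(f"{{{XACML_NS}}}Attribute"):
            raw_id = attribute.get("AttributeId")
            value = attribute.find(f"{{{XACML_NS}}}AttributeValue").text
            doc.setdefault(category, {"attribute": []})["attribute"].append(
                {"attributeId": urn_to_attr.get(raw_id, raw_id), "value": value})
    return doc


def size_report(doc: dict) -> dict:
    """The two numbers the comparison slide charts: words and characters."""
    xml_text = json_to_xml_request(doc)
    json_text = json.dumps(doc, separators=(",", ":"))
    return {"xml_chars": len(xml_text), "json_chars": len(json_text),
            "xml_words": len(xml_text.split()), "json_words": len(json_text.split())}


if __name__ == "__main__":
    print(json_to_xml_request(JSON_REQUEST))
    print(size_report(JSON_REQUEST))
```

The XML produced for this three-attribute request is well over a thousand characters, against a couple of hundred for the compact JSON, which is the ratio the slide's bar chart shows; the round trip through xml_request_to_json is a cheap check that nothing was lost in the translation.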
  • #5 Easy authoring tools: natural language authoring; Axiomatics Language for Authorization (ALFA); a research initiative from TSSG; and many more coming…
  • #5 Axiomatics Language for AuthZ (cont'd): provide the right tools for easy authoring of XACML policies. Plugs into the Eclipse IDE; high-level syntax; auto-complete; automatic translation to XACML 3.0.
  • Wrapping up: benefits for the developer
  • Benefits of using XACML #1: one consistent authorization model, many different applications. Decide once, enforce everywhere.
  • Benefits of using XACML #2: adios endless if, else statements; hello simple if(authorized()). (Chart: Developer Happiness Index, plotted against the number of if / else statements terminated.)
  • Benefits of using XACML #3: security potholes are a thing of the past. XACML is the concrete that fills in the cracks in your authorization wall.
  • Benefits of using XACML #4: let developers do what they know best. Offload auditing and info security to security architects & auditors by externalizing authorization. Happy developer, happy auditor.
  • Next steps? Download the XACML SDK, download the ALFA plugin, download Eclipse, code in your favorite language.
  • Q&A. Questions? Contact us at info@axiomatics.com