Authorization The Missing Piece of the Puzzle

Presented by Srijith Nair from Axiomatics at Nordic APIs in Copenhagen the 21st of May 2013

Transcript

  • 1. Authorization: The Missing Piece of the Puzzle
    Srijith Nair, Director, Developer Relations (@srijith, @axiomatics)
    © 2013, Axiomatics AB
  • 2. Show of hands: Authorization? XACML?
  • 3. Authentication (AuthN)
    Identity is key: services need to know who you are, and you need to prove who you are. Several protocols exist to support authentication.
    “Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”
  • 4. Authorization (AuthZ)
    Identity is key, but it is not everything. Authentication proves your identity; it does not decide what that identity entails. Enter authorization.
    “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
  • 5. AuthN vs. AuthZ
    Some frameworks and standards confuse the two phases: often AuthN ≡ AuthZ, i.e. if you have authenticated, you are in. AuthZ is part of a bigger process: identify, authenticate, authorize. Think of the access to your APIs.
  • 6. AuthZ addresses various concerns
    Business-driven authorization: let “Gold” customers access APIs 1 and 2 but not 3; let “Platinum” customers access all APIs.
    Compliance-driven authorization: do not let traders approve transactions they requested.
    Privacy-driven authorization: do not disclose medical data to non-employee users.
  • 7. Authorization approaches
    Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC).
    RBAC is widely adopted, well understood and industry-standard, and simple; most apps support some form of RBAC.
  • 8. Problem with RBAC?
    Inflexible and static; difficult to define fine-grained access control rules; doesn't scale (role explosion).
    How do you implement the rule “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship”?
    Where's the role? Doctor. What's a patient? A record? A care relationship?
  • 9. Attributes, attributes, attributes!
    Pull out the highlighter: what if we were not limited to roles? “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship.” Doctor, record, patient, unit and care relationship are all attributes of the subject, the resource or the relation between them.
  • 10. Attribute-based access control
    Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language that is used to define access control rules and to describe access requests.
    Attributes are sets of labels or properties that describe all aspects of entities that must be considered for authorization purposes. Each attribute is a key-value pair such as “Class=Gold” or “OS=Windows”.
  • 11. ABAC – beyond RBAC
    Role-Based Access Control: User → Role → Permissions; static and pre-defined.
    Attribute-Based Access Control: User + Action + Resource + Context, expressed as attributes and policies; dynamic and adaptive.
    Example: doctors can open and edit a patient's health record in the hospital emergency room at 3PM.
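The doctor rule from slide 8, evaluated on attributes instead of roles, as an added example (not code from the talk or from Axiomatics). The attribute names (role, unit, care_relationships, patient_id) and the sample doctors and records are assumptions constructed for illustration; the three outcomes are the ones a XACML rule can return, so the mapping to a PDP is direct.

```python
# Added example, not from the slides: "doctors may view the records of patients
# assigned to their unit and edit the records of patients with whom they have a
# care relationship", evaluated on attributes. Attribute names are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    unit: str
    care_relationships: frozenset = field(default_factory=frozenset)  # patient ids


@dataclass(frozen=True)
class Record:
    patient_id: str
    unit: str            # unit the patient is assigned to


def decide(subject, action, record):
    """Return "Permit", "Deny" or "NotApplicable", the outcomes a XACML rule can yield."""
    if subject.role != "Doctor":          # Target: this policy only speaks about doctors
        return "NotApplicable"
    if action == "view":                  # Rule 1: same unit is enough to view
        return "Permit" if record.unit == subject.unit else "Deny"
    if action == "edit":                  # Rule 2: editing needs a care relationship
        return "Permit" if record.patient_id in subject.care_relationships else "Deny"
    return "Deny"                         # unknown action: default deny


def accessible_records(subject, action, records):
    """Filter a record set the way a PEP in front of a search API would."""
    return [r.patient_id for r in records if decide(subject, action, r) == "Permit"]


# Constructed sample data: two doctors in different units, one nurse, three records.
ALICE = Subject("alice", "Doctor", "cardiology", frozenset({"p-100"}))
BOB = Subject("bob", "Doctor", "oncology", frozenset({"p-100"}))   # cares for p-100 across units
CAROL = Subject("carol", "Nurse", "cardiology")
RECORDS = [Record("p-100", "cardiology"), Record("p-200", "cardiology"), Record("p-300", "oncology")]
```

No unit-specific or patient-specific role is needed: the same two checks serve every unit and every care relationship. Note that the rule as worded on the slide lets Bob edit p-100's record without being allowed to view it (different unit, but a care relationship); a production policy would normally also permit view wherever edit is permitted.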
  • 12. eXtensible Authorization – future proofing
    Attribute-based access control: external to applications, standards-compliant, delivered as an authorization service, fine-grained, context-aware.
  • 13. Enter XACML
  • 14. What is XACML?
    Pronunciation. eXtensible Access Control Markup Language, an OASIS standard: v1.0 approved in 2003 (10 years ago!), v3.0 approved in January 2013. XACML is expressed as a specification document and an XML schema. A REST profile for XACML exists (Committee Specification Draft). http://www.oasis-open.org/committees/xacml/
  • 15. What does XACML contain?
    Reference architecture; policy language; request/response protocol.
  • 16. XACML architecture: an access request arrives.
  • 17. XACML architecture: Enforce, the Policy Enforcement Point (PEP).
  • 18. XACML architecture: Decide, the Policy Decision Point (PDP).
  • 19. XACML architecture: Support, the Policy Information Point (PIP) and the Policy Retrieval Point (PRP).
  • 20. XACML architecture: Manage, the Policy Administration Point (PAP).
  • 21. What does XACML contain? Reference architecture; policy language; request/response protocol.
  • 22. Attributes & categories
    Everything can be described in terms of attributes, and attributes can be grouped into categories: Subject, Action, Resource, Environment, and many more. It's all about attributes: ABAC.
  • 23. Examples of attributes
    Subject (a user…)        | Action (…wants to do something…) | Resource (…with an information asset…) | Environment (…in a given context)
    A claims administrator…  | …wants to register a…           | …claim receipt for a new claim…         | …via a secure channel authenticated using the corporate smart card
    An adjuster…             | …wants to approve payments of…  | …claim payment…                         | …from his office computer during regular business hours
    A manager…               | …wants to assign a claim…       | …to a claim adjuster…                   | …at 2 o'clock at night from a hotel lounge in Chisinau
  • 24. Example XACML 3.0 request (XML)
    <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
        xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Laptop</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/acs/role" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
      <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
        <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
          <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
        </xacml-ctx:Attribute>
      </xacml-ctx:Attributes>
    </xacml-ctx:Request>
  • 25. Example XACML 3.0 response
    <xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
      <xacml-ctx:Result>
        <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
        <xacml-ctx:Status>
          <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </xacml-ctx:Status>
      </xacml-ctx:Result>
    </xacml-ctx:Response>
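Building the request of slide 24 and reading a response like the one on slide 25 with nothing but Python's standard library, as an added example that is not code from the talk or from an Axiomatics SDK. The category URIs and attribute ids are those on the slides; the two response documents are constructed samples and no PDP is contacted. The PEP-side check at the end is the caveat a practitioner wants: anything other than an explicit Permit with status ok is treated as a deny.

```python
# Added example, not from the slides or any XACML product: serialise a XACML 3.0
# request and read the decision from a response, using xml.etree only.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"c": CTX}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CATEGORY = {   # category URIs exactly as on slide 24
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}


def build_request(attrs):
    """attrs: {category name: {attribute id: string value}} -> XML bytes of a Request."""
    ET.register_namespace("xacml-ctx", CTX)
    req = ET.Element("{%s}Request" % CTX, ReturnPolicyIdList="true", CombinedDecision="false")
    for cat, values in attrs.items():
        holder = ET.SubElement(req, "{%s}Attributes" % CTX, Category=CATEGORY[cat])
        for attr_id, value in values.items():
            a = ET.SubElement(holder, "{%s}Attribute" % CTX, AttributeId=attr_id, IncludeInResult="true")
            ET.SubElement(a, "{%s}AttributeValue" % CTX, DataType=XS_STRING).text = value
    return ET.tostring(req, encoding="utf-8")


def request_attributes(xml_bytes):
    """Inverse of build_request; handy for checking what the PEP actually sent."""
    by_uri = {uri: name for name, uri in CATEGORY.items()}
    out = {}
    for holder in ET.fromstring(xml_bytes).findall("c:Attributes", NS):
        out[by_uri[holder.get("Category")]] = {
            a.get("AttributeId"): a.findtext("c:AttributeValue", namespaces=NS)
            for a in holder.findall("c:Attribute", NS)}
    return out


def parse_response(xml_bytes):
    """Return (Decision text, StatusCode Value) of the first Result."""
    result = ET.fromstring(xml_bytes).find("c:Result", NS)
    decision = result.findtext("c:Decision", namespaces=NS)
    status = result.find("c:Status/c:StatusCode", NS).get("Value")
    return decision, status


def pep_allows(response_xml):
    """Default deny: Deny, NotApplicable and Indeterminate all mean no access."""
    decision, status = parse_response(response_xml)
    return decision == "Permit" and status == STATUS_OK


# The request of slide 24 as a dict, and two constructed responses.
SLIDE_REQUEST = {
    "environment": {"http://www.axiomatics.com/tmp/env/devicetype": "Laptop"},
    "action": {ACTION_ID: "approve"},
    "subject": {"http://www.axiomatics.com/acs/role": "Manager"},
    "resource": {"location": "SE", "http://www.axiomatics.com/asm/entity/type": "Purchase Order"},
}
PERMIT_RESPONSE = (
    b'<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
    b'<xacml-ctx:Result><xacml-ctx:Decision>Permit</xacml-ctx:Decision><xacml-ctx:Status>'
    b'<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></xacml-ctx:Status>'
    b'</xacml-ctx:Result></xacml-ctx:Response>')
INDETERMINATE_RESPONSE = (   # constructed: the PDP could not find an attribute it needed
    b'<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
    b'<xacml-ctx:Result><xacml-ctx:Decision>Indeterminate</xacml-ctx:Decision><xacml-ctx:Status>'
    b'<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>'
    b'</xacml-ctx:Status></xacml-ctx:Result></xacml-ctx:Response>')
```

Because the core specification fixes no transport (slide 30), the bytes from build_request can be posted over whatever channel the deployment chose; what must not vary is the PEP's reading of the answer, which is why pep_allows only opens up on Permit plus status ok.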
  • 26. Language elements of XACML
    Three levels of elements: PolicySet, Policy and Rule. At the root is a PolicySet or a Policy; a PolicySet can contain PolicySets and Policies; a Policy can contain Rules. Each Rule has an Effect, Permit or Deny. Rule evaluation returns Permit, Deny, Indeterminate or NotApplicable. Rules are combined by rule-combining algorithms and Policies by policy-combining algorithms.
  • 27. Language structure: Russian dolls
    All three elements (PolicySet, Policy, Rule) can contain Target elements. At the heart of most Rules is a Condition. Obligation/Advice can be specified at all three levels. Diagram legend: T = Target, C = Condition, O = Obligation / Advice; the Rule's Effect is Permit or Deny.
  • 28. What does XACML contain? Reference architecture; policy language; request/response protocol.
  • 29. XACML concepts
    It's all about attributes! ABAC = Attribute-Based Access Control. XACML policies, the XACML request and the XACML response are all expressed in terms of Subject, Action, Resource and Environment attributes.
  • 30. Structure of a XACML request / response
    XACML request: “Can Manager Alice approve Purchase Order 12367?”
      Subject: User id = Alice, Role = Manager
      Action: Action id = approve
      Resource: Resource type = Purchase Order, PO # = 12367
      Environment: Device type = Laptop
    XACML response: “Yes, she can.”
      Result: Decision = Permit, Status = ok
    The core XACML specification does not define any specific transport/communication protocol: developers can choose their own, and the SAML profile defines a binding to send requests/responses over SAML assertions.
  • 31. Obligation & Advice
    In addition, a XACML response can also contain:
    Obligation: the PEP must comply with the obligation and is required to deny access if it cannot understand or enforce it.
    Advice: the PEP may comply with the advice; it can be safely ignored if it is not understood or cannot be acted on.
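A toy policy decision point and enforcement point that exercise the language elements of slides 26 and 27 (Policy containing Rules, Target, Condition, Effect, rule-combining algorithms) and the obligation/advice contract of slide 31, as an added example that is not code from the talk or from any XACML implementation. The purchase-order policy (built from the slide 6 compliance example and the slide 30 scenario), the attribute names, the obligation and advice ids, and the handling of Indeterminate are assumptions for illustration; in particular the combining algorithms fold XACML 3.0's Indeterminate{D}/{P} sub-types into plain Indeterminate.

```python
# Added example, not from the slides or any XACML product: a minimal PDP and PEP.
# Requests are dicts keyed by the four categories: {"subject": {...}, "action": {...},
# "resource": {...}, "environment": {...}}, each mapping attribute id -> value.
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    effect: str                            # "Permit" or "Deny"
    target: object                         # predicate on the request: cheap applicability test
    condition: object = lambda r: True     # predicate: the heart of the rule (slide 27)
    obligations: tuple = ()                # ids the PEP MUST fulfil
    advice: tuple = ()                     # ids the PEP MAY act on


@dataclass
class Policy:
    policy_id: str
    target: object
    rules: list
    combining: str                         # deny-overrides | permit-overrides | first-applicable


@dataclass
class Result:
    decision: str                          # Permit | Deny | NotApplicable | Indeterminate
    obligations: tuple = ()
    advice: tuple = ()


def evaluate_rule(rule, req):
    if not rule.target(req):
        return Result("NotApplicable")
    try:
        applies = rule.condition(req)
    except (KeyError, TypeError, ValueError):
        return Result("Indeterminate")     # a missing attribute must never become a Permit
    return Result(rule.effect, rule.obligations, rule.advice) if applies else Result("NotApplicable")


def combine(algorithm, decisions):
    """Simplified XACML combining over a list of rule decisions."""
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    wins, loses = ("Deny", "Permit") if algorithm == "deny-overrides" else ("Permit", "Deny")
    if wins in decisions:
        return wins
    if "Indeterminate" in decisions:
        return "Indeterminate"
    return loses if loses in decisions else "NotApplicable"


def evaluate_policy(policy, req):
    if not policy.target(req):
        return Result("NotApplicable")
    results = [evaluate_rule(rule, req) for rule in policy.rules]
    decision = combine(policy.combining, [r.decision for r in results])
    if policy.combining == "first-applicable":
        matching = [r for r in results if r.decision != "NotApplicable"][:1]
    else:   # only rules whose Effect equals the final decision contribute obligations/advice
        matching = [r for r in results if r.decision == decision]
    return Result(decision, tuple(o for r in matching for o in r.obligations),
                  tuple(a for r in matching for a in r.advice))


def pep_enforce(result, handlers):
    """Slide 31: grant only on Permit, and only if every obligation can be fulfilled."""
    if result.decision != "Permit":
        return False                       # Deny, NotApplicable, Indeterminate: no access
    if any(o not in handlers for o in result.obligations):
        return False                       # an obligation the PEP does not understand forces a deny
    for o in result.obligations:
        handlers[o](result)
    for a in result.advice:
        if a in handlers:                  # advice may be ignored when not understood
            handlers[a](result)
    return True


def is_po_approval(req):
    return req["action"]["action-id"] == "approve" and req["resource"]["type"] == "Purchase Order"


# Hypothetical policy: managers approve purchase orders, never their own, and approvals are logged.
PO_POLICY = Policy("po-approval", is_po_approval, combining="deny-overrides", rules=[
    Rule("no-self-approval", "Deny", is_po_approval,
         condition=lambda r: r["subject"]["user-id"] == r["resource"]["requester"]),
    Rule("manager-approves", "Permit", is_po_approval,
         condition=lambda r: r["subject"]["role"] == "Manager",
         obligations=("log-approval",), advice=("notify-requester",)),
])


def make_request(user, role, po_id, requester, device="Laptop"):
    """Constructed sample request in the shape of slide 30."""
    return {"subject": {"user-id": user, "role": role}, "action": {"action-id": "approve"},
            "resource": {"type": "Purchase Order", "id": po_id, "requester": requester},
            "environment": {"device-type": device}}


def decide(req, handlers=None):
    """PDP then PEP: returns (XACML decision, access granted?)."""
    handlers = {"log-approval": lambda res: None} if handlers is None else handlers
    result = evaluate_policy(PO_POLICY, req)
    return result.decision, pep_enforce(result, handlers)
```

Two behaviours are worth checking against your own PEP: a Permit whose obligation the PEP cannot honour is still no access, and a rule that cannot be evaluated (attribute missing from the request) yields Indeterminate rather than falling through to a Permit.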
  • 32. Summary
    AuthN is not enough; AuthZ is needed. RBAC is often not enough; ABAC is needed. XACML is a prominent ABAC system. XACML consists of a reference architecture, a policy language and a request/response protocol.
  • 33. Summary (Axiomatics)
    Axiomatics is the world's leading independent provider of dynamic AuthZ solutions. Our products enable efficient XACML-based authorization, with APIs and SDKs for system integration and Java and .NET support. APS Developer Edition provides you with all the power of our product in a ready-to-use package: http://axiomatics.com/aps-developer-edition.html
  • 34. More information
    http://developers.axiomatics.com
    http://www.technicalprivacytraining.org/
    https://www.oasis-open.org/committees/xacml/
    http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.pdf
    http://www.webfarmr.eu/
    http://analyzingidentity.com/
  • 35. Questions? Contact us at info@axiomatics.com
