XACML - XML Amsterdam2011
Presentation about eXtensible Access Control Markup Language (XACML) delivered at XML Amsterdam 2011
Evolution chart (figure text from slide 10, "Evolution of Access Control Models"):
  • Access Control List focuses on Resource
  • Role-Based Access Control generalizes Subject
  • Attribute-Based Access Control generalizes all attributes
  • Policy-Based Access Control standardizes attributes
  • Risk-Adaptive Access Control

    1. eXtensible Access Control Markup Language
       Rémon Sinnema
       – Consultant Software Engineer at EMC
       – Voting member of the XACML Technical Committee
       – sinnema313
       © Copyright 2011 EMC Corporation. All rights reserved.
    2. Agenda
       • Access Control
         – Various models
         – How XACML fits in
       • XACML
         – Architecture
         – Request/Response Protocol
         – Policy Language
         – Optional Profiles
         – What's new in 3.0
         – Implementations
    3. Access Control
    4. Access Control
       • Access control is the basis of Information Security:
         – Confidentiality: prevent disclosure to unauthorized agents
         – Integrity: prevent modification by unauthorized agents
         – Availability: keep unauthorized agents off the system
       • An access request occurs when
         – a given subject tries to access
         – a given resource to perform
         – a given action in
         – a given environment
    5. Access Control List (ACL)
       • (subject, resource, action, ?)
         – Subject is a user or group
         – No environment
         – Hard to maintain when many users share privileges
       • Widely available, e.g. in operating systems
    6. Role-Based Access Control (RBAC)
       • (role, resource, action, ?)
         – Generalizes users into roles
         – Users can have many roles
         – Roles can be hierarchical
           • A manager is an employee
         – No environment
         – Not granular enough / role explosion
       • Commonly available, e.g. in databases
    7. Attribute-Based Access Control (ABAC)
       • (subject, resource, action, environment)
         – Generalizes everything into attributes
         – Adds environment attributes
         – Subject can be user, group, role, application, …
         – Subject can be described by more than one attribute
       • Matches the definition of identity:
         – "A person's identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else" (Identity Management – A Primer, p. 9)
       • State of the art
    8. Policy-Based Access Control (PBAC)
       • (subject, resource, action, environment)
         – Harmonizes attributes across the (extended) organization
       • Coming soon…
    9. Risk-Adaptive Access Control (RAdAC)
       • (subject, resource, action, environment)
         – Dynamic risk levels as environment attributes
         – Threat level etc. from outside sources as well
       • Not anytime soon
    10. Evolution of Access Control Models
       Trends:
       • Finer granularity
       • More policy-based over ad-hoc
    11. XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC
       One technology for all your evolving access control needs!
    12. eXtensible Access Control Markup Language
    13. Architecture
    14. Request
       <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
         <Subject>
           <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                      DataType="http://www.w3.org/2001/XMLSchema#string">
             <AttributeValue>Julius Hibbert</AttributeValue>
           </Attribute>
         </Subject>
         <Resource>
           <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                      DataType="http://www.w3.org/2001/XMLSchema#anyURI">
             <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
           </Attribute>
         </Resource>
         <Action>
           <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                      DataType="http://www.w3.org/2001/XMLSchema#string">
             <AttributeValue>read</AttributeValue>
           </Attribute>
         </Action>
         <Environment />
       </Request>
    15. Response
       <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
         <Result>
           <Decision>Permit</Decision>
           <Status>
             <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
           </Status>
         </Result>
       </Response>
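The request/response exchange on the two slides above, from the PEP's side, as an added example that is not part of the presentation or of any XACML implementation. It serialises the slide's request context with the standard library, parses it back, and enforces a response the way a PEP should: anything other than a single Permit with an ok status fails closed, and a Permit that carries an obligation the PEP does not know how to discharge is also denied (the XACML 2.0 core specification requires a PEP to deny unless it understands and can discharge every obligation in the result). The function names, the sample responses and the obligation id urn:example:obligation:log-access are constructed for this example.

```python
# Added example (not from the presentation): PEP-side helper that builds the
# XACML 2.0 request context shown on the "Request" slide and enforces the
# PDP's response.  Function names and the sample responses are constructed
# for illustration; the obligation id urn:example:obligation:log-access is
# an assumption, not a standard identifier.
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS = "http://www.w3.org/2001/XMLSchema"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

ET.register_namespace("", CTX)  # serialise with the context schema as default namespace


def tag(name):
    return f"{{{CTX}}}{name}"


def local_name(qualified_tag):
    return qualified_tag.rsplit("}", 1)[-1]


def add_attribute(parent, attr_id, datatype, value):
    attr = ET.SubElement(parent, tag("Attribute"), AttributeId=attr_id, DataType=datatype)
    ET.SubElement(attr, tag("AttributeValue")).text = value


def build_request(subject, resource, action):
    """Serialise a single-subject/resource/action request with an empty Environment."""
    req = ET.Element(tag("Request"))
    add_attribute(ET.SubElement(req, tag("Subject")), SUBJECT_ID, XS + "#string", subject)
    add_attribute(ET.SubElement(req, tag("Resource")), RESOURCE_ID, XS + "#anyURI", resource)
    add_attribute(ET.SubElement(req, tag("Action")), ACTION_ID, XS + "#string", action)
    ET.SubElement(req, tag("Environment"))
    return ET.tostring(req, encoding="unicode")


def parse_request(request_xml):
    """Inverse of build_request: {category: {attribute-id: [values]}}."""
    out = {}
    for category in ET.fromstring(request_xml):
        attrs = out.setdefault(local_name(category.tag), {})
        for attr in category.findall(tag("Attribute")):
            values = [v.text or "" for v in attr.findall(tag("AttributeValue"))]
            attrs.setdefault(attr.get("AttributeId"), []).extend(values)
    return out


def enforce(response_xml, understood_obligations=frozenset()):
    """Fail-closed enforcement.  True only for exactly one Result whose Decision is
    Permit, whose StatusCode is ok, and whose obligations (if any) are all ones
    this PEP can discharge.  NotApplicable, Indeterminate, a non-ok status, zero
    or several Results, unparseable XML and unknown obligations all deny."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    results = root.findall(tag("Result"))
    if len(results) != 1:
        return False
    result = results[0]
    if result.findtext(tag("Decision")) != "Permit":
        return False
    code = result.find(f"{tag('Status')}/{tag('StatusCode')}")
    if code is None or code.get("Value") != STATUS_OK:
        return False
    # <Obligation> is defined in the policy namespace, so match on local name.
    for el in result.iter():
        if local_name(el.tag) == "Obligation" and el.get("ObligationId") not in understood_obligations:
            return False
    return True


# Constructed sample responses; the first is the one on the "Response" slide.
SAMPLE_PERMIT = (
    f'<Response xmlns="{CTX}"><Result><Decision>Permit</Decision>'
    f'<Status><StatusCode Value="{STATUS_OK}"/></Status></Result></Response>'
)
SAMPLE_PERMIT_WITH_OBLIGATION = (
    f'<Response xmlns="{CTX}" xmlns:p="urn:oasis:names:tc:xacml:2.0:policy:schema:os">'
    f'<Result><Decision>Permit</Decision><Status><StatusCode Value="{STATUS_OK}"/></Status>'
    '<p:Obligations><p:Obligation ObligationId="urn:example:obligation:log-access" '
    'FulfillOn="Permit"/></p:Obligations></Result></Response>'
)

if __name__ == "__main__":
    print(build_request("Julius Hibbert", "http://medico.com/record/patient/BartSimpson", "read"))
    print(enforce(SAMPLE_PERMIT), enforce(SAMPLE_PERMIT_WITH_OBLIGATION),
          enforce(SAMPLE_PERMIT_WITH_OBLIGATION, {"urn:example:obligation:log-access"}))
```

The point of the `enforce` shape is that the PEP never has a code path that grants on anything but an explicit Permit; NotApplicable (no policy matched) is the case most often mis-handled as "allowed" in home-grown PEPs.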
    16. Policy Language (1)
       • Hierarchical structure: PolicySet → Policy → Rule
    17. Policy Language (2)
       • Target filters applicable requests
         – In PolicySet, Policy, and Rule
         – Using attribute matching
       • Condition refines further
         – Powerful expression language
       <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
           <SubjectAttributeDesignator
               SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
               AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
               MustBePresent="true"
               DataType="http://www.w3.org/2001/XMLSchema#string" />
         </Apply>
       </Condition>
    18. Attribute Matching
       <Rule RuleId="…" Effect="Permit">
         <Description>…</Description>
         <Target>
           <Subjects>
             <Subject>
               <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                 <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
                 <SubjectAttributeDesignator
                     AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                     DataType="http://www.w3.org/2001/XMLSchema#string" />
               </SubjectMatch>
             </Subject>
           </Subjects>
           <Resources>…</Resources>
           <Actions>…</Actions>
           <Environments>…</Environments>
         </Target>
         <Condition>…</Condition>
       </Rule>
       (Callouts on the slide label the parts of the match: the Effect on the Rule, the Function in MatchId, and the Attribute Value, Attribute ID and Data Type that the function compares. The standard string-equal function lives in the 1.0 function namespace; the slide showed it under 2.0.)
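How a PDP evaluates the Rule on the slide above, as an added example (not code from the presentation or from any XACML engine): the Target's SubjectMatch applies string-equal to the literal "Robin Hood" and every value in the subject-id bag, and the Condition from the "Policy Language (2)" slide applies string-is-in to the literal and the bag designated by the conformance-test attribute with MustBePresent="true". The rule evaluates to its Effect only when the Target matches and the Condition is true; a non-matching Target or a false Condition gives NotApplicable, and a MustBePresent attribute that is absent makes the result Indeterminate rather than silently false. The Designator/Match/Rule classes, the dictionary layout of the request and the make_request helper are assumptions made for this example.

```python
# Added example (not from the presentation or any XACML implementation): a
# minimal evaluator for the Rule on the "Attribute Matching" slide, with the
# Condition from the "Policy Language (2)" slide.  The classes and the request
# layout ({category: {attribute-id: [values]}}) are assumptions for this example.
from dataclasses import dataclass, field
from typing import Optional

ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
SOME_ATTR = "urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"

# The two standard functions used on the slides.  string-is-in takes (string, bag).
FUNCTIONS = {
    STRING_EQUAL: lambda a, b: a == b,
    STRING_IS_IN: lambda s, bag: s in bag,
}


class Indeterminate(Exception):
    """Evaluation could not complete, e.g. a MustBePresent attribute is absent."""


@dataclass
class Designator:
    """<SubjectAttributeDesignator>: selects a bag of values from the request."""
    category: str
    attribute_id: str
    must_be_present: bool = False

    def bag(self, request):
        values = request.get(self.category, {}).get(self.attribute_id, [])
        if self.must_be_present and not values:
            raise Indeterminate(f"{self.attribute_id} missing from {self.category}")
        return values


@dataclass
class Match:
    """<SubjectMatch>: true if the function holds for ANY value in the designated bag.
    An empty bag (attribute absent, MustBePresent false) therefore matches nothing."""
    function_id: str
    literal: str
    designator: Designator

    def holds(self, request):
        fn = FUNCTIONS[self.function_id]
        return any(fn(self.literal, value) for value in self.designator.bag(request))


@dataclass
class Rule:
    effect: str
    target: list = field(default_factory=list)      # all Match elements of one <Subject> must hold
    condition: Optional[tuple] = None               # (function_id, literal, Designator)

    def evaluate(self, request):
        try:
            if not all(m.holds(request) for m in self.target):
                return "NotApplicable"
            if self.condition is not None:
                fn_id, literal, designator = self.condition
                if not FUNCTIONS[fn_id](literal, designator.bag(request)):
                    return "NotApplicable"
            return self.effect
        except Indeterminate:
            return "Indeterminate"


# The rule as shown on the slides: Target on subject-id, Condition on some-attribute.
ROBIN_HOOD_RULE = Rule(
    effect="Permit",
    target=[Match(STRING_EQUAL, "Robin Hood", Designator(ACCESS_SUBJECT, SUBJECT_ID))],
    condition=(STRING_IS_IN, "riddle me this",
               Designator(ACCESS_SUBJECT, SOME_ATTR, must_be_present=True)),
)


def make_request(subject_id, some_attribute=None):
    """Constructed request context for the access-subject category."""
    subject = {SUBJECT_ID: [subject_id]}
    if some_attribute is not None:
        subject[SOME_ATTR] = [some_attribute]
    return {ACCESS_SUBJECT: subject}


if __name__ == "__main__":
    for subject, attr in [("Robin Hood", "riddle me this"), ("Sheriff", "riddle me this"),
                          ("Robin Hood", "wrong answer"), ("Robin Hood", None)]:
        print(subject, attr, "->", ROBIN_HOOD_RULE.evaluate(make_request(subject, attr)))
```

The MustBePresent distinction matters in practice: without it, a request that simply omits the attribute gets NotApplicable, and under a permit-overrides policy that can be indistinguishable from "the rule was satisfied elsewhere"; with it the PDP surfaces Indeterminate, which the combining algorithm and the PEP can treat as an error.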
    19. Conflict Resolution
       • Multiple rules can be applicable
       • Conflicts are resolved by Combining Algorithms
         – Policy has a Rule Combining Algorithm
         – PolicySet has a Policy Combining Algorithm
       • Standard Combining Algorithms:
         – permit-overrides
         – deny-overrides
         – first-applicable
         – only-one-applicable
         – ordered-permit-overrides
         – ordered-deny-overrides
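The standard combining algorithms listed above, written out as an added example (not the presentation's code, nor any PDP's) from the pseudocode in Appendix C of the XACML 2.0 core specification. Each rule is given as a (declared Effect, evaluated decision) pair so the algorithms can be exercised without a parser. The detail worth seeing is how Indeterminate propagates: under deny-overrides a Deny rule that fails to evaluate is treated as a Deny, but under permit-overrides a Permit rule that fails yields Indeterminate rather than Permit, which is the 2.0 behaviour the "better handling of Indeterminate" item on the 3.0 slide refines. The ordered-* variants are the same algorithms with evaluation order pinned to document order; the URN-to-function table and the (applicability, decision) representation for only-one-applicable are assumptions of this example.

```python
# Added example (not from the presentation or any PDP): the standard XACML 2.0
# combining algorithms, following Appendix C of the XACML 2.0 core spec.
# Rules are (declared Effect, evaluated decision) pairs, i.e. the output of
# rule evaluation.  The ALGORITHMS table mapping URNs to functions is an
# assumption made for this example.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


def deny_overrides(rules):
    at_least_one_error = potential_deny = at_least_one_permit = False
    for effect, decision in rules:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if effect == DENY:
                potential_deny = True       # a rule that might have denied failed to evaluate
    if potential_deny:
        return DENY                         # 2.0: a potential deny counts as a deny
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def permit_overrides(rules):
    at_least_one_error = potential_permit = at_least_one_deny = False
    for effect, decision in rules:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            at_least_one_deny = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if effect == PERMIT:
                potential_permit = True
    if potential_permit:
        return INDETERMINATE                # NOT Permit: 2.0 is deliberately asymmetric here
    if at_least_one_deny:
        return DENY
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


def first_applicable(rules):
    for _effect, decision in rules:
        if decision != NOT_APPLICABLE:
            return decision                 # first Permit, Deny or Indeterminate wins
    return NOT_APPLICABLE


def only_one_applicable(policies):
    """Policy-combining algorithm.  policies: (target applicability, decision) pairs,
    applicability being True, False or INDETERMINATE.  Two applicable policies, or
    an error while deciding applicability, give Indeterminate."""
    chosen = None
    for applicable, decision in policies:
        if applicable == INDETERMINATE:
            return INDETERMINATE
        if applicable:
            if chosen is not None:
                return INDETERMINATE
            chosen = decision
    return NOT_APPLICABLE if chosen is None else chosen


# ordered-* variants are the same algorithms with evaluation in document order,
# which iterating a Python list already guarantees.
ALGORITHMS = {
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides": permit_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable": first_applicable,
    "urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides": permit_overrides,
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable": only_one_applicable,
}


def combine(algorithm_id, items):
    return ALGORITHMS[algorithm_id](items)


if __name__ == "__main__":
    rules = [(PERMIT, PERMIT), (DENY, INDETERMINATE)]   # a broken deny rule beside a working permit
    print("deny-overrides  ", deny_overrides(rules))
    print("permit-overrides", permit_overrides(rules))
    print("first-applicable", first_applicable(rules))
```

When reviewing a policy, the choice of algorithm is itself a security decision: with permit-overrides a single over-broad Permit rule anywhere in the policy wins, and a Deny rule that errors (for instance on a missing attribute) does not stop it.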
    20. Obligations
       • Action that the PEP must perform
         – Email manager, log access, …
       • Optional part of the specification
    21. X stands for eXtensible
       • Custom attribute IDs
       • Custom functions
       • Custom data types
       • Custom combining algorithms
    22. Optional Profiles
       • RBAC
       • Multiple Resource
       • Hierarchical Resource
       • Privacy
       • SAML
       • XML Digital Signature
    23. What's new in 3.0
       • Subject/Resource/Action/Environment generalized into attribute categories
       • Advice (like an obligation, but optional for the PEP)
       • Obligations & advice can be dynamic
       • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs)
       • XPath improvements (XPath data type)
       • Updated profiles
         – Multi: decision schemes
         – SAML: pass policies with request
       • New profiles
         – Administration & Delegation (policies about who can change policies)
         – Export
         – Intellectual Property (in progress)
    24. Implementations (logo slide)
       • Commercial
       • Embedded
       • Open Source, e.g. SunXACML
    25. Q&A
       sinnema313
    26. THANK YOU