XACML - XML Amsterdam2011

eXtensible Access Control Markup Language Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee – sinnema313© Copyright 2011 EMC Corporation. All rights reserved. 1

Agenda • Access Control – Various models – How XACML fits in • XACML – Architecture – Request/Response Protocol – Policy Language – Optional Profiles – What’s new in 3.0 – Implementations© Copyright 2011 EMC Corporation. All rights reserved. 2

Access Control• Access control is the basis of Information Security: – Confidentiality: prevent disclosure to unauthorized agents – Integrity: prevent modification by unauthorized agents – Availability: keep unauthorized agents off the system• An access request occurs when – a given subject tries to access – a given resource to perform – a given action in – a given environment© Copyright 2011 EMC Corporation. All rights reserved. 4

Access Control List (ACL)• (subject, resource, action, ?) – Subject is user or group – No environment – Hard to maintain when many users share privileges• Widely available, e.g. in operating systems© Copyright 2011 EMC Corporation. All rights reserved. 5

Role-Based Access Control (RBAC)• (role, resource, action, ?) – Generalizes users into roles – Users can have many roles – Roles can be hierarchical • A manager is an employee – No environment – Not granular enough/role explosion• Commonly available, e.g. in databases© Copyright 2011 EMC Corporation. All rights reserved. 6

Attribute-Based Access Control (ABAC)• (subject, resource, action, environment) – Generalizes everything into attributes – Adds environment attributes – Subject can be user, group, role, application, … – Subject can be described by more than one attribute• Matches the definition of identity: – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” Identity Management – A Primer, p. 9• State of the art© Copyright 2011 EMC Corporation. All rights reserved. 7

Policy-Based Access Control (PBAC)• (subject, resource, action, environment) – Harmonizes attributes across the (extended) organization• Coming soon…© Copyright 2011 EMC Corporation. All rights reserved. 8

Risk-Adaptive Access Control (RAdAC)• (subject, resource, action, environment) – Dynamic risk levels as environment attributes – Threat level etc. from outside sources as well• Not anytime soon© Copyright 2011 EMC Corporation. All rights reserved. 9

Request<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Subject> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>Julius Hibbert</AttributeValue> </Attribute> </Subject> <Resource> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"> <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue> </Attribute> </Resource> <Action> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>read</AttributeValue> </Attribute> </Action> <Environment /></Request>© Copyright 2011 EMC Corporation. All rights reserved. 14

Response<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Result> <Decision>Permit</Decision> <Status> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" /> </Status> </Result></Response>© Copyright 2011 EMC Corporation. All rights reserved. 15

Policy Language (2)• Target filters applicable requests – In PolicySet, Policy, and Rule – Using attribute matching• Condition refines further – Powerful expression language <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> riddle me this </AttributeValue> <SubjectAttributeDesignator SubjectCategory= "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute” MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Condition>© Copyright 2011 EMC Corporation. All rights reserved. 17

Attribute Matching Effect<Rule RuleId=“…" Effect="Permit“> <Description>…</Description> <Target> Function <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> Robin Hood </AttributeValue> <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"> urn:oasis:names:tc:xacml:1.0:subject:subject-id Attribute Value </SubjectAttributeDesignator> </SubjectMatch> </Subject> Attribute ID Data Type </Subjects> <Resources>…</Resources> <Actions>…</Actions> <Environments>…</Environments> </Target> <Condition>…</Condition> </Rule>© Copyright 2011 EMC Corporation. All rights reserved. 18

Conflict Resolution• Multiple rules can be applicable• Conflicts are resolved by Combining Algorithms – Policyhas Rule Combining Algorithm – PolicySet has Policy Combining Algorithm• Standard Combining Algorithms: – permit-overrides – deny-overrides – first-applicable – only-one-applicable – ordered-permit-overrides – ordered-deny-overrides© Copyright 2011 EMC Corporation. All rights reserved. 19

What’s new in 3.0• Subject/Resource/Action/Environment generalized into attribute categories• Advice (like obligation but optional)• Obligations & advice can be dynamic• More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs)• XPath improvements (XPath data type)• Updated profiles – Multi: decision schemes – SAML :pass policies with request• New profiles – Administration & Delegation (policies about who can change policies) – Export – Intellectual Property (in progress)© Copyright 2011 EMC Corporation. All rights reserved. 23

XACML - XML Amsterdam2011

by Remon Sinnema

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 4

Statistics

XACML - XML Amsterdam2011 Presentation Transcript

http://a0.twimg.com	3
https://twitter.com	1