Ray Sinnema, profile picture
Uploaded byRay Sinnema
PPTX, PDF2,124 views

XACML - XML Amsterdam2011

This document summarizes the eXtensible Access Control Markup Language (XACML). It discusses access control models like ACL, RBAC, ABAC and how XACML supports all of them. The document outlines the key components of XACML including its architecture, request/response protocol, policy language, optional profiles, and what is new in version 3.0. It also briefly mentions some XACML implementations.

Embed presentation

Downloaded 69 times
eXtensible Access Control Markup Language Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee – sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 1
Agenda • Access Control – Various models – How XACML fits in • XACML – Architecture – Request/Response Protocol – Policy Language – Optional Profiles – What’s new in 3.0 – Implementations © Copyright 2011 EMC Corporation. All rights reserved. 2
Access Control © Copyright 2011 EMC Corporation. All rights reserved. 3
Access Control • Access control is the basis of Information Security: – Confidentiality: prevent disclosure to unauthorized agents – Integrity: prevent modification by unauthorized agents – Availability: keep unauthorized agents off the system • An access request occurs when – a given subject tries to access – a given resource to perform – a given action in – a given environment © Copyright 2011 EMC Corporation. All rights reserved. 4
Access Control List (ACL) • (subject, resource, action, ?) – Subject is user or group – No environment – Hard to maintain when many users share privileges • Widely available, e.g. in operating systems © Copyright 2011 EMC Corporation. All rights reserved. 5
Role-Based Access Control (RBAC) • (role, resource, action, ?) – Generalizes users into roles – Users can have many roles – Roles can be hierarchical • A manager is an employee – No environment – Not granular enough/role explosion • Commonly available, e.g. in databases © Copyright 2011 EMC Corporation. All rights reserved. 6
Attribute-Based Access Control (ABAC) • (subject, resource, action, environment) – Generalizes everything into attributes – Adds environment attributes – Subject can be user, group, role, application, … – Subject can be described by more than one attribute • Matches the definition of identity: – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” Identity Management – A Primer, p. 9 • State of the art © Copyright 2011 EMC Corporation. All rights reserved. 7
Policy-Based Access Control (PBAC) • (subject, resource, action, environment) – Harmonizes attributes across the (extended) organization • Coming soon… © Copyright 2011 EMC Corporation. All rights reserved. 8
Risk-Adaptive Access Control (RAdAC) • (subject, resource, action, environment) – Dynamic risk levels as environment attributes – Threat level etc. from outside sources as well • Not anytime soon © Copyright 2011 EMC Corporation. All rights reserved. 9
Evolution of Access Control Models Trends: • Finer granularity • More policy-based over ad-hoc © Copyright 2011 EMC Corporation. All rights reserved. 10
XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC One technology for all your evolving access control needs! © Copyright 2011 EMC Corporation. All rights reserved. 11
eXtensible Access Control Markup Language © Copyright 2011 EMC Corporation. All rights reserved. 12
Architecture © Copyright 2011 EMC Corporation. All rights reserved. 13
Request <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Subject> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>Julius Hibbert</AttributeValue> </Attribute> </Subject> <Resource> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"> <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue> </Attribute> </Resource> <Action> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>read</AttributeValue> </Attribute> </Action> <Environment /> </Request> © Copyright 2011 EMC Corporation. All rights reserved. 14
Response <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Result> <Decision>Permit</Decision> <Status> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" /> </Status> </Result> </Response> © Copyright 2011 EMC Corporation. All rights reserved. 15
Policy Language (1) • Hierarchical structure: PolicySet → Policy → Rule © Copyright 2011 EMC Corporation. All rights reserved. 16
Policy Language (2) • Target filters applicable requests – In PolicySet, Policy, and Rule – Using attribute matching • Condition refines further – Powerful expression language <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> riddle me this </AttributeValue> <SubjectAttributeDesignator SubjectCategory= "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute” MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Condition> © Copyright 2011 EMC Corporation. All rights reserved. 17
Attribute Matching Effect <Rule RuleId=“…" Effect="Permit“> <Description>…</Description> <Target> Function <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> Robin Hood </AttributeValue> <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"> urn:oasis:names:tc:xacml:1.0:subject:subject-id Attribute Value </SubjectAttributeDesignator> </SubjectMatch> </Subject> Attribute ID Data Type </Subjects> <Resources>…</Resources> <Actions>…</Actions> <Environments>…</Environments> </Target> <Condition>…</Condition> </Rule> © Copyright 2011 EMC Corporation. All rights reserved. 18
Conflict Resolution • Multiple rules can be applicable • Conflicts are resolved by Combining Algorithms – Policyhas Rule Combining Algorithm – PolicySet has Policy Combining Algorithm • Standard Combining Algorithms: – permit-overrides – deny-overrides – first-applicable – only-one-applicable – ordered-permit-overrides – ordered-deny-overrides © Copyright 2011 EMC Corporation. All rights reserved. 19
Obligations • Action that PEP must perform – Email manager, log access, … • Optional part of the specification © Copyright 2011 EMC Corporation. All rights reserved. 20
X stands for eXtensible • Custom attribute IDs • Custom functions • Custom data types • Custom combining algorithms © Copyright 2011 EMC Corporation. All rights reserved. 21
Optional Profiles • RBAC • Multiple Resource • Hierarchical Resource • Privacy • SAML • XML Digital Signature © Copyright 2011 EMC Corporation. All rights reserved. 22
What’s new in 3.0 • Subject/Resource/Action/Environment generalized into attribute categories • Advice (like obligation but optional) • Obligations & advice can be dynamic • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs) • XPath improvements (XPath data type) • Updated profiles – Multi: decision schemes – SAML :pass policies with request • New profiles – Administration & Delegation (policies about who can change policies) – Export – Intellectual Property (in progress) © Copyright 2011 EMC Corporation. All rights reserved. 23
Implementations Commercial Embedded Open Source SunXac ml © Copyright 2011 EMC Corporation. All rights reserved. 24
Q&A sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 25
THANK YOU © Copyright 2011 EMC Corporation. All rights reserved. 26

More Related Content

PPTX
Why lasagna is better than spaghetti: baking authorization into your applicat...
byDavid Brossard
 
PPTX
OData - The Universal REST API
byNishanth Kadiyala
 
PPTX
OData: A Standard API for Data Access
byPat Patterson
 
PDF
CIS14: The Very Latest in Authorization Standards
byCloudIDSummit
 
PPTX
OData, External objects & Lightning Connect
byPrasanna Deshpande ☁
 
PPTX
Modern REST APIs for Enterprise Databases - OData
byNishanth Kadiyala
 
PPTX
OData for iOS developers
byGlen Gordon
 
PPTX
Odata - Open Data Protocol
byKhaled Musaied
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
byDavid Brossard
 
OData - The Universal REST API
byNishanth Kadiyala
 
OData: A Standard API for Data Access
byPat Patterson
 
CIS14: The Very Latest in Authorization Standards
byCloudIDSummit
 
OData, External objects & Lightning Connect
byPrasanna Deshpande ☁
 
Modern REST APIs for Enterprise Databases - OData
byNishanth Kadiyala
 
OData for iOS developers
byGlen Gordon
 
Odata - Open Data Protocol
byKhaled Musaied
 

What's hot

PDF
NetWeaver Gateway- Introduction to OData
bySAP PartnerEdge program for Application Development
 
PPTX
Con8817 api management - enable your infrastructure for secure mobile and c...
byOracleIDM
 
PDF
The_Beauty_And_The_Beast_APEX_and_SAP
byNiels de Bruijn
 
PDF
Apex Connector for Lightning Connect: Make Anything a Salesforce Object
bySalesforce Developers
 
PDF
Introduction to External Objects and the OData Connector
bySalesforce Developers
 
PDF
SAP ODATA Overview & Guidelines
byAshish Saxena
 
PDF
Oracle ADF Architecture TV - Design - ADF Service Architectures
byChris Muir
 
PDF
Getting your grips on Excel chaos
byNiels de Bruijn
 
PPTX
ADF Mythbusters UKOUG'14
byandrejusb
 
PDF
Oracle ADF Architecture TV - Design - Service Integration Architectures
byChris Muir
 
PPTX
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
byPat Patterson
 
PPTX
API Gateway - OFM Canberra October 2014
byJoelith
 
PPTX
Data Caching Strategies for Oracle Mobile Application Framework
byandrejusb
 
PPTX
ADF Anti-Patterns: Dangerous Tutorials
byandrejusb
 
PPTX
Deliver Secure SQL Access for Enterprise APIs - August 29 2017
byNishanth Kadiyala
 
PPTX
Barcelona salesforce sdg november lightning connect
byAaron Dominguez Sanchez
 
PDF
Restful Services
bySHAKIL AKHTAR
 
PPTX
Oracle JET CRUD and ADF BC REST
byandrejusb
 
PPTX
Access External Data in Real-time with Lightning Connect
bySalesforce Developers
 
PPTX
GoToMeeting Competitive / Market Analysis
byNishanth Kadiyala
 
NetWeaver Gateway- Introduction to OData
bySAP PartnerEdge program for Application Development
 
Con8817 api management - enable your infrastructure for secure mobile and c...
byOracleIDM
 
The_Beauty_And_The_Beast_APEX_and_SAP
byNiels de Bruijn
 
Apex Connector for Lightning Connect: Make Anything a Salesforce Object
bySalesforce Developers
 
Introduction to External Objects and the OData Connector
bySalesforce Developers
 
SAP ODATA Overview & Guidelines
byAshish Saxena
 
Oracle ADF Architecture TV - Design - ADF Service Architectures
byChris Muir
 
Getting your grips on Excel chaos
byNiels de Bruijn
 
ADF Mythbusters UKOUG'14
byandrejusb
 
Oracle ADF Architecture TV - Design - Service Integration Architectures
byChris Muir
 
OData: Universal Data Solvent or Clunky Enterprise Goo? (GlueCon 2015)
byPat Patterson
 
API Gateway - OFM Canberra October 2014
byJoelith
 
Data Caching Strategies for Oracle Mobile Application Framework
byandrejusb
 
ADF Anti-Patterns: Dangerous Tutorials
byandrejusb
 
Deliver Secure SQL Access for Enterprise APIs - August 29 2017
byNishanth Kadiyala
 
Barcelona salesforce sdg november lightning connect
byAaron Dominguez Sanchez
 
Restful Services
bySHAKIL AKHTAR
 
Oracle JET CRUD and ADF BC REST
byandrejusb
 
Access External Data in Real-time with Lightning Connect
bySalesforce Developers
 
GoToMeeting Competitive / Market Analysis
byNishanth Kadiyala
 

Similar to XACML - XML Amsterdam2011

PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
byWSO2
 
PDF
Axiomatics webinar 13 june 2013 shared
byFinn Frisch
 
PPTX
EMC Documenutm xCP 2.2 vs 1.x
byHaytham Ghandour
 
PPTX
SANS Institute Product Review: Oracle Entitlements Server
byOracleIDM
 
PDF
Uncovering XACML to solve real world business use cases
byWSO2
 
PPT
2. access control
by7wounders
 
PPTX
Authorization - it's not just about who you are
byDavid Brossard
 
PPT
Building an Effective Identity Management Strategy
byNetIQ
 
PDF
CMIS is here, did you know?
bySymphony Software Foundation
 
PPT
Topic 7 access control
byKhawar Nehal khawar.nehal@atrc.net.pk
 
PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
PDF
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
PDF
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
byKenneth Peeples
 
PPTX
What's new in Exchange 2013?
byMicrosoft TechNet - Belgium and Luxembourg
 
PPT
PCTY 2012, Risk Based Access Control v. Pat Wardrop
byIBM Danmark
 
PPT
Win2KServer Active Directory
byPhil Ashman
 
PPTX
Identity Manager in Cloud with Openflow Switches
byMohammad Faraji
 
PPT
P hallam baker_keynote
byshindeshekhar
 
PPT
Events Logging Markup Language
byConferencias FIST
 
PPT
Verification and change impact analysis of access-control policies
bybdemchak
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
byWSO2
 
Axiomatics webinar 13 june 2013 shared
byFinn Frisch
 
EMC Documenutm xCP 2.2 vs 1.x
byHaytham Ghandour
 
SANS Institute Product Review: Oracle Entitlements Server
byOracleIDM
 
Uncovering XACML to solve real world business use cases
byWSO2
 
2. access control
by7wounders
 
Authorization - it's not just about who you are
byDavid Brossard
 
Building an Effective Identity Management Strategy
byNetIQ
 
CMIS is here, did you know?
bySymphony Software Foundation
 
Topic 7 access control
byKhawar Nehal khawar.nehal@atrc.net.pk
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
bysureshattanayake
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
byKenneth Peeples
 
What's new in Exchange 2013?
byMicrosoft TechNet - Belgium and Luxembourg
 
PCTY 2012, Risk Based Access Control v. Pat Wardrop
byIBM Danmark
 
Win2KServer Active Directory
byPhil Ashman
 
Identity Manager in Cloud with Openflow Switches
byMohammad Faraji
 
P hallam baker_keynote
byshindeshekhar
 
Events Logging Markup Language
byConferencias FIST
 
Verification and change impact analysis of access-control policies
bybdemchak
 

Recently uploaded

PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
December Patch Tuesday
byIvanti
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
AI Meets Integration: Delivering AI-Ready Data in Real Time.pdf
byPrecisely
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
API-First Architecture in Financial Systems
bycyy111112
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
December Patch Tuesday
byIvanti
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
AI Meets Integration: Delivering AI-Ready Data in Real Time.pdf
byPrecisely
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 

XACML - XML Amsterdam2011

  • 1.
    eXtensible Access Control Markup Language Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee – sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 1
  • 2.
    Agenda • Access Control – Various models – How XACML fits in • XACML – Architecture – Request/Response Protocol – Policy Language – Optional Profiles – What’s new in 3.0 – Implementations © Copyright 2011 EMC Corporation. All rights reserved. 2
  • 3.
    Access Control © Copyright2011 EMC Corporation. All rights reserved. 3
  • 4.
    Access Control • Accesscontrol is the basis of Information Security: – Confidentiality: prevent disclosure to unauthorized agents – Integrity: prevent modification by unauthorized agents – Availability: keep unauthorized agents off the system • An access request occurs when – a given subject tries to access – a given resource to perform – a given action in – a given environment © Copyright 2011 EMC Corporation. All rights reserved. 4
  • 5.
    Access Control List(ACL) • (subject, resource, action, ?) – Subject is user or group – No environment – Hard to maintain when many users share privileges • Widely available, e.g. in operating systems © Copyright 2011 EMC Corporation. All rights reserved. 5
  • 6.
    Role-Based Access Control(RBAC) • (role, resource, action, ?) – Generalizes users into roles – Users can have many roles – Roles can be hierarchical • A manager is an employee – No environment – Not granular enough/role explosion • Commonly available, e.g. in databases © Copyright 2011 EMC Corporation. All rights reserved. 6
  • 7.
    Attribute-Based Access Control(ABAC) • (subject, resource, action, environment) – Generalizes everything into attributes – Adds environment attributes – Subject can be user, group, role, application, … – Subject can be described by more than one attribute • Matches the definition of identity: – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” Identity Management – A Primer, p. 9 • State of the art © Copyright 2011 EMC Corporation. All rights reserved. 7
  • 8.
    Policy-Based Access Control(PBAC) • (subject, resource, action, environment) – Harmonizes attributes across the (extended) organization • Coming soon… © Copyright 2011 EMC Corporation. All rights reserved. 8
  • 9.
    Risk-Adaptive Access Control(RAdAC) • (subject, resource, action, environment) – Dynamic risk levels as environment attributes – Threat level etc. from outside sources as well • Not anytime soon © Copyright 2011 EMC Corporation. All rights reserved. 9
  • 10.
    Evolution of AccessControl Models Trends: • Finer granularity • More policy-based over ad-hoc © Copyright 2011 EMC Corporation. All rights reserved. 10
  • 11.
    XACML supports allof ACL, RBAC, ABAC, PBAC, and RAdAC One technology for all your evolving access control needs! © Copyright 2011 EMC Corporation. All rights reserved. 11
  • 12.
    eXtensible Access Control Markup Language © Copyright 2011 EMC Corporation. All rights reserved. 12
  • 13.
    Architecture © Copyright 2011EMC Corporation. All rights reserved. 13
  • 14.
    Request <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Subject> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>Julius Hibbert</AttributeValue> </Attribute> </Subject> <Resource> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"> <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue> </Attribute> </Resource> <Action> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue>read</AttributeValue> </Attribute> </Action> <Environment /> </Request> © Copyright 2011 EMC Corporation. All rights reserved. 14
  • 15.
    Response <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd"> <Result> <Decision>Permit</Decision> <Status> <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" /> </Status> </Result> </Response> © Copyright 2011 EMC Corporation. All rights reserved. 15
  • 16.
    Policy Language (1) •Hierarchical structure: PolicySet → Policy → Rule © Copyright 2011 EMC Corporation. All rights reserved. 16
  • 17.
    Policy Language (2) •Target filters applicable requests – In PolicySet, Policy, and Rule – Using attribute matching • Condition refines further – Powerful expression language <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> riddle me this </AttributeValue> <SubjectAttributeDesignator SubjectCategory= "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute” MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" /> </Apply> </Condition> © Copyright 2011 EMC Corporation. All rights reserved. 17
  • 18.
    Attribute Matching Effect <Rule RuleId=“…" Effect="Permit“> <Description>…</Description> <Target> Function <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> Robin Hood </AttributeValue> <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"> urn:oasis:names:tc:xacml:1.0:subject:subject-id Attribute Value </SubjectAttributeDesignator> </SubjectMatch> </Subject> Attribute ID Data Type </Subjects> <Resources>…</Resources> <Actions>…</Actions> <Environments>…</Environments> </Target> <Condition>…</Condition> </Rule> © Copyright 2011 EMC Corporation. All rights reserved. 18
  • 19.
    Conflict Resolution • Multiplerules can be applicable • Conflicts are resolved by Combining Algorithms – Policyhas Rule Combining Algorithm – PolicySet has Policy Combining Algorithm • Standard Combining Algorithms: – permit-overrides – deny-overrides – first-applicable – only-one-applicable – ordered-permit-overrides – ordered-deny-overrides © Copyright 2011 EMC Corporation. All rights reserved. 19
  • 20.
    Obligations • Action thatPEP must perform – Email manager, log access, … • Optional part of the specification © Copyright 2011 EMC Corporation. All rights reserved. 20
  • 21.
    X stands foreXtensible • Custom attribute IDs • Custom functions • Custom data types • Custom combining algorithms © Copyright 2011 EMC Corporation. All rights reserved. 21
  • 22.
    Optional Profiles • RBAC •Multiple Resource • Hierarchical Resource • Privacy • SAML • XML Digital Signature © Copyright 2011 EMC Corporation. All rights reserved. 22
  • 23.
    What’s new in3.0 • Subject/Resource/Action/Environment generalized into attribute categories • Advice (like obligation but optional) • Obligations & advice can be dynamic • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs) • XPath improvements (XPath data type) • Updated profiles – Multi: decision schemes – SAML :pass policies with request • New profiles – Administration & Delegation (policies about who can change policies) – Export – Intellectual Property (in progress) © Copyright 2011 EMC Corporation. All rights reserved. 23
  • 24.
    Implementations Commercial Embedded Open Source SunXac ml © Copyright 2011 EMC Corporation. All rights reserved. 24
  • 25.
    Q&A sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 25
  • 26.
    THANK YOU © Copyright2011 EMC Corporation. All rights reserved. 26

Editor's Notes

  • #11 Access Control List focuses on ResourceRole-Based Access Control generalizes SubjectAttribute-Based Access Control generalizes all attributesPolicy-Based Access Control standardizes attributesRisk-Adaptive Access Control