XACML - XML Amsterdam2011
Presentation about eXtensible Access Control Markup Language (XACML) delivered at XML Amsterdam 2011
  • Speaker notes: Access Control List focuses on Resource; Role-Based Access Control generalizes Subject; Attribute-Based Access Control generalizes all attributes; Policy-Based Access Control standardizes attributes; Risk-Adaptive Access Control
  • Transcript

    • 1. eXtensible Access Control Markup Language
      Rémon Sinnema
      – Consultant Software Engineer at EMC
      – Voting member of the XACML Technical Committee
      – sinnema313
      © Copyright 2011 EMC Corporation. All rights reserved.
    • 2. Agenda
      • Access Control
        – Various models
        – How XACML fits in
      • XACML
        – Architecture
        – Request/Response Protocol
        – Policy Language
        – Optional Profiles
        – What’s new in 3.0
        – Implementations
    • 3. Access Control
    • 4. Access Control
      • Access control is the basis of Information Security:
        – Confidentiality: prevent disclosure to unauthorized agents
        – Integrity: prevent modification by unauthorized agents
        – Availability: keep unauthorized agents from consuming or disrupting the system, so that authorized agents retain access
      • An access request occurs when
        – a given subject tries to access
        – a given resource to perform
        – a given action in
        – a given environment
    • 5. Access Control List (ACL)
      • (subject, resource, action, ?)
        – Subject is a user or group
        – No environment (the “?” in the tuple)
        – Hard to maintain when many users share privileges
      • Widely available, e.g. in operating systems
    • 6. Role-Based Access Control (RBAC)
      • (role, resource, action, ?)
        – Generalizes users into roles
        – Users can have many roles
        – Roles can be hierarchical
          • A manager is an employee
        – No environment
        – Not granular enough / role explosion
      • Commonly available, e.g. in databases
    • 7. Attribute-Based Access Control (ABAC)
      • (subject, resource, action, environment)
        – Generalizes everything into attributes
        – Adds environment attributes
        – Subject can be user, group, role, application, …
        – Subject can be described by more than one attribute
      • Matches the definition of identity:
        – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” (Identity Management – A Primer, p. 9)
      • State of the art
    • 8. Policy-Based Access Control (PBAC)
      • (subject, resource, action, environment)
        – Harmonizes attributes across the (extended) organization
      • Coming soon…
    • 9. Risk-Adaptive Access Control (RAdAC)
      • (subject, resource, action, environment)
        – Dynamic risk levels as environment attributes
        – Threat level etc. from outside sources as well
      • Not anytime soon
    • 10. Evolution of Access Control Models
      Trends:
      • Finer granularity
      • More policy-based over ad-hoc
    • 11. XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC. One technology for all your evolving access control needs!
    • 12. eXtensible Access Control Markup Language
    • 13. Architecture
    • 14. Request
      <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
        <Subject>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                     DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>Julius Hibbert</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                     DataType="http://www.w3.org/2001/XMLSchema#anyURI">
            <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                     DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
          </Attribute>
        </Action>
        <Environment />
      </Request>
    • 15. Response
      <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
        <Result>
          <Decision>Permit</Decision>
          <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
          </Status>
        </Result>
      </Response>
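The exchange on slides 14 and 15, as an added example that is not code from the presentation or from any XACML product: the request is serialized with Python's standard-library ElementTree, and the response is checked the way a policy enforcement point should check it, failing closed on anything that is not an unambiguous Permit. The sample responses, the obligation identifier urn:example:obligation:log-access and the can_fulfil hook are constructed for the example.

```python
"""Build the XACML 2.0 request from the slide and apply a fail-closed PEP
decision to a response. Added example, not code from the presentation or
from any XACML implementation; the sample responses below are constructed."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
ET.register_namespace("", CTX)  # serialize with a default xmlns, as on the slide


def _ctx(local):
    return "{%s}%s" % (CTX, local)


def _add_attribute(parent, attribute_id, datatype, value):
    attr = ET.SubElement(parent, _ctx("Attribute"),
                         AttributeId=attribute_id, DataType=XS + datatype)
    ET.SubElement(attr, _ctx("AttributeValue")).text = value


def build_request(subject_id, resource_id, action_id):
    """Serialize a single subject/resource/action request (PEP -> PDP)."""
    req = ET.Element(_ctx("Request"))
    _add_attribute(ET.SubElement(req, _ctx("Subject")),
                   "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "string", subject_id)
    _add_attribute(ET.SubElement(req, _ctx("Resource")),
                   "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "anyURI", resource_id)
    _add_attribute(ET.SubElement(req, _ctx("Action")),
                   "urn:oasis:names:tc:xacml:1.0:action:action-id", "string", action_id)
    ET.SubElement(req, _ctx("Environment"))
    return ET.tostring(req, encoding="unicode")


def request_attribute(request_xml, category, attribute_id):
    """Read one attribute value back out of a serialized request (round-trip check)."""
    root = ET.fromstring(request_xml)
    for attr in root.iterfind(_ctx(category) + "/" + _ctx("Attribute")):
        if attr.get("AttributeId") == attribute_id:
            return attr.findtext(_ctx("AttributeValue"))
    return None


def pep_allows(response_xml, can_fulfil=lambda obligation_id: False):
    """Fail closed: grant only on Decision=Permit with status ok and every
    Permit-bound obligation fulfillable. Deny, NotApplicable, Indeterminate,
    a non-ok status, a malformed response or an obligation the PEP cannot
    honour all yield False."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    result = root.find(_ctx("Result"))
    if result is None or result.findtext(_ctx("Decision")) != "Permit":
        return False
    code = result.find(_ctx("Status") + "/" + _ctx("StatusCode"))
    if code is None or code.get("Value") != STATUS_OK:
        return False
    # In XACML 2.0 <Obligations> is in the policy namespace, so match the local name only.
    for el in result.iter():
        if el.tag.split("}")[-1] == "Obligation" and el.get("FulfillOn", "Permit") == "Permit":
            if not can_fulfil(el.get("ObligationId")):
                return False
    return True


# Constructed sample responses for the PEP to evaluate.
RESPONSE_PERMIT = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="%s"/></Status></Result></Response>' % (CTX, STATUS_OK))
RESPONSE_INDETERMINATE = (
    '<Response xmlns="%s"><Result><Decision>Indeterminate</Decision><Status>'
    '<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>'
    '</Status></Result></Response>' % CTX)
RESPONSE_PERMIT_WITH_OBLIGATION = (
    '<Response xmlns="%s" xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">'
    '<Result><Decision>Permit</Decision><Status><StatusCode Value="%s"/></Status>'
    '<xacml:Obligations><xacml:Obligation ObligationId="urn:example:obligation:log-access" '
    'FulfillOn="Permit"/></xacml:Obligations></Result></Response>' % (CTX, STATUS_OK))

if __name__ == "__main__":
    print(build_request("Julius Hibbert", "http://medico.com/record/patient/BartSimpson", "read"))
    print(pep_allows(RESPONSE_PERMIT), pep_allows(RESPONSE_INDETERMINATE),
          pep_allows(RESPONSE_PERMIT_WITH_OBLIGATION),
          pep_allows(RESPONSE_PERMIT_WITH_OBLIGATION, lambda oid: oid.endswith("log-access")))
```

The obligation check is the part practitioners most often skip: a Permit carrying an obligation the PEP does not know how to perform must be treated as a Deny, otherwise a "log this access" obligation silently turns into unlogged access. The standard-library parser is acceptable here because the response comes from the PDP the PEP already trusts; XML from less trusted parties should go through a hardened parser such as defusedxml.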
    • 16. Policy Language (1)
      • Hierarchical structure: PolicySet → Policy → Rule
    • 17. Policy Language (2)
      • Target filters applicable requests
        – In PolicySet, Policy, and Rule
        – Using attribute matching
      • Condition refines further
        – Powerful expression language
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
          <SubjectAttributeDesignator
              SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
              MustBePresent="true"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
        </Apply>
      </Condition>
    • 18. Attribute Matching
      (the slide annotates the Effect, the matching Function, the Attribute Value, the Attribute ID and the Data Type; the annotations are shown here as XML comments)
      <Rule RuleId="…" Effect="Permit">
        <!-- Effect="Permit" -->
        <Description>…</Description>
        <Target>
          <Subjects>
            <Subject>
              <!-- Function: the standard string-equal function is in the 1.0 function namespace -->
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <!-- Attribute Value -->
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
                <!-- Attribute ID and Data Type -->
                <SubjectAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="http://www.w3.org/2001/XMLSchema#string" />
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>…</Resources>
          <Actions>…</Actions>
          <Environments>…</Environments>
        </Target>
        <Condition>…</Condition>
      </Rule>
    • 19. Conflict Resolution
      • Multiple rules can be applicable
      • Conflicts are resolved by Combining Algorithms
        – Policy has a Rule Combining Algorithm
        – PolicySet has a Policy Combining Algorithm
      • Standard Combining Algorithms:
        – permit-overrides
        – deny-overrides
        – first-applicable
        – only-one-applicable (policy combining only)
        – ordered-permit-overrides
        – ordered-deny-overrides
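To make the combining algorithms concrete, here is an added example (not from the presentation or from any XACML implementation) that models rule evaluation together with the deny-overrides, permit-overrides and first-applicable rule-combining algorithms as XACML 2.0 specifies them, including what each does with a rule that evaluates to Indeterminate because a MustBePresent attribute is missing. The rules, the attribute identifiers urn:example:subject:role and urn:example:environment:hour, and the requests are constructed.

```python
"""Minimal model of XACML 2.0 rule evaluation and three standard
rule-combining algorithms, showing how the same rules yield different
decisions depending on the algorithm. Added example, not code from the
presentation or from any XACML implementation; rules and requests are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Request context: category -> attribute id -> value (single-valued for brevity).
Request = Dict[str, Dict[str, str]]


class MissingAttribute(Exception):
    """A designator with MustBePresent="true" found no value."""


def designator(category, attribute_id, must_be_present=False):
    """Model of an AttributeDesignator: look an attribute up in the request."""
    def lookup(req):
        value = req.get(category, {}).get(attribute_id)
        if value is None and must_be_present:
            raise MissingAttribute(category + "/" + attribute_id)
        return value
    return lookup


@dataclass
class Rule:
    rule_id: str
    effect: str                                                        # Permit or Deny
    target: Dict[Tuple[str, str], str] = field(default_factory=dict)   # attribute matches
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req):
        for (category, attribute_id), wanted in self.target.items():
            if req.get(category, {}).get(attribute_id) != wanted:
                return NOT_APPLICABLE                 # Target does not match
        if self.condition is None:
            return self.effect
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE                      # Condition could not be evaluated


def deny_overrides(rules, req):
    potential_deny = any_permit = any_error = False
    for rule in rules:
        d = rule.evaluate(req)
        if d == DENY:
            return DENY
        if d == PERMIT:
            any_permit = True
        elif d == INDETERMINATE:
            any_error = True
            potential_deny |= rule.effect == DENY     # an errored Deny rule still denies
    if potential_deny:
        return DENY
    if any_permit:
        return PERMIT
    return INDETERMINATE if any_error else NOT_APPLICABLE


def permit_overrides(rules, req):
    potential_permit = any_deny = any_error = False
    for rule in rules:
        d = rule.evaluate(req)
        if d == PERMIT:
            return PERMIT
        if d == DENY:
            any_deny = True
        elif d == INDETERMINATE:
            any_error = True
            potential_permit |= rule.effect == PERMIT
    if potential_permit:
        return INDETERMINATE                          # an errored Permit rule never permits
    if any_deny:
        return DENY
    return INDETERMINATE if any_error else NOT_APPLICABLE


def first_applicable(rules, req):
    for rule in rules:
        d = rule.evaluate(req)
        if d != NOT_APPLICABLE:
            return d                                  # Permit, Deny or Indeterminate, in rule order
    return NOT_APPLICABLE


ALGORITHMS = {"deny-overrides": deny_overrides,
              "permit-overrides": permit_overrides,
              "first-applicable": first_applicable}

SUBJECT, ACTION, ENV = "access-subject", "action", "environment"
ROLE, HOUR = "urn:example:subject:role", "urn:example:environment:hour"   # constructed ids
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed policy: an after-hours Deny rule listed before a Permit rule for
# physicians. The Deny rule insists that the hour attribute be present.
hour_of_day = designator(ENV, HOUR, must_be_present=True)
POLICY_RULES = [
    Rule("deny-after-hours", DENY, target={(ACTION, ACTION_ID): "read"},
         condition=lambda req: int(hour_of_day(req)) >= 18),
    Rule("permit-physician-read", PERMIT,
         target={(SUBJECT, ROLE): "physician", (ACTION, ACTION_ID): "read"}),
]


def request(role, hour=None):
    req = {SUBJECT: {ROLE: role}, ACTION: {ACTION_ID: "read"}, ENV: {}}
    if hour is not None:
        req[ENV][HOUR] = str(hour)
    return req


def decide_all(req):
    """Run every algorithm over the same rules and request."""
    return {name: alg(POLICY_RULES, req) for name, alg in ALGORITHMS.items()}


if __name__ == "__main__":
    for label, req in [("physician, 10h", request("physician", 10)),
                       ("physician, 20h", request("physician", 20)),
                       ("physician, hour unknown", request("physician")),
                       ("nurse, 10h", request("nurse", 10))]:
        print(label, decide_all(req))
```

The "hour unknown" request is the instructive case: under deny-overrides an errored Deny rule still denies, under permit-overrides the later Permit rule wins, and first-applicable surfaces the Indeterminate for the PEP to handle. Choosing a combining algorithm is therefore a security decision rather than a stylistic one; deny-overrides is the conservative default when the Deny rules encode hard restrictions.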
    • 20. Obligations
      • Action that the PEP (Policy Enforcement Point) must perform
        – Email manager, log access, …
      • Optional part of the specification
    • 21. X stands for eXtensible
      • Custom attribute IDs
      • Custom functions
      • Custom data types
      • Custom combining algorithms
    • 22. Optional Profiles
      • RBAC
      • Multiple Resource
      • Hierarchical Resource
      • Privacy
      • SAML
      • XML Digital Signature
    • 23. What’s new in 3.0
      • Subject/Resource/Action/Environment generalized into attribute categories
      • Advice (like an obligation, but the PEP may disregard it)
      • Obligations & advice can be dynamic (attribute values computed at evaluation time)
      • More functions and combining algorithms (better handling of Indeterminate in combining algorithms, new combining algorithms)
      • XPath improvements (XPath data type)
      • Updated profiles
        – Multiple Resource (now Multiple Decision): decision schemes
        – SAML: pass policies with the request
      • New profiles
        – Administration & Delegation (policies about who can change policies)
        – Export
        – Intellectual Property (in progress)
    • 24. Implementations
      • Commercial
      • Embedded
      • Open Source, e.g. Sun XACML
    • 25. Q&A sinnema313
    • 26. THANK YOU