In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Developer
1. XACML for Developers
Updates, New Tools, & Patterns for
the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics 1
2. What is XACML?
eXtensible Access Control Markup Language
Not guacamole
De facto standard
Defined at OASIS
3. XACML in the IAM spectrum
One of the several standards in the #IAM family:
SAML
SPML
LDAP
RBAC
ABAC…
SCIM
OpenID
OAuth
WS-*
4. Why XACML?
In a web 3.0 world where it’s about small apps and your data, it’s time to get leaks under control.
7. Authorization should really be about…
When? What? How? Where? Who? Why?
8. Example Scenario: Managing Purchase Orders
A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
9. Attributes
Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO status
Subject attributes: Identity, Department, Location, Approval limit, Role
Action attributes: Action type
Environment attributes: Device type, IP address, Time of day
Icons: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins (all from The Noun Project)
10. A simple rule
Anyone in the purchasing department can create purchase orders.
11. A richer rule
A manager in the purchasing department can approve purchase orders up to their approval limit, if and only if the PO location and the manager location are the same, and if and only if the manager is not the PO creator.
13. What does XACML contain?
XACML Reference Architecture
Policy Language
Request / Response Protocol
14. XACML Architecture & Flow
Enforce: Policy Enforcement Point (PEP)
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Flow shown on the slide: a user asks to access Document #123; the PEP intercepts the call and asks the PDP "Can Alice access Document #123?"; the PDP loads the XACML policies and retrieves the user role, clearance and document classification; the PDP answers "Yes, Permit"; the PEP lets the access to Document #123 through.
16. Language Elements of XACML
3 structural elements: PolicySet, Policy, Rule
Root: either a PolicySet or a Policy
PolicySets contain any number of PolicySets & Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms (how the decisions of the contained Rules and Policies are combined into one)
18. Language Structure: Russian dolls
PolicySet, Policy & Rule can contain Targets, Obligations and Advice
Rules can contain Conditions
Nesting shown on the slide: Policy Set (Target, Obligation) contains Policy (Target, Obligation) contains Rule (Effect=Permit, Target, Obligation, Condition)
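To make the nesting and the combining algorithm concrete, here is a miniature evaluator (added for this write-up, not code from the deck or from Axiomatics) that encodes the two purchase-order rules from slides 10 and 11 as Rules with Targets, Conditions and Effects inside a first-applicable Policy. The attribute ids, the `attr` helper and the deny-by-default last Rule are this example's own choices.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Request: category -> attribute id -> value. Attribute ids are constructed for
# this example (the deck's slide 9 attributes), not standard XACML URNs.
Request = Dict[str, Dict[str, object]]
def attr(req: Request, category: str, attr_id: str):
    return req.get(category, {}).get(attr_id)  # missing attribute reads as None

@dataclass
class Rule:
    effect: str                                 # "Permit" or "Deny"
    target: Callable[[Request], bool]           # is the rule relevant at all?
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> str:
        try:  # XACML 3.0: Target not matched or Condition false -> NotApplicable
            if not (self.target(req) and self.condition(req)):
                return "NotApplicable"
        except TypeError:  # e.g. a missing (None) amount: PDP reports Indeterminate
            return "Indeterminate"
        return self.effect

@dataclass
class Policy:
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        # first-applicable combining algorithm: the first Rule that is not
        # NotApplicable decides; an Indeterminate Rule makes the Policy Indeterminate.
        for rule in self.rules:
            decision = rule.evaluate(req)
            if decision != "NotApplicable":
                return decision
        return "NotApplicable"

PO_POLICY = Policy([
    # Slide 10: anyone in the purchasing department can create purchase orders.
    Rule("Permit", target=lambda r: attr(r, "subject", "department") == "purchasing"
         and attr(r, "action", "action-id") == "create"),
    # Slide 11: a purchasing manager can approve a PO up to their approval limit,
    # only in their own location, and never a PO they created themselves.
    Rule("Permit", target=lambda r: attr(r, "subject", "department") == "purchasing"
         and attr(r, "subject", "role") == "manager"
         and attr(r, "action", "action-id") == "approve",
         condition=lambda r: attr(r, "resource", "amount") <= attr(r, "subject", "approval-limit")
         and attr(r, "resource", "location") == attr(r, "subject", "location")
         and attr(r, "resource", "creator") != attr(r, "subject", "user-id")),
    # Catch-all last Rule, so the Policy answers Deny rather than NotApplicable.
    Rule("Deny", target=lambda r: True),
])
```

Note how an over-limit approval makes the approve Rule NotApplicable (its Target matches but its Condition is false), and only the catch-all turns that into a Deny.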
20. Structure of a XACML Request / Response
XACML Request: Can Manager Alice approve Purchase Order 12367?
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: Yes, she can
• Result: Decision: Permit, Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
21. So what’s in it for the developer?
22. #1 A single authorization model & framework
24. #1.b and across different technology stacks
Java
C
Objective-C
C++
C#
PHP
Python
(Visual) Basic
Perl
Ruby
JavaScript
Visual Basic .NET
Lisp
Pascal
Delphi/Object Pascal
Share of programming languages (Feb 2013)
25. #2 A rich language to express many scenarios
ACLs
RBAC
Whitelists
Segregation-of-Duty
Relation-based
Trust Elevation
Device-based
Break the glass
Privacy protection
ABAC
Rich business flows
Data redaction
26. #3 Developer-friendly APIs: the REST profile of XACML
OASIS XACML profile
Designed by Remon Sinnema of EMC2
XML over HTTP
JSON over HTTP
27. #3 Developer-friendly APIs (cont’d)
Drop the…
Use curl, Perl, and Python with the REST API
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
28. #4 Simplified request/response: use the JSON profile of XACML
Idea: remove the verbose aspects of XACML, focus on the key points, and make a request easy to read.
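The request from slide 20 written in the JSON profile and sent the REST-profile way, as an added example (not code from the deck or from Axiomatics). The PEP-side helper treats anything other than a single clean Permit (Deny, NotApplicable, Indeterminate, an error status, malformed JSON) as no access, which is what the `if(authorized())` call of slide 36 should wrap. The `urn:example:*` attribute ids, the PDP URL passed to `post_to_pdp` and the sample response are this example's own assumptions.

```python
import json
import urllib.request

# Standard XACML attribute and status identifiers from the OASIS core spec.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
# The remaining attribute ids are constructed for this example.
ROLE_ID = "urn:example:role"
RESOURCE_TYPE_ID = "urn:example:resource-type"
DEVICE_ID = "urn:example:device-type"

def build_request(user_id, role, action, resource_type, po_id, device_type) -> dict:
    """JSON-profile request for slide 20: can Manager Alice approve PO 12367?"""
    def category(*attrs):
        # Each category carries an "Attribute" array; DataType defaults to string.
        return {"Attribute": [{"AttributeId": aid, "Value": val} for aid, val in attrs]}
    return {"Request": {
        "AccessSubject": category((SUBJECT_ID, user_id), (ROLE_ID, role)),
        "Action": category((ACTION_ID, action)),
        "Resource": category((RESOURCE_TYPE_ID, resource_type), (RESOURCE_ID, po_id)),
        "Environment": category((DEVICE_ID, device_type)),
    }}

def post_to_pdp(pdp_url: str, request: dict) -> str:
    """REST-profile style call: POST the JSON request to the PDP (needs a live PDP)."""
    req = urllib.request.Request(pdp_url, data=json.dumps(request).encode(), method="POST",
                                 headers={"Content-Type": "application/xacml+json",
                                          "Accept": "application/xacml+json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def decision_to_allow(response_json: str) -> bool:
    """PEP side, failing closed: only one well-formed Permit with an ok status grants
    access. Deny, NotApplicable, Indeterminate, error statuses and bad JSON mean no."""
    try:
        results = json.loads(response_json)["Response"]
        if len(results) != 1:  # one request in, exactly one Result expected out
            return False
        result = results[0]
        # Status is optional in the JSON profile; when present it must report ok.
        status = result.get("Status", {}).get("StatusCode", {}).get("Value", STATUS_OK)
        return result.get("Decision") == "Permit" and status == STATUS_OK
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

# Constructed sample response, in the shape a JSON-profile PDP returns.
SAMPLE_PERMIT = '{"Response": [{"Decision": "Permit", "Status": {"StatusCode": {"Value": "%s"}}}]}' % STATUS_OK
```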
31. #4 JSON & XML side-by-side comparison
[Chart: Size of a XACML request, XML vs JSON, measured in word count and character count]
32. #5 Easy authoring tools
Natural language authoring
Axiomatics Language for Authorization (ALFA)
Research initiative from TSSG
And many more coming…
33. #5 Axiomatics Language For AuthZ (cont’d)
Provide the right tools for easy authoring of XACML policies
Plugs into Eclipse IDE
High-level syntax
Auto-complete
Automatic translation to XACML 3.0
35. Benefits of using XACML #1
One consistent authorization model
Many different applications
Decide once, enforce everywhere
36. Benefits of using XACML #2
Adios endless if, else statements
Hello simple if(authorized())
[Chart: Developer Happiness Increase; Developer Happiness Index against the number of if / else statements terminated]
37. Benefits of using XACML #3
Security potholes are a thing of the past
XACML is the concrete that fills in the cracks in your authorization wall
38. Benefits of using XACML #4
Let developers do what they know best
Offload auditing and info security to security architects & auditors by externalizing authorization
Happy developer, happy auditor
39. Next steps?
Download XACML SDK
Download ALFA plugin
Download Eclipse
Code in your favorite language
Speaker notes:
Pronunciation. OASIS standard. V 3.0 approved in January 2013. V 1.0 approved in 2003 (10 years ago!). XACML is expressed as a specification document and an XML schema: http://www.oasis-open.org/committees/xacml/
Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why…
Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins
Context attributes: device type, IP, time of the day. Action attributes: Action id: create, approve, view.
Policy Enforcement Point: In the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.
Policy Decision Point: The PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision: Permit, Deny, Not Applicable, or Indeterminate.
Policy Retrieval Point: The PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.
Policy Information Point: XACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc. In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs, where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.
Policy Administration Point: The PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
Need to clarify the location constraint. Permit is assuming that Alice location == 12367 location.