Authorization: The Missing Piece of the Puzzle

Presented by Srijith Nair from Axiomatics at Nordic APIs in Copenhagen the 21st of May 2013

Published in: Business, Technology

  1. Authorization: The Missing Piece of the Puzzle
     © 2013, Axiomatics AB
     Srijith Nair, Director, Developer Relations (@srijith, @axiomatics)
  2. Show of Hands: Authorization? XACML?
  3. Authentication (AuthN)
     Identity is key. Services need to know who you are, and you need to prove who you are. Several protocols exist to support Authentication.
     “Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”
  4. Authorization (AuthZ)
     Identity is key, but it is not everything. Authentication proves your identity; it does not decide what that identity entails. Enter Authorization.
     “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
  5. AuthN vs. AuthZ
     Some frameworks and standards confuse both phases: often AuthN ≡ AuthZ, i.e. if you have authenticated then you are in…
     AuthZ is part of a bigger process: Identify, Authenticate, Authorize. Think of the access to your APIs…
  6. AuthZ addresses various concerns
     Business-driven authorization: let “Gold” customers access APIs 1 and 2 but not 3; let “Platinum” customers access all APIs.
     Compliance-driven authorization: do not let traders approve transactions they requested.
     Privacy-driven authorization: do not disclose medical data to non-employee users.
  7. Authorization Approaches
     Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC).
     RBAC is widely adopted, well understood and industry-standard, and simple; most apps support some form of RBAC.
  8. Problem with RBAC?
     Inflexible and static; difficult to define fine-grained access control rules; doesn’t scale (role explosion).
     How to implement the rule: “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship.”
     Where’s the role? Doctor. What’s a patient? A record? A care relationship?
  9. Attributes, Attributes, Attributes!
     Pull out the highlighter. What if we were not limited to roles? “Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship.”
  10. Attribute-based access control
     Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests.
     Attributes are sets of labels or properties that describe all aspects of entities that must be considered for authorization purposes. Each attribute consists of a key-value pair such as “Class=Gold” or “OS=Windows”.
  11. ABAC – beyond RBAC
     Role-Based Access Control: User → Role → Permissions; static and pre-defined.
     Attribute-Based Access Control: User + Action + Resource + Context, expressed as attributes and policies; dynamic and adaptive.
     Example: doctors can open and edit a patient’s health record in the hospital emergency room at 3PM.
  12. Attribute-based Access Control: eXtensible Authorization – Future Proofing
     External to applications; standards-compliant authorization service; fine-grained; context-aware.
  13. Enter XACML
  14. What is XACML?
     Pronunciation. eXtensible Access Control Markup Language. OASIS standard: V 3.0 approved in January 2013; V 1.0 approved in 2003 (10 years ago!).
     XACML is expressed as a specification document and an XML schema. A REST profile for XACML exists (CSD).
  15. What does XACML contain?
     XACML = Reference Architecture + Policy Language + Request/Response Protocol.
  16. XACML Architecture: Access request
  17. XACML Architecture: Enforce – Policy Enforcement Point (PEP)
  18. XACML Architecture: Enforce – PEP; Decide – Policy Decision Point (PDP)
  19. XACML Architecture: Enforce – PEP; Decide – PDP; Support – Policy Information Point (PIP), Policy Retrieval Point (PRP)
  20. XACML Architecture: Enforce – PEP; Decide – PDP; Support – PIP, PRP; Manage – Policy Administration Point (PAP)
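To make the reference architecture and the doctor rule from the RBAC slides concrete, here is an added toy implementation in plain Python (not code from the slides or from Axiomatics). A PEP guards the resource, a PDP evaluates attribute-based rules, a PIP resolves the attributes the request does not carry (the doctor's unit, the patient's unit, the care relationships), and a PAP is where the rules are loaded from. The user and patient directories are constructed sample data, and the rules use first-applicable combining; a role-only check is included alongside to show what RBAC on its own can express.

```python
"""Toy XACML-style reference architecture (added example, not from the slides).

The rule is the one quoted on the "Problem with RBAC?" slide:
  doctors may VIEW records of patients assigned to their unit, and
  EDIT records of patients with whom they have a care relationship.
All user and patient data below is constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample directories (assumed data: a user store and a patient index).
USERS = {
    "dr_alice":  {"role": "doctor", "unit": "cardiology", "care_patients": {"p-1"}},
    "dr_bob":    {"role": "doctor", "unit": "oncology",   "care_patients": {"p-2"}},
    "nurse_eve": {"role": "nurse",  "unit": "cardiology", "care_patients": set()},
}
PATIENTS = {"p-1": {"unit": "cardiology"}, "p-2": {"unit": "oncology"}, "p-3": {"unit": "cardiology"}}


class PIP:
    """Policy Information Point: resolves attributes not present in the request."""
    def subject_attrs(self, user_id: str) -> Dict:
        return USERS.get(user_id, {})

    def resource_attrs(self, patient_id: str) -> Dict:
        return PATIENTS.get(patient_id, {})


@dataclass
class Rule:
    effect: str                                    # "Permit" or "Deny"
    action: str                                    # action the rule applies to
    condition: Callable[[Dict, Dict, Dict], bool]  # (subject, resource, request) -> bool


class PAP:
    """Policy Administration Point: where the rules are authored and loaded from."""
    @staticmethod
    def load() -> List[Rule]:
        return [
            # view: the subject is a doctor AND the patient is assigned to the doctor's unit
            Rule("Permit", "view", lambda s, r, req:
                 s.get("role") == "doctor" and s.get("unit") == r.get("unit")),
            # edit: the subject is a doctor AND has a care relationship with this patient
            Rule("Permit", "edit", lambda s, r, req:
                 s.get("role") == "doctor" and req["resource_id"] in s.get("care_patients", set())),
        ]


class PDP:
    """Policy Decision Point: returns Permit, NotApplicable or Indeterminate."""
    def __init__(self, rules: List[Rule], pip: PIP):
        self.rules, self.pip = rules, pip

    def decide(self, request: Dict) -> str:
        subject = self.pip.subject_attrs(request["subject_id"])
        resource = self.pip.resource_attrs(request["resource_id"])
        if not subject or not resource:
            return "Indeterminate"  # attributes could not be resolved, so no decision
        for rule in self.rules:     # first-applicable combining
            if rule.action == request["action"] and rule.condition(subject, resource, request):
                return rule.effect
        return "NotApplicable"      # no rule matched


class PEP:
    """Policy Enforcement Point: only an explicit Permit grants access."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def access(self, subject_id: str, action: str, resource_id: str) -> Tuple[bool, str]:
        request = {"subject_id": subject_id, "action": action, "resource_id": resource_id}
        decision = self.pdp.decide(request)
        return decision == "Permit", decision


def rbac_only(subject_id: str, action: str) -> bool:
    """What a role-only check can express: every doctor may view and edit every record."""
    return USERS.get(subject_id, {}).get("role") == "doctor" and action in {"view", "edit"}


pep = PEP(PDP(PAP.load(), PIP()))

if __name__ == "__main__":
    for who, what, rec in [("dr_alice", "view", "p-3"), ("dr_alice", "edit", "p-3"), ("dr_bob", "edit", "p-1")]:
        print(who, what, rec, "-> ABAC:", pep.access(who, what, rec), "| RBAC-only:", rbac_only(who, what))
```

Note that anything other than an explicit Permit (NotApplicable because no rule matched, Indeterminate because the PIP could not resolve a subject or patient) is treated by the PEP as a denial; a lookup failure never falls through to access.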
  21. What does XACML contain?
     XACML = Reference Architecture + Policy Language + Request/Response Protocol.
  22. Attributes & Categories
     Everything can be described in terms of attributes. Attributes can be grouped into categories: Subject, Action, Resource, Environment, and many more… It’s all about Attributes! (ABAC)
  23. Examples of attributes
     Subject | Action | Resource | Environment
     A user … | … wants to do something … | … with an information asset … | … in a given context
     Examples:
     A claims administrator … | … wants to register a … | … claim receipt for a new claim … | … via a secure channel authenticated using the corporate smart card
     An adjuster … | … wants to approve payments of … | … claim payment … | … from his office computer during regular business hours
     A manager … | … wants to assign a claim … | … to a claim adjuster … | … at 2 o’clock at night from a hotel lounge in Chisinau …
  24. Example XACML 3.0 Request, XML (several AttributeId and DataType values are left blank on the slide)
     <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
                        xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
         <xacml-ctx:Attribute AttributeId="" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="">Laptop</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
         <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="">approve</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
         <xacml-ctx:Attribute AttributeId="" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="">Manager</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
       <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
         <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="">SE</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
         <xacml-ctx:Attribute AttributeId="" IncludeInResult="true">
           <xacml-ctx:AttributeValue DataType="">Purchase Order</xacml-ctx:AttributeValue>
         </xacml-ctx:Attribute>
       </xacml-ctx:Attributes>
     </xacml-ctx:Request>
  25. Example XACML 3.0 Response
     <xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
       <xacml-ctx:Result>
         <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
         <xacml-ctx:Status>
           <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
         </xacml-ctx:Status>
       </xacml-ctx:Result>
     </xacml-ctx:Response>
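The request and response documents on the two slides above can be produced and consumed with nothing but the Python standard library. The following is an added example (not code from the slides or from Axiomatics): it builds a XACML 3.0 Request from per-category attribute lists, parses one back, and extracts the Decision and StatusCode from a Response. The namespace, category URIs and the action-id identifier are those on the slides; subject-id, role, resource-id and the XML Schema string data type are standard XACML identifiers; "device-type" and "resource-type" are identifiers assumed for this example, and the sample values are the ones from the "Structure of a XACML Request / Response" slide (Alice, Manager, approve, Purchase Order 12367, Laptop).

```python
"""Building and parsing XACML 3.0 Request/Response XML (added example, not from the slides)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORY = {
    "subject":     "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "action":      "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "resource":    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"      # standard identifier
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"                    # standard identifier (RBAC profile)
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"           # from the slide
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"     # standard identifier
DECISIONS = {"Permit", "Deny", "Indeterminate", "NotApplicable"}

ET.register_namespace("xacml-ctx", NS)   # keep the slide's prefix when serializing


def tag(name: str) -> str:
    """Clark-notation tag name in the XACML 3.0 namespace."""
    return "{%s}%s" % (NS, name)


def build_request(attrs: Dict[str, List[Tuple[str, str]]]) -> str:
    """attrs maps a category name to (AttributeId, value) pairs; returns the Request XML."""
    root = ET.Element(tag("Request"), {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, pairs in attrs.items():
        holder = ET.SubElement(root, tag("Attributes"), {"Category": CATEGORY[category]})
        for attr_id, value in pairs:
            attr = ET.SubElement(holder, tag("Attribute"), {"AttributeId": attr_id, "IncludeInResult": "true"})
            ET.SubElement(attr, tag("AttributeValue"), {"DataType": XS_STRING}).text = value
    return ET.tostring(root, encoding="unicode")


def parse_request(xml_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Inverse of build_request: {category: {AttributeId: [values]}}; unknown categories keep their URI."""
    root = ET.fromstring(xml_text)
    if root.tag != tag("Request"):
        raise ValueError("not a XACML 3.0 Request")
    name_of = {uri: name for name, uri in CATEGORY.items()}
    result: Dict[str, Dict[str, List[str]]] = {}
    for holder in root.findall(tag("Attributes")):
        category = holder.get("Category")
        bucket = result.setdefault(name_of.get(category, category), {})
        for attr in holder.findall(tag("Attribute")):
            values = [v.text or "" for v in attr.findall(tag("AttributeValue"))]
            bucket.setdefault(attr.get("AttributeId"), []).extend(values)
    return result


def parse_response(xml_text: str) -> Tuple[str, str]:
    """Returns (Decision, StatusCode Value) of the first Result; rejects unknown decisions."""
    root = ET.fromstring(xml_text)
    result = root.find(tag("Result"))
    if result is None:
        raise ValueError("Response carries no Result")
    decision = result.findtext(tag("Decision"))
    if decision not in DECISIONS:
        raise ValueError("unknown decision %r" % decision)
    status = result.find(tag("Status") + "/" + tag("StatusCode"))
    value = status.get("Value") if status is not None else ""
    return decision, value


# Constructed sample request: "Can Manager Alice approve Purchase Order 12367?"
SAMPLE_ATTRS = {
    "subject": [(SUBJECT_ID, "Alice"), (ROLE, "Manager")],
    "action": [(ACTION_ID, "approve")],
    "resource": [("resource-type", "Purchase Order"), (RESOURCE_ID, "12367")],
    "environment": [("device-type", "Laptop")],
}
# The Permit/ok response from the "Example XACML 3.0 Response" slide.
SAMPLE_RESPONSE = (
    '<xacml-ctx:Response xmlns:xacml-ctx="%s"><xacml-ctx:Result>'
    '<xacml-ctx:Decision>Permit</xacml-ctx:Decision><xacml-ctx:Status>'
    '<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
    '</xacml-ctx:Status></xacml-ctx:Result></xacml-ctx:Response>' % NS
)

if __name__ == "__main__":
    print(build_request(SAMPLE_ATTRS))
    print(parse_response(SAMPLE_RESPONSE))
```

The parser deliberately rejects a Decision outside the four values defined by the standard rather than mapping it to a boolean: a PEP that interprets an unexpected response as anything other than "no access" turns a malformed or tampered reply into a grant.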
  26. Language Elements of XACML
     3 levels of elements: PolicySet, Policy, Rule. At the root is a PolicySet or a Policy. A PolicySet can contain PolicySets and Policies; a Policy can contain Rules. A Rule has an Effect: Permit or Deny.
     Rule evaluation returns PERMIT, DENY, Indeterminate or NotApplicable. Rules are combined by Rule Combining Algorithms, Policies by Policy Combining Algorithms.
  27. Language Structure: Russian dolls
     All 3 elements can contain Target elements (T). At the heart of most Rules is a Condition (C). Obligation/Advice (O) can be specified at all 3 levels.
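The nesting and the combining algorithms on the two slides above are easiest to see in a small evaluator. The following is an added example (not code from the slides or from Axiomatics): Rule, Policy and PolicySet each carry an optional Target, a Rule additionally a Condition, and a Policy or PolicySet combines its children's decisions with deny-overrides, permit-overrides or first-applicable. The combining algorithms are simplified in one respect, which is an assumption of this example: XACML 3.0's extended Indeterminate{D}/{P}/{DP} values are collapsed into a single Indeterminate. The sample PolicySet combines the privacy rule from the "AuthZ addresses various concerns" slide with the doctor rule; the request attributes are constructed.

```python
"""PolicySet / Policy / Rule evaluation with combining algorithms (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Predicate = Callable[[dict], bool]   # evaluated over the request; raises KeyError if an attribute is absent


def _matches(pred: Optional[Predicate], req: dict) -> bool:
    """An absent Target/Condition matches everything."""
    return True if pred is None else pred(req)


@dataclass
class Rule:
    rule_id: str
    effect: str                             # PERMIT or DENY
    target: Optional[Predicate] = None      # T on the slide
    condition: Optional[Predicate] = None   # C on the slide

    def evaluate(self, req: dict) -> str:
        try:
            if not _matches(self.target, req) or not _matches(self.condition, req):
                return NOT_APPLICABLE
            return self.effect
        except KeyError:                    # a referenced attribute is missing from the request
            return INDETERMINATE


# Combining algorithms (simplified: one Indeterminate value, see lead-in).
def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    if PERMIT in decisions:
        return PERMIT
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return DENY if DENY in decisions else NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


def _evaluate_container(target, combining, children, req: dict) -> str:
    """Shared by Policy and PolicySet: check the Target, then combine the children."""
    try:
        if not _matches(target, req):
            return NOT_APPLICABLE
    except KeyError:
        return INDETERMINATE
    return combining([child.evaluate(req) for child in children])


@dataclass
class Policy:
    policy_id: str
    combining: Callable[[List[str]], str]   # rule combining algorithm
    rules: List[Rule]
    target: Optional[Predicate] = None

    def evaluate(self, req: dict) -> str:
        return _evaluate_container(self.target, self.combining, self.rules, req)


@dataclass
class PolicySet:
    set_id: str
    combining: Callable[[List[str]], str]   # policy combining algorithm
    children: List[Union["PolicySet", Policy]]   # Russian dolls: sets inside sets
    target: Optional[Predicate] = None

    def evaluate(self, req: dict) -> str:
        return _evaluate_container(self.target, self.combining, self.children, req)


def is_doctor(req: dict) -> bool:
    return req["subject"]["role"] == "doctor"


# Constructed sample PolicySet: privacy rule (Deny) over the doctor rules (Permit), deny-overrides.
RECORDS = PolicySet("records", deny_overrides, target=lambda req: req["resource"]["type"] == "medical-record", children=[
    Policy("privacy", deny_overrides, [
        Rule("non-employee", DENY, condition=lambda req: not req["subject"]["employee"]),
    ]),
    Policy("doctors", first_applicable, [
        Rule("view-own-unit", PERMIT, target=lambda req: req["action"]["id"] == "view",
             condition=lambda req: is_doctor(req) and req["subject"]["unit"] == req["resource"]["unit"]),
        Rule("edit-care-relationship", PERMIT, target=lambda req: req["action"]["id"] == "edit",
             condition=lambda req: is_doctor(req) and req["resource"]["patient"] in req["subject"]["care_patients"]),
    ]),
])


def request(role, unit, action, patient, patient_unit, employee=True, care=()) -> dict:
    """Constructed request: Subject / Action / Resource attribute categories as nested dicts."""
    return {"subject": {"role": role, "unit": unit, "employee": employee, "care_patients": set(care)},
            "action": {"id": action},
            "resource": {"type": "medical-record", "patient": patient, "unit": patient_unit}}
```

With deny-overrides at the set level, a non-employee doctor is denied even though the doctor policy permits; swapping in permit-overrides reverses that outcome, which is why the choice of combining algorithm is a security decision and not a formatting detail. A request that lacks an attribute a rule depends on (here the employee flag) yields Indeterminate rather than a silent permit.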
  28. What does XACML contain?
     XACML = Reference Architecture + Policy Language + Request/Response Protocol.
  29. XACML Concepts
     It’s all about Attributes! ABAC = Attribute Based Access Control. XACML Policies, the XACML Request and the XACML Response are all expressed over Subject, Action, Resource and Environment attributes.
  30. Structure of a XACML Request / Response
     XACML Request (“Can Manager Alice approve Purchase Order 12367?”):
     • Subject: User id = Alice; Role = Manager
     • Action: Action id = approve
     • Resource: Resource type = Purchase Order; PO # = 12367
     • Environment: Device Type = Laptop
     XACML Response (“Yes, she can”):
     • Result: Decision: Permit; Status: ok
     The core XACML specification does not define any specific transport/communication protocol: developers can choose their own, and the SAML profile defines a binding to send requests/responses over SAML assertions.
  31. Obligation & Advice
     In addition, a XACML response can also contain:
     Obligation: the PEP must comply with the obligation and is required to deny access if it cannot understand or enforce the obligation.
     Advice: the PEP may comply with the advice; it can be safely ignored if not understood or if it cannot be acted on.
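The asymmetry between Obligation and Advice on the slide above is exactly the logic a PEP has to get right, so here is an added example of that enforcement step (not code from the slides or from Axiomatics). It works on the decoded form of a Response (decision plus attached obligations and advice, as dicts), looks each one up in a handler table, and grants access only for a Permit whose obligations were all understood and fulfilled; advice that is unknown or fails is recorded and skipped. The obligation and advice identifiers and the two handlers are constructed for this example.

```python
"""PEP handling of Obligations and Advice (added example, not from the slides)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Handler = Callable[[Dict[str, str]], bool]   # returns True when the obligation/advice was carried out


@dataclass
class Outcome:
    granted: bool
    fulfilled: List[str] = field(default_factory=list)   # obligations and advice carried out
    failed: List[str] = field(default_factory=list)      # obligations that could not be fulfilled
    ignored: List[str] = field(default_factory=list)     # advice skipped


def _run(handler: Handler, attributes: Dict[str, str]) -> bool:
    """A handler that raises counts as not fulfilled."""
    try:
        return bool(handler(attributes))
    except Exception:
        return False


class PEP:
    def __init__(self, obligation_handlers: Dict[str, Handler], advice_handlers: Dict[str, Handler]):
        self.obligation_handlers = obligation_handlers
        self.advice_handlers = advice_handlers

    def enforce(self, response: dict) -> Outcome:
        out = Outcome(granted=False)
        # Obligations bind the PEP whatever the decision; an unknown or failed one forces deny.
        for ob in response.get("obligations", []):
            handler = self.obligation_handlers.get(ob["id"])
            if handler is None or not _run(handler, ob.get("attributes", {})):
                out.failed.append(ob["id"])
            else:
                out.fulfilled.append(ob["id"])
        # Advice is optional: unknown or failing advice is skipped and never blocks access.
        for adv in response.get("advice", []):
            handler = self.advice_handlers.get(adv["id"])
            if handler is not None and _run(handler, adv.get("attributes", {})):
                out.fulfilled.append(adv["id"])
            else:
                out.ignored.append(adv["id"])
        out.granted = response.get("decision") == "Permit" and not out.failed
        return out


# Constructed handlers: the PEP can write an audit record and send a notification (both simulated).
AUDIT_LOG: List[str] = []


def write_audit(attrs: Dict[str, str]) -> bool:
    AUDIT_LOG.append("%s %s" % (attrs.get("user"), attrs.get("action")))
    return True


def send_mail(attrs: Dict[str, str]) -> bool:
    return bool(attrs.get("to"))   # cannot be acted on without a recipient


pep = PEP(obligation_handlers={"urn:example:obligation:audit": write_audit},
          advice_handlers={"urn:example:advice:notify": send_mail})

if __name__ == "__main__":
    print(pep.enforce({"decision": "Permit",
                       "obligations": [{"id": "urn:example:obligation:audit",
                                        "attributes": {"user": "alice", "action": "approve"}}],
                       "advice": [{"id": "urn:example:advice:notify", "attributes": {}}]}))
```

Note that obligations attached to a Deny are still carried out (an audit record of a refused access is a common one); they simply cannot turn the decision into a grant.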
  32. Summary
     AuthN is not enough; AuthZ is needed. RBAC is often not enough; ABAC is needed. XACML is a prominent ABAC system. XACML consists of: Reference Architecture, Policy Language, Request/Response Protocol.
  33. Axiomatics
     Axiomatics is the world’s leading independent provider of dynamic AuthZ solutions. Our products enable efficient XACML-based authorization: APIs and SDKs for system integration, with Java and .NET support. APS Developer Edition provides you with all the power of our product in a ready-to-use package.
  34. Information: http://developers.axiomatics.com
  35. Questions? Contact us