© 2013, Axiomatics AB
Authorization
The Missing Piece of the Puzzle
@srijith
@axiomatics
Srijith Nair
Director, Developer Relations
Show of Hands:
Authorization?
XACML?
Identity is key
Services need to know who you are
You need to prove who you are
Several protocols exist to support Authentication
Authentication (AuthN)
“Authentication is the act of confirming the truth
of an attribute of a datum or entity. This might
involve confirming the identity of a person or
software program (…)”
Identity is key, but it is not everything
Authentication proves your identity
It does not decide what that identity entails
Enter Authorization
Authorization (AuthZ)
“The authorization function determines whether a
particular entity is authorized to perform a given
activity, typically inherited from authentication
when logging on to an application or service.”
Some frameworks and standards confuse the two phases
Often AuthN ≡ AuthZ: if you have authenticated, then you are in…
AuthZ is part of a bigger process
Identify
Authenticate
Authorize
Think of the access to your APIs…
AuthN vs. AuthZ
Business-driven authorization
Let “Gold” customers access APIs 1,2 but not 3
Let “Platinum” customers access all APIs
Compliance-driven authorization
Do not let traders approve transactions they
requested
Privacy-driven authorization
Do not disclose medical data to non-employee users
AuthZ addresses various concerns
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
It’s widely adopted
It’s well understood and industry-standard
It’s simple
Most apps support some form of RBAC
Authorization Approaches
Inflexible & static
Difficult to define fine-grained access control rules
Doesn’t scale
Role explosion
How to implement the rule:
Doctors should be able to view the records of patients
assigned to their unit and edit the records of those patients
with whom they have a care relationship
Where’s the role? Doctor
What’s a patient? A record? A care relationship?
Problem with RBAC?
Pull out the highlighter
What if we were not limited to roles?
Doctors should be able to view the
records of patients assigned to their
unit and edit the records of those
patients with whom they have a care
relationship
Attributes, Attributes, Attributes!
Attribute-Based Access Control (ABAC)
uses attributes as building blocks
in a structured language used to define access control
rules and
to describe access requests
Attributes
Are sets of labels or properties
Describe all aspects of entities that must be considered
for authorization purposes
Each attribute consists of a key-value pair such as
“Class=Gold”, “OS=Windows”
Attribute-based access control
ABAC – beyond RBAC
Role-Based Access Control: User → Role → Permissions. Static & pre-defined.
Attribute-Based Access Control: User + Action + Resource + Context, expressed as Attributes and Policies. Dynamic & Adaptive.
Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM.
[Diagram: Role 1 and Role 2, each mapped to a fixed set of permissions (P)]
eXtensible Authorization – Future Proofing
Authorization Service:
External to Applications
Standards-Compliant
Fine-Grained
Context-Aware
Attribute-based Access Control
Enter XACML
Pronunciation
eXtensible Access Control Markup Language
OASIS standard
V 3.0 approved in January 2013
V 1.0 approved in 2003 (10 years ago!)
XACML is expressed as
A specification document and
An XML schema
REST profile for XACML exists (CSD)
http://www.oasis-open.org/committees/xacml/
What is XACML?
What does XACML contain?
XACML consists of a Reference Architecture, a Policy Language and a Request / Response Protocol
XACML Architecture
Access request
Enforce: Policy Enforcement Point (PEP)
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Attributes & Categories
Everything can be described in terms of attributes
Attributes can be grouped into categories: Subject, Action, Resource, Environment, and many more…
It’s all about Attributes! ABAC
Examples of attributes
Subject: A user … | Action: … wants to do something … | Resource: … with an information asset … | Environment: … in a given context
Examples:
Subject: A claims administrator… | Action: …wants to register a … | Resource: … claim receipt for a new claim… | Environment: … via a secure channel authenticated using the corporate smart card
Subject: An adjuster… | Action: …wants to approve payments of … | Resource: … claim payment … | Environment: …from his office computer during regular business hours
Subject: A manager wants to … | Action: … assign a claim… | Resource: …to a claim adjuster… | Environment: … at 2 o’clock at night from a hotel lounge in Chisinau…
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Laptop</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/acs/role" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
Example XACML 3.0 Request, XML
<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
  </xacml-ctx:Result>
</xacml-ctx:Response>
Example XACML 3.0 Response
3 levels of elements: PolicySet, Policy, Rule
At root is PolicySet or Policy
PolicySet can contain PolicySet and Policy
Policy can contain Rule
Rule evaluation returns Permit, Deny, Indeterminate or NotApplicable
Rule Combining Algorithms (within a Policy)
Policy Combining Algorithms (within a PolicySet)
Language Elements of XACML
[Diagram: a PolicySet containing a PolicySet and Policies; each Policy contains Rules; each Rule has an Effect of Permit or Deny]
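As an added illustration (not from the slides or Axiomatics), a minimal Python evaluator for this three-level structure: a Rule has an Effect, Target and Condition, a rule-combining algorithm (deny-overrides here) merges the four possible results, and the doctor rule from the earlier slides is encoded with made-up attribute names (role, unit, care-patients, patient-unit, patient-id).

```python
# Minimal XACML-style evaluator (added illustration, not Axiomatics code).
# A Policy holds Rules; a Rule has an Effect, an optional Target and an optional
# Condition; a rule-combining algorithm merges the per-rule results into
# Permit / Deny / NotApplicable / Indeterminate. Attribute names are made up.
from dataclasses import dataclass
from typing import Callable, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Check = Callable[[dict], bool]   # predicate over request attributes; raises KeyError if data is missing

@dataclass
class Rule:
    rule_id: str
    effect: str                          # PERMIT or DENY
    target: Optional[Check] = None       # does the rule apply to this request at all?
    condition: Optional[Check] = None    # the fine-grained check

    def evaluate(self, req: dict) -> str:
        try:
            if self.target is not None and not self.target(req):
                return NOT_APPLICABLE
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE    # XACML 3.0: a false Condition yields NotApplicable
            return self.effect
        except KeyError:                 # a needed attribute is absent -> cannot decide
            return INDETERMINATE


def deny_overrides(results: list) -> str:
    """Rule-combining algorithm: any Deny wins, then Indeterminate, then Permit."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in results:
            return outcome
    return NOT_APPLICABLE


def evaluate_policy(rules: list, req: dict, target: Optional[Check] = None,
                    combining: Callable[[list], str] = deny_overrides) -> str:
    """A Policy: an optional Target, its Rules and a rule-combining algorithm."""
    try:
        if target is not None and not target(req):
            return NOT_APPLICABLE
    except KeyError:
        return INDETERMINATE
    return combining([rule.evaluate(req) for rule in rules])


# The slides' rule: doctors may view records of patients assigned to their unit
# and edit records of patients with whom they have a care relationship.
def is_doctor(r): return r["subject"]["role"] == "doctor"
def same_unit(r): return r["resource"]["patient-unit"] == r["subject"]["unit"]
def care_rel(r): return r["resource"]["patient-id"] in r["subject"]["care-patients"]
def action_is(a): return lambda r: r["action"]["action-id"] == a

MEDICAL_RECORDS = [
    Rule("view-own-unit", PERMIT, target=action_is("view"), condition=same_unit),
    Rule("edit-care-relationship", PERMIT, target=action_is("edit"), condition=care_rel),
]


def decide(subject: dict, action: str, resource: dict) -> str:
    """Run the medical-records policy for one request; a PEP would enforce the result."""
    req = {"subject": subject, "action": {"action-id": action}, "resource": resource, "environment": {}}
    return evaluate_policy(MEDICAL_RECORDS, req, target=is_doctor)
```

Note that a missing attribute yields Indeterminate rather than NotApplicable, so the PEP can tell "no rule matched" from "the PDP could not evaluate".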
All 3 elements can contain Target elements
At the heart of most Rules is a Condition
Obligation/Advice can be specified at all 3 levels
Language Structure: Russian dolls
[Diagram: PolicySet ⊃ PolicySet ⊃ Policy ⊃ Rule (Effect: Permit or Deny); each level carries a Target (T) and Obligation/Advice (O); the Rule also carries a Condition (C)]
O = Obligation / Advice
C = Condition
T = Target
XACML Concepts
It’s all about Attributes! ABAC = Attribute-Based Access Control
[Diagram: Subject, Action, Resource and Environment attributes appear in XACML Policies, in the XACML Request and in the XACML Response]
Structure of a XACML Request / Response
XACML Request: "Can Manager Alice approve Purchase Order 12367?"
• Subject: User id = Alice; Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order; PO # = 12367
• Environment: Device Type = Laptop
XACML Response: "Yes, she can"
• Result: Decision: Permit; Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
In addition, an XACML response can also contain:
Obligation: the PEP must comply with the obligation and is required to deny access if it cannot understand or enforce the obligation
Advice: the PEP may comply with the advice; it can be safely ignored if it is not understood or cannot be acted on
Obligation & Advice
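Added example (not from the slides or Axiomatics): Python helpers for the PEP side of the request/response exchange shown on the earlier slides and for the Obligation/Advice rules on this one. The obligation and advice identifiers and the sample response are constructed for the illustration; the XACML namespace, category URIs and subject-id/action-id identifiers are the standard ones.

```python
# PEP-side helpers for the XACML 3.0 request/response exchange (added example,
# not Axiomatics code). build_request() serialises attributes into the standard
# categories; enforce() applies the Obligation/Advice semantics: grant only when
# the Decision is Permit and every Obligation is understood and fulfilled, while
# Advice the PEP cannot act on is ignored. Obligation/advice ids are made up.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#"
CATEGORY = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
XS_TYPE = {str: "string", bool: "boolean", int: "integer"}  # DataType chosen from the value's type

def tag(name: str) -> str:
    return f"{{{NS}}}{name}"

def build_request(attrs: dict) -> bytes:
    """attrs = {"subject": {attribute-id: value, ...}, "action": {...}, ...}."""
    req = ET.Element(tag("Request"), ReturnPolicyIdList="false", CombinedDecision="false")
    for category, values in attrs.items():
        holder = ET.SubElement(req, tag("Attributes"), Category=CATEGORY[category])
        for attr_id, value in values.items():
            a = ET.SubElement(holder, tag("Attribute"), AttributeId=attr_id, IncludeInResult="false")
            v = ET.SubElement(a, tag("AttributeValue"), DataType=XS + XS_TYPE[type(value)])
            v.text = str(value).lower() if isinstance(value, bool) else str(value)  # xs:boolean is lowercase
    return ET.tostring(req)

def enforce(response_xml: bytes, obligation_handlers: dict, advice_handlers: dict = None) -> bool:
    """Return True only if the PEP may grant access. Handlers map ids to callables
    taking the Obligation/Advice element; an obligation handler returns True on success."""
    result = ET.fromstring(response_xml).find(tag("Result"))
    if result is None or result.findtext(tag("Decision")) != "Permit":
        return False                         # Deny, NotApplicable and Indeterminate all mean no access
    for ob in result.iterfind(f"{tag('Obligations')}/{tag('Obligation')}"):
        handler = obligation_handlers.get(ob.get("ObligationId"))
        if handler is None or not handler(ob):
            return False                     # unknown or unfulfilled obligation -> deny
    for adv in result.iterfind(f"{tag('AssociatedAdvice')}/{tag('Advice')}"):
        handler = (advice_handlers or {}).get(adv.get("AdviceId"))
        if handler is not None:
            handler(adv)                     # advice the PEP does not understand is safely ignored
    return True

# Constructed sample: Permit with one obligation and one piece of advice.
SAMPLE_RESPONSE = f"""<Response xmlns="{NS}"><Result><Decision>Permit</Decision>
<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
<Obligations><Obligation ObligationId="urn:example:obligation:audit-log"/></Obligations>
<AssociatedAdvice><Advice AdviceId="urn:example:advice:show-banner"/></AssociatedAdvice>
</Result></Response>""".encode()

if __name__ == "__main__":
    print(build_request({"subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "Alice"},
                         "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": "approve"}}).decode())
    print(enforce(SAMPLE_RESPONSE, {"urn:example:obligation:audit-log": lambda ob: True}))   # True
    print(enforce(SAMPLE_RESPONSE, {}))                                                      # False
```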
AuthN is not enough. AuthZ is needed.
RBAC is often not enough. ABAC is needed.
XACML is a prominent ABAC system.
XACML consists of:
Reference Architecture
Policy Language
Request / Response Protocol
Summary
Axiomatics is the world’s leading independent provider
of dynamic AuthZ solutions
Our products enable efficient XACML-based
authorization
APIs, SDKs for system integration
Java and .NET support
APS Developer Edition provides you with all the power
of our product in a ready-to-use package
http://axiomatics.com/aps-developer-edition.html
Summary (Axiomatics)
http://developers.axiomatics.com
http://www.technicalprivacytraining.org/
https://www.oasis-open.org/committees/xacml/
http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.pdf
http://www.webfarmr.eu/
http://analyzingidentity.com/
More Information
Questions?
Contact us at
info@axiomatics.com
