Policy-based access control
Willem De Groef, iMinds-DistriNet
Willem.DeGroef@kuleuven.be
A policy:
● Software artifact
● Declarative specification of access rules
● Independent of the enforcement mechanism
PBAC and what it can mean for your business

[Diagram with the labels: Business policy, Employees, Governance, Operational]
Explaining PBAC
General Access Control System

[Diagram: a User (also called Subject or Principal) requests an Action on a Protected resource; a Guard sits between the two and decides whether the action goes through]

Two design questions:
1. How and where to implement the guard
2. How to encode the access rules
Basic approach: rules in code

[...]
// the access rule is inlined in the business logic
if (! ("manager" in user.roles
       and doc.owner == user
       and 8h00 < now() < 17h00)) {
    [...]   // deny
}
[...]

+ straightforward
+ you can encode almost anything
- access rules are code
- no separation of concerns
- no modularity, which makes auditing hard
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
More advanced approach: modularization

@authz(user, "read", result)
public Document getDoc(docId) { [...] }

// one central check, called by every guard
public boolean authz(subject, action, resource) {
    if (! ("manager" in subject.roles and ...)) { [...] }
}

+ central definition of rules
+ easier to audit
- access rules are still code
- IT is still in charge
- no separation of concerns
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
Most advanced approach: policy-based

@authz(user, "read", result)
public Document getDoc(docId) { [...] }

[Diagram: the @authz guard calls a Policy Decision Point, which evaluates the Policy, kept as a separate artifact, and returns the decision]

+ central authorization logic
+ central definition of rules
+ easy to audit
+ access rules are independent artifacts
+ clear separation of concerns
+ rule updates at run-time
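To make the policy-based variant concrete, here is an added Python example (not code from the slides): a decorator plays the guard from the diagram, the rules are a data structure that a small decision point interprets, and the rule change that the "rules in code" approach would need an application update for is done by swapping the policy at run time. The rule format, the RulePDP and Guard classes, the User/Document types and the sample document are assumptions made for this example.

```python
"""Guard (PEP) that hands every decision to a replaceable PDP.
Added example, not code from the slides: the rule format, RulePDP, Guard and
the User/Document types are assumptions of this illustration; a real PDP
(XACML, OPA, ...) would sit behind the same decide() call."""
from collections import namedtuple
from datetime import datetime
from functools import wraps

User = namedtuple("User", "name roles")
Document = namedtuple("Document", "id owner")


class AccessDenied(Exception):
    pass


class RulePDP:
    """PDP whose policy is data: a rule applies when every entry of its 'when'
    dict matches the request; first applicable rule wins; no rule means Deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, request):
        for rule in self.rules:
            if all(self._match(request, request.get(k), v) for k, v in rule["when"].items()):
                return rule["effect"]
        return "Deny"                                             # fail closed

    @staticmethod
    def _match(request, actual, expected):
        if isinstance(expected, dict) and "ref" in expected:      # equals another attribute
            return actual is not None and actual == request.get(expected["ref"])
        if isinstance(expected, dict) and "range" in expected:    # lo <= actual < hi
            lo, hi = expected["range"]
            return actual is not None and lo <= actual < hi
        if isinstance(expected, list):                            # any of the listed values
            actual = actual if isinstance(actual, (set, list, tuple)) else [actual]
            return any(a in expected for a in actual)
        return actual == expected


class Guard:
    """PEP: builds the request, asks the PDP, fails closed on any PDP error."""

    def __init__(self, pdp, clock=datetime.now):
        self.pdp = pdp                  # replace to change the rules at run time
        self.clock = clock

    def authz(self, action):
        def decorator(func):
            @wraps(func)
            def wrapper(user, *args, **kwargs):
                result = func(user, *args, **kwargs)   # as on the slide: fetch, then guard the result
                request = {"subject.id": user.name, "subject.roles": user.roles, "action": action,
                           "resource.id": result.id, "resource.owner": result.owner,
                           "env.hour": self.clock().hour}
                try:
                    decision = self.pdp.decide(request)
                except Exception:                      # a broken PDP must never grant access
                    decision = "Deny"
                if decision != "Permit":
                    raise AccessDenied(f"{user.name} may not {action} {result.id}")
                return result
            return wrapper
        return decorator


# Policy v1: the rule from the "rules in code" slide, now as data.
POLICY_V1 = [{"effect": "Permit", "when": {
    "action": "read", "subject.roles": ["manager"],
    "resource.owner": {"ref": "subject.id"}, "env.hour": {"range": [8, 17]}}}]
# Policy v2: auditors may also read, at any hour. Loading it touches no application code.
POLICY_V2 = POLICY_V1 + [{"effect": "Permit", "when": {"action": "read", "subject.roles": ["auditor"]}}]
DOCS = {"doc123": Document("doc123", owner="alice")}       # constructed sample data


def fixed_clock(hour):
    """Constructed clock for demos and tests: it is always the given hour."""
    return lambda: datetime(2024, 1, 1, hour, 0)


guard = Guard(RulePDP(POLICY_V1), clock=fixed_clock(10))   # 10:00, inside the 8-17 window


@guard.authz("read")
def get_doc(user, doc_id):
    return DOCS[doc_id]


def can_read(user, doc_id):
    try:
        return get_doc(user, doc_id) is not None
    except AccessDenied:
        return False


if __name__ == "__main__":
    print(can_read(User("bob", {"auditor"}), "doc123"))    # False under policy v1
    guard.pdp = RulePDP(POLICY_V2)                         # rule update at run time
    print(can_read(User("bob", {"auditor"}), "doc123"))    # True
```

Two choices worth noticing. The guard denies when the PDP raises, because an authorization layer that fails open during an outage is worse than none. And it mirrors the slide's @authz(user, "read", result) by fetching the document first and deciding on the result; that is fine for a read, but for an operation with side effects the decision has to come before the call.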
Not all rainbows and unicorns
PBAC and what it can mean for your business

[Diagram repeated from above, with the labels: Business policy, Employees, Governance, Operational]
Independent declarative policy specification

<Policy PolicyId="dynamic-separation-of-duty"
        RuleCombiningAlgId="deny-overrides">
  <Description>Dynamic separation of duty</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="string-equal">
          <AttributeValue DataType="string">doc123</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="deny" Effect="Deny">
    <Description>Deny if the subject already viewed doc456</Description>
    <Condition>
      <Apply FunctionId="string-is-in">
        <AttributeValue DataType="string">doc456</AttributeValue>
        <SubjectAttributeDesignator AttributeId="subject:history" DataType="string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default-permit" Effect="Permit"/>
  <Obligations>
    <Obligation ObligationId="append-attribute" FulfillOn="Permit">
      <AttributeAssignment AttributeId="value" DataType="string">
        <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
      </AttributeAssignment>
      <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>

Read top to bottom: the policy applies only to doc123; the deny rule fires when doc456 is already in the subject's history, the default-permit rule covers every other case, and deny-overrides lets the Deny win. On a Permit the enforcement point is obliged to append the resource id to subject:history, which is what turns a static rule into a dynamic separation-of-duty check.
1. Easy-to-use policy languages

[Screenshot: XACML policy editor]

[Screenshot: IDE for the ALFA policy language]

Simple Tree-structured Attribute-based Policy Language (STAPL)
https://goo.gl/F2RE8g
val policy = Policy("e-health example") :=
when ((action.id === "view") &
(resource.type_ === "patient-data") &
("physician" in subject.roles))
apply PermitOverrides to (
Rule("requirement-for-permit") := permit
iff (resource.owner_id in subject.treated),
Rule("default deny") := deny
)
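Both policies above, the dynamic separation-of-duty policy written in XACML and the e-health policy written in STAPL, can be evaluated by the same small decision point. The Python below is an added example (not code from the slides, and not XACML or STAPL): policies are plain data with a target, rules, a combining algorithm and obligations, and a PEP fulfils the append-attribute obligation so that the next request sees the updated history. Attribute names (subject:history, resource:owner_id, ...), the request layout and the history store are assumptions made for the example; the separation-of-duty policy is instantiated for both documents so that viewing either one blocks the other.

```python
"""Minimal PDP: targets, rule-combining algorithms, obligations, and a PEP.
Added example, not code from the slides, XACML or STAPL. Policies are plain
data kept apart from the evaluator; attribute names, the request layout and
the history store are assumptions made for this illustration."""
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Expressions: ("literal", v) | ("attr", name) | ("apply", function, *args)
FUNCTIONS = {
    "string-equal": lambda a, b: a == b,
    "string-is-in": lambda v, bag: v in (bag or []),      # absent bag: not a member
}


def ev(expr, request):
    if expr[0] == "literal":
        return expr[1]
    if expr[0] == "attr":
        return request.get(expr[1])                        # absent attribute -> None
    if expr[0] == "apply":
        return FUNCTIONS[expr[1]](*(ev(e, request) for e in expr[2:]))
    raise ValueError(f"bad expression {expr!r}")


def deny_overrides(decisions):
    return DENY if DENY in decisions else PERMIT if PERMIT in decisions else NA


def permit_overrides(decisions):
    return PERMIT if PERMIT in decisions else DENY if DENY in decisions else NA


COMBINING = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}


def evaluate(policy, request):
    """One policy -> (decision, obligations that apply to that decision)."""
    if not all(ev(t, request) for t in policy["target"]):
        return NA, []
    effects = [r["effect"] for r in policy["rules"]
               if "condition" not in r or ev(r["condition"], request)]
    decision = COMBINING[policy["combining"]](effects)
    return decision, [o for o in policy.get("obligations", []) if o["fulfill_on"] == decision]


def sod_policy(this_doc, other_doc):
    """The XACML slide's dynamic separation of duty, for one document."""
    return {
        "id": f"dynamic-separation-of-duty-{this_doc}", "combining": "deny-overrides",
        "target": [("apply", "string-equal", ("attr", "resource:id"), ("literal", this_doc))],
        "rules": [
            {"id": "deny", "effect": DENY, "condition":
             ("apply", "string-is-in", ("literal", other_doc), ("attr", "subject:history"))},
            {"id": "default-permit", "effect": PERMIT},
        ],
        "obligations": [{"id": "append-attribute", "fulfill_on": PERMIT,
                         "attribute-id": "subject:history", "value": ("attr", "resource:id")}],
    }


EHEALTH = {   # the STAPL slide: physicians may view the data of patients they treat
    "id": "e-health example", "combining": "permit-overrides",
    "target": [
        ("apply", "string-equal", ("attr", "action:id"), ("literal", "view")),
        ("apply", "string-equal", ("attr", "resource:type"), ("literal", "patient-data")),
        ("apply", "string-is-in", ("literal", "physician"), ("attr", "subject:roles")),
    ],
    "rules": [
        {"id": "requirement-for-permit", "effect": PERMIT, "condition":
         ("apply", "string-is-in", ("attr", "resource:owner_id"), ("attr", "subject:treated"))},
        {"id": "default deny", "effect": DENY},
    ],
}


class PEP:
    """Enforcement point: asks the PDP, fulfils obligations, fails closed."""

    def __init__(self, policies):
        self.policies = policies
        self.history = {}           # subject id -> resources viewed (constructed state)

    def request(self, subject, action, resource):
        req = {**{f"subject:{k}": v for k, v in subject.items()},
               "subject:history": list(self.history.get(subject["id"], [])),
               "action:id": action,
               **{f"resource:{k}": v for k, v in resource.items()}}
        results = [evaluate(p, req) for p in self.policies]
        if deny_overrides([d for d, _ in results]) != PERMIT:
            return DENY             # NotApplicable is enforced as Deny
        for _, obligations in results:
            for ob in obligations:
                if ob["id"] != "append-attribute" or ob["attribute-id"] != "subject:history":
                    return DENY     # an obligation this PEP cannot fulfil means no access
                self.history.setdefault(subject["id"], []).append(ev(ob["value"], req))
        return PERMIT


if __name__ == "__main__":
    pep = PEP([sod_policy("doc123", "doc456"), sod_policy("doc456", "doc123"), EHEALTH])
    print(pep.request({"id": "alice", "roles": ["clerk"]}, "view", {"id": "doc123"}))
```

Note what the PEP does with NotApplicable: no policy matched, and the request is refused, since a decision point that answers "no opinion" must not be read as Permit. It also refuses when it cannot fulfil an obligation, which is what obligation semantics require.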
2. Correctness & completeness support

Current tools offer only syntactic correctness checks: nothing tells you whether a policy is complete (every request gets a decision) or whether two of its rules conflict.
Decoupling from application logic is hard

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBuckets",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

The action this IAM policy names, s3:ListBuckets, does not exist; the S3 action is s3:ListBucket. The policy is syntactically valid, so an editor accepts it, but the decision point never matches the application's real action and the intended access is silently not granted. The policy author has to know the exact action vocabulary of the application being protected, which is precisely the coupling a declarative policy was meant to remove; the same slip in a Deny statement fails the other way and denies nothing.
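The check a practitioner wants here is one that a syntax validator does not do: confirm that every action a policy names exists. The Python below is an added example (not from the slides or from AWS) that runs the slide's policy through such a check. The set of known S3 actions is a constructed subset assumed for the example; a real check would load the service's full action list.

```python
"""Flag action names in an IAM policy that match no known action.
Added example, not code from the slides or from AWS. KNOWN_ACTIONS is a
constructed subset of S3 action names, assumed for this illustration."""
import fnmatch
import json

KNOWN_ACTIONS = {                      # constructed subset (assumption)
    "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetBucketPolicy",
}

SLIDE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBuckets",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
"""


def as_list(value):
    """IAM allows a single value or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unknown_actions(policy_json, known=KNOWN_ACTIONS):
    """Return [(effect, pattern)] for action patterns that match no known action.

    Wildcards ('s3:*', 's3:List*') count as known when they match at least
    one action; matching is case-insensitive like IAM's. The Effect is
    reported too, because a mistyped action in a Deny statement is the
    dangerous case: it restricts nothing.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in as_list(policy.get("Statement")):
        for key in ("Action", "NotAction"):
            for pattern in as_list(stmt.get(key)):
                if not any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in known):
                    findings.append((stmt.get("Effect"), pattern))
    return findings


if __name__ == "__main__":
    for effect, action in unknown_actions(SLIDE_POLICY):
        print(f"{effect} statement names unknown action {action!r}")
```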
Open research challenges
● Improve performance & scalability of the PDP
● Interoperability across multiple applications
● Access rules for the database layer
● Conflict resolution in policies
● Management of policies
● Supporting organizational processes
Conclusions
Policy-based access control
● Enables exciting new opportunities
  ○ Makes decent access management processes possible
  ○ Keeps the access control system in sync with your business
● Technology-wise there are still some hurdles
● Be future-proof by modularizing authorization!
Any further questions?
Contact us at Willem.DeGroef@kuleuven.be
Interested in our events? Subscribe here: http://bit.ly/DistrinetAccessControl
