eXtensible Access Control Markup Language
Rémon Sinnema
  – Consultant Software Engineer at EMC
  – Voting member of the XACML Technical Committee
  – sinnema313




© Copyright 2011 EMC Corporation. All rights reserved.                                                 1
Agenda
• Access Control
  – Various models
  – How XACML fits in
• XACML
  – Architecture
  – Request/Response Protocol
  – Policy Language
  – Optional Profiles
  – What’s new in 3.0
  – Implementations


Access Control




Access Control
• Access control is the basis of Information Security:
  – Confidentiality: prevent disclosure to unauthorized agents
  – Integrity: prevent modification by unauthorized agents
  – Availability: keep unauthorized agents off the system
• An access request occurs when
  – a given subject tries to access
  – a given resource to perform
  – a given action in
  – a given environment


Access Control List (ACL)
• (subject, resource, action, ?)
  – Subject is user or group
  – No environment
  – Hard to maintain when many users share privileges
• Widely available, e.g. in operating systems




Role-Based Access Control (RBAC)
• (role, resource, action, ?)
  – Generalizes users into roles
  – Users can have many roles
  – Roles can be hierarchical
    • A manager is an employee
  – No environment
  – Not granular enough/role explosion
• Commonly available, e.g. in databases




Attribute-Based Access Control (ABAC)
• (subject, resource, action, environment)
  – Generalizes everything into attributes
  – Adds environment attributes
  – Subject can be user, group, role, application, …
  – Subject can be described by more than one attribute
• Matches the definition of identity:
  – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else”
    (Identity Management – A Primer, p. 9)
• State of the art


Policy-Based Access Control (PBAC)
• (subject, resource, action, environment)
  – Harmonizes attributes across the (extended) organization
• Coming soon…




Risk-Adaptive Access Control (RAdAC)
• (subject, resource, action, environment)
  – Dynamic risk levels as environment attributes
  – Threat level etc. from outside sources as well
• Not anytime soon




Evolution of Access Control Models
Trends:
• Finer granularity
• More policy-based over ad-hoc




XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC

One technology for all your evolving access control needs!




eXtensible Access Control Markup Language




Architecture




Request
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>




Response
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>
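An added Python example (not code from the slides or from any XACML implementation) that parses the request shown above with the standard library, serialises a response in the same form, and shows how a PDP reports a request it cannot evaluate: the `READERS` allow list and the decision logic are constructed for illustration; the namespace and status code URNs are the ones XACML 2.0 defines.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# XACML 2.0 request/response context namespace and the spec's status codes.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"c": CTX}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample: the slide's request without the schemaLocation hint.
SAMPLE_REQUEST = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>"""

# {category: {AttributeId: (DataType, value)}}
AttrMap = Dict[str, Dict[str, Tuple[str, str]]]


def parse_request(xml_text: str) -> AttrMap:
    """Collect every <Attribute> under the four XACML 2.0 categories."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{CTX}}}Request":
        raise ValueError("not a XACML 2.0 Request element")
    attrs: AttrMap = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        attrs[category] = {}
        for attr in root.findall(f"c:{category}/c:Attribute", NS):
            value = attr.find("c:AttributeValue", NS)
            text = (value.text or "").strip() if value is not None else ""
            attrs[category][attr.get("AttributeId")] = (attr.get("DataType"), text)
    return attrs


def build_response(decision: str, status: str = STATUS_OK) -> str:
    """Serialise a single-Result <Response> like the one on the slide."""
    ET.register_namespace("", CTX)
    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result")
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    status_el = ET.SubElement(result, f"{{{CTX}}}Status")
    ET.SubElement(status_el, f"{{{CTX}}}StatusCode", Value=status)
    return ET.tostring(resp, encoding="unicode")


# Hypothetical allow list standing in for a real policy store.
READERS = {"Julius Hibbert"}


def decide(xml_text: str) -> Tuple[str, str]:
    """Toy PDP: (decision, status code) for one request.

    A request without a subject-id cannot be evaluated, so it is reported as
    Indeterminate with the missing-attribute status rather than as a plain
    Deny: the PEP must be able to tell an error from a policy decision."""
    attrs = parse_request(xml_text)
    subject = attrs["Subject"].get(SUBJECT_ID)
    action = attrs["Action"].get(ACTION_ID)
    if subject is None:
        return "Indeterminate", STATUS_MISSING
    if subject[1] in READERS and action is not None and action[1] == "read":
        return "Permit", STATUS_OK
    return "Deny", STATUS_OK


if __name__ == "__main__":
    print(build_response(*decide(SAMPLE_REQUEST)))
```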




Policy Language (1)
• Hierarchical structure: PolicySet → Policy → Rule




Policy Language (2)
• Target: filters applicable requests
  – In PolicySet, Policy, and Rule
  – Using attribute matching

• Condition: refines further
  – Powerful expression language
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
    <SubjectAttributeDesignator
        SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
        MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Apply>
</Condition>




Attribute Matching
<Rule RuleId="…" Effect="Permit">
  <Description>…</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>…</Resources>
    <Actions>…</Actions>
    <Environments>…</Environments>
  </Target>
  <Condition>…</Condition>
</Rule>
Slide callouts: Effect (the Effect attribute of the Rule), Function (the MatchId of the SubjectMatch), Attribute Value (the AttributeValue element), Attribute ID and Data Type (the AttributeId and DataType attributes of the SubjectAttributeDesignator).




Conflict Resolution
• Multiple rules can be applicable
• Conflicts are resolved by Combining Algorithms
  – Policy has Rule Combining Algorithm
  – PolicySet has Policy Combining Algorithm

• Standard Combining Algorithms:
  – permit-overrides
  – deny-overrides
  – first-applicable
  – only-one-applicable
  – ordered-permit-overrides
  – ordered-deny-overrides
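The attribute matching from the previous slide and the combining algorithms listed here, as an added Python example (not code from the slides or from any XACML implementation): rule evaluation is reduced to one string-equal SubjectMatch plus an optional MustBePresent attribute, and the XACML 2.0 deny-overrides, permit-overrides and first-applicable rule-combining algorithms are implemented as the specification describes them. The Robin Hood rule is the slide's; the rule ids and the `urn:example:clearance` attribute are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# The four values an XACML <Decision> can carry.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


@dataclass
class Rule:
    """A <Rule> reduced to what the slides show: its Effect, one string-equal
    SubjectMatch in the Target, and an optional MustBePresent designator."""
    rule_id: str
    effect: str                           # Effect="Permit" or Effect="Deny"
    subject_equals: Optional[str] = None  # <SubjectMatch MatchId=...string-equal>
    required_attr: Optional[str] = None   # Condition designator, MustBePresent="true"


@dataclass
class RuleResult:
    effect: str    # the rule's declared Effect; the combining algorithms need it
    decision: str  # what evaluating the rule produced


def evaluate_rule(rule: Rule, request: Dict[str, str]) -> RuleResult:
    """Target first: a non-matching subject makes the rule NotApplicable. Then the
    Condition: an absent MustBePresent attribute makes it Indeterminate, because
    the PDP cannot know what the rule would have said."""
    if rule.subject_equals is not None and request.get(SUBJECT_ID) != rule.subject_equals:
        return RuleResult(rule.effect, NOT_APPLICABLE)
    if rule.required_attr is not None and rule.required_attr not in request:
        return RuleResult(rule.effect, INDETERMINATE)
    return RuleResult(rule.effect, rule.effect)


def deny_overrides(results: List[RuleResult]) -> str:
    """XACML 2.0 deny-overrides: any Deny wins, and a Deny rule that failed to
    evaluate counts as a Deny (fail closed)."""
    potential_deny = any_permit = any_error = False
    for r in results:
        if r.decision == DENY:
            return DENY
        if r.decision == PERMIT:
            any_permit = True
        elif r.decision == INDETERMINATE:
            any_error = True
            potential_deny |= r.effect == DENY
    if potential_deny:
        return DENY
    if any_permit:
        return PERMIT
    return INDETERMINATE if any_error else NOT_APPLICABLE


def permit_overrides(results: List[RuleResult]) -> str:
    """Mirror image, except that a Permit rule that failed to evaluate yields
    Indeterminate, never Permit: an evaluation error must not widen access."""
    potential_permit = any_deny = any_error = False
    for r in results:
        if r.decision == PERMIT:
            return PERMIT
        if r.decision == DENY:
            any_deny = True
        elif r.decision == INDETERMINATE:
            any_error = True
            potential_permit |= r.effect == PERMIT
    if potential_permit:
        return INDETERMINATE
    if any_deny:
        return DENY
    return INDETERMINATE if any_error else NOT_APPLICABLE


def first_applicable(results: List[RuleResult]) -> str:
    """Rules are tried in document order; the first result that is not
    NotApplicable decides, Indeterminate included."""
    for r in results:
        if r.decision != NOT_APPLICABLE:
            return r.decision
    return NOT_APPLICABLE


def decide(rules: List[Rule], request: Dict[str, str],
           algorithm: Callable[[List[RuleResult]], str]) -> str:
    return algorithm([evaluate_rule(r, request) for r in rules])


# Constructed policy: the slide's "Robin Hood" permit rule plus a deny rule that
# needs a hypothetical clearance attribute flagged MustBePresent.
RULES = [
    Rule("permit-robin-hood", PERMIT, subject_equals="Robin Hood"),
    Rule("deny-without-clearance", DENY, required_attr="urn:example:clearance"),
]

if __name__ == "__main__":
    request = {SUBJECT_ID: "Robin Hood"}  # clearance attribute deliberately absent
    for alg in (deny_overrides, permit_overrides, first_applicable):
        print(f"{alg.__name__:17} -> {decide(RULES, request, alg)}")
```

With the clearance attribute missing, deny-overrides turns the Deny rule's Indeterminate into Deny while permit-overrides and first-applicable return Permit; the same rule set produces Indeterminate under permit-overrides once no Permit rule applies.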



Obligations
• Action that the PEP must perform
  – Email manager, log access, …
• Optional part of the specification




X stands for eXtensible
• Custom attribute IDs
• Custom functions
• Custom data types
• Custom combining algorithms




Optional Profiles
• RBAC
• Multiple Resource
• Hierarchical Resource
• Privacy
• SAML
• XML Digital Signature




What’s new in 3.0
• Subject/Resource/Action/Environment generalized into attribute categories
• Advice (like obligation but optional)
• Obligations & advice can be dynamic
• More functions and combining algorithms (better handling of Indeterminate in combining algorithms, new combining algorithms)
• XPath improvements (XPath data type)
• Updated profiles
  – Multi: decision schemes
  – SAML: pass policies with request
• New profiles
  – Administration & Delegation (policies about who can change policies)
  – Export
  – Intellectual Property (in progress)




Implementations
• Commercial
• Embedded
• Open Source
  – SunXacml




Q&A
sinnema313




THANK YOU




 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

XACML - XML Amsterdam2011

  • 1. eXtensible Access Control Markup Language
    Rémon Sinnema
    – Consultant Software Engineer at EMC
    – Voting member of the XACML Technical Committee
    – sinnema313
    © Copyright 2011 EMC Corporation. All rights reserved.
  • 2. Agenda
    • Access Control
      – Various models
      – How XACML fits in
    • XACML
      – Architecture
      – Request/Response Protocol
      – Policy Language
      – Optional Profiles
      – What’s new in 3.0
      – Implementations
  • 3. Access Control
  • 4. Access Control
    • Access control is the basis of Information Security:
      – Confidentiality: prevent disclosure to unauthorized agents
      – Integrity: prevent modification by unauthorized agents
      – Availability: keep unauthorized agents off the system
    • An access request occurs when
      – a given subject tries to access
      – a given resource to perform
      – a given action in
      – a given environment
  • 5. Access Control List (ACL)
    • (subject, resource, action, ?)
      – Subject is user or group
      – No environment
      – Hard to maintain when many users share privileges
    • Widely available, e.g. in operating systems
  • 6. Role-Based Access Control (RBAC)
    • (role, resource, action, ?)
      – Generalizes users into roles
      – Users can have many roles
      – Roles can be hierarchical
        • A manager is an employee
      – No environment
      – Not granular enough/role explosion
    • Commonly available, e.g. in databases
  • 7. Attribute-Based Access Control (ABAC)
    • (subject, resource, action, environment)
      – Generalizes everything into attributes
      – Adds environment attributes
      – Subject can be user, group, role, application, …
      – Subject can be described by more than one attribute
    • Matches the definition of identity:
      – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” (Identity Management – A Primer, p. 9)
    • State of the art
  • 8. Policy-Based Access Control (PBAC)
    • (subject, resource, action, environment)
      – Harmonizes attributes across the (extended) organization
    • Coming soon…
  • 9. Risk-Adaptive Access Control (RAdAC)
    • (subject, resource, action, environment)
      – Dynamic risk levels as environment attributes
      – Threat level etc. from outside sources as well
    • Not anytime soon
  • 10. Evolution of Access Control Models
    Trends:
    • Finer granularity
    • More policy-based over ad-hoc
  • 11. XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC
    One technology for all your evolving access control needs!
  • 12. eXtensible Access Control Markup Language
  • 13. Architecture
  • 14. Request
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>Julius Hibbert</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment />
    </Request>
  • 15. Response
    <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
        </Status>
      </Result>
    </Response>
  • 16. Policy Language (1)
    • Hierarchical structure: PolicySet → Policy → Rule
  • 17. Policy Language (2)
    • Target filters applicable requests
      – In PolicySet, Policy, and Rule
      – Using attribute matching
    • Condition refines further
      – Powerful expression language
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          riddle me this
        </AttributeValue>
        <SubjectAttributeDesignator
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
            MustBePresent="true"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
      </Apply>
    </Condition>
  • 18. Attribute Matching
    (The slide's callouts label the Effect, the matching Function, the Attribute Value, the Attribute ID and the Data Type in the XML below.)
    <Rule RuleId="…" Effect="Permit">
      <Description>…</Description>
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                Robin Hood
              </AttributeValue>
              <SubjectAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>…</Resources>
        <Actions>…</Actions>
        <Environments>…</Environments>
      </Target>
      <Condition>…</Condition>
    </Rule>
  • 19. Conflict Resolution
    • Multiple rules can be applicable
    • Conflicts are resolved by Combining Algorithms
      – Policy has Rule Combining Algorithm
      – PolicySet has Policy Combining Algorithm
    • Standard Combining Algorithms:
      – permit-overrides
      – deny-overrides
      – first-applicable
      – only-one-applicable
      – ordered-permit-overrides
      – ordered-deny-overrides
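The Request of slide 14, the Policy and Rule structure of slides 16 to 18 and the combining algorithms of slide 19 come together in the small policy decision point below. It is an added example, not code from the talk, from the XACML specification or from any XACML implementation: it parses the slide-14 Request with the Python standard library, evaluates a constructed policy for the medico.com patient record against it, and implements the XACML 2.0 semantics of deny-overrides, permit-overrides and first-applicable, including how an Indeterminate rule (here: a Condition whose designator has MustBePresent="true" on an attribute the request lacks) propagates into the final decision. The policy is Python data rather than XACML XML so the evaluation logic stays in view, and the subject role and environment emergency attribute IDs (urn:example:…) are made up for the example, as marked in the code.

```python
# Tiny XACML-2.0-style policy decision point (PDP): an added example, not code from the
# talk or from any XACML implementation. REQUEST_XML is the Request of slide 14.
import xml.etree.ElementTree as ET
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID, EMERGENCY_ID = "urn:example:subject:role", "urn:example:environment:emergency"  # hypothetical
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

REQUEST_XML = f"""<Request xmlns="{CTX}">
  <Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}string">
    <AttributeValue>Julius Hibbert</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="{RESOURCE_ID}" DataType="{XS}anyURI">
    <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="{XS}string">
    <AttributeValue>read</AttributeValue></Attribute></Action>
  <Environment />
</Request>"""

def parse_request(xml_text):
    """Flatten a context Request into {category: {attribute-id: [values]}}."""
    root, ctx = ET.fromstring(xml_text), {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bags = ctx.setdefault(category, {})
        for attr in root.iterfind(f"{{{CTX}}}{category}/{{{CTX}}}Attribute"):
            values = [(v.text or "").strip() for v in attr.iterfind(f"{{{CTX}}}AttributeValue")]
            bags.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx

def attribute_bag(ctx, category, attribute_id, must_be_present=False):
    """AttributeDesignator: the bag of values; MustBePresent="true" makes absence an error."""
    bag = ctx[category].get(attribute_id, [])
    if must_be_present and not bag:
        raise LookupError(f"missing attribute {attribute_id}")
    return bag

def target_matches(ctx, target):
    """Target = (category, attribute-id, value) matches that must all hold (string-equal)."""
    return all(value in attribute_bag(ctx, cat, aid) for cat, aid, value in target)

def evaluate_rule(ctx, rule):
    """Effect if Target and Condition hold, NotApplicable if not, Indeterminate on error."""
    try:
        if not target_matches(ctx, rule["target"]):
            return NOT_APPLICABLE
        condition = rule.get("condition")
        return NOT_APPLICABLE if condition and not condition(ctx) else rule["effect"]
    except LookupError:
        return INDETERMINATE

def _overrides(ctx, rules, winner):
    """XACML 2.0 deny-/permit-overrides: an Indeterminate rule with the winning Effect taints the result."""
    loser = PERMIT if winner == DENY else DENY
    error = potential_winner = saw_loser = False
    for rule in rules:
        decision = evaluate_rule(ctx, rule)
        if decision == winner:
            return winner
        saw_loser |= decision == loser
        error |= decision == INDETERMINATE
        potential_winner |= decision == INDETERMINATE and rule["effect"] == winner
    if potential_winner:
        return INDETERMINATE
    return loser if saw_loser else INDETERMINATE if error else NOT_APPLICABLE

def first_applicable(ctx, rules):
    """The first rule that is not NotApplicable decides, Indeterminate included."""
    decisions = (evaluate_rule(ctx, rule) for rule in rules)
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)

COMBINING_ALGORITHMS = {
    "deny-overrides": lambda ctx, rules: _overrides(ctx, rules, DENY),
    "permit-overrides": lambda ctx, rules: _overrides(ctx, rules, PERMIT),
    "first-applicable": first_applicable,
}

def evaluate_policy(ctx, policy, algorithm=None):
    """Policy = Target + rule-combining algorithm + Rules (slides 16 and 19)."""
    if not target_matches(ctx, policy["target"]):
        return NOT_APPLICABLE
    return COMBINING_ALGORITHMS[algorithm or policy["rule_combining"]](ctx, policy["rules"])

# Constructed policy for the medico.com patient record of slide 14.
MEDICO_POLICY = {
    "target": [("Resource", RESOURCE_ID, "http://medico.com/record/patient/BartSimpson")],
    "rule_combining": "deny-overrides",
    "rules": [
        {"effect": PERMIT, "target": [("Subject", SUBJECT_ID, "Julius Hibbert"), ("Action", ACTION_ID, "read")]},
        {"effect": DENY, "target": [("Action", ACTION_ID, "write")]},
        # Absent role attribute: empty bag, condition False, rule NotApplicable.
        {"effect": DENY, "target": [("Action", ACTION_ID, "read")],
         "condition": lambda ctx: "patient" in attribute_bag(ctx, "Subject", ROLE_ID)},
        # MustBePresent="true": an absent attribute makes this rule Indeterminate.
        {"effect": PERMIT, "target": [("Action", ACTION_ID, "read")],
         "condition": lambda ctx: "true" in attribute_bag(ctx, "Environment", EMERGENCY_ID, True)},
    ],
}
```

`evaluate_policy(parse_request(REQUEST_XML), MEDICO_POLICY)` yields Permit under all three algorithms, which is the Decision in the Response of slide 15. Replacing the subject with a patient gives Deny under deny-overrides but Indeterminate under permit-overrides, because the emergency rule is an Indeterminate Permit and XACML 2.0 lets that outrank a definite Deny; a subject no rule permits gets Indeterminate rather than NotApplicable for the same reason. This is the behaviour slide 23 refers to when it lists better handling of Indeterminate among the 3.0 changes, and it is why a PEP should be deny-biased and treat every decision other than Permit as a refusal.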
  • 20. Obligations
    • Action that PEP must perform
      – Email manager, log access, …
    • Optional part of the specification
  • 21. X stands for eXtensible
    • Custom attribute IDs
    • Custom functions
    • Custom data types
    • Custom combining algorithms
  • 22. Optional Profiles
    • RBAC
    • Multiple Resource
    • Hierarchical Resource
    • Privacy
    • SAML
    • XML Digital Signature
  • 23. What’s new in 3.0
    • Subject/Resource/Action/Environment generalized into attribute categories
    • Advice (like obligation but optional)
    • Obligations & advice can be dynamic
    • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs)
    • XPath improvements (XPath data type)
    • Updated profiles
      – Multi: decision schemes
      – SAML: pass policies with request
    • New profiles
      – Administration & Delegation (policies about who can change policies)
      – Export
      – Intellectual Property (in progress)
  • 24. Implementations
    (Logo slide: commercial, embedded and open source implementations, e.g. SunXACML.)
  • 25. Q&A
    sinnema313
  • 26. THANK YOU

Editor's Notes

  1. Access Control List focuses on Resource.
     Role-Based Access Control generalizes Subject.
     Attribute-Based Access Control generalizes all attributes.
     Policy-Based Access Control standardizes attributes.
     Risk-Adaptive Access Control