Tutorial on XACML
Audumbar

Posted on 24-Feb-2016

Access control and privacy
Who can access what, under what conditions, and for what purpose?

XACML - About
- The eXtensible Access Control Markup Language is an OASIS Standard.
- The XACML standard provides:
  - a Policy Language
  - a Request and Response Language
  - standard data-types, functions and combining algorithms
  - extensibility (Privacy profile, RBAC profile)
  - an architecture defining the major components in an implementation

General terms
- Resource: data, a system component or a service
- Subject: an actor who makes a request to access certain Resources
- Action: an operation on a resource
- Environment: the set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action
- Attributes: characteristics of a subject, resource, action or environment
- Target: defines the conditions that determine whether a policy applies to a request

Usage Scenario

Policy Enforcement Point (PEP)
- The entity protecting the resource (e.g. a file system).
- Performs access control by making decision requests and enforcing authorization decisions.

Policy Administration Point (PAP)
- Creates security policies and stores these policies in the repository.

Context Handler
- A Context is the canonical representation of a decision request and an authorization decision.
- A Context Handler can be defined to convert requests from their native format to the XACML canonical form, and to convert authorization decisions from the XACML canonical form back to the native format.

Policy Decision Point (PDP)
- Receives and examines the request
- Retrieves the applicable policies
- Evaluates the applicable policy
- Returns the authorization decision to the PEP

Policy Information Point (PIP)
- Serves as the source of attribute values, i.e. the data required for policy evaluation.

How does it work: Data Flow

XACML Policy Structure

Policy Language model

XACML Policy Example

XACML Policy Example (contd)
Values that appear in the example policy: resource http://server.example.com/code/docs/developer-guide.html, action read, subject group developers.

XACML Request Structure
Request
- Subject (Attributes)
- Action (Attributes)
- Environment (Attributes)
- Resource (Attributes)

Request Example
- Subject: [email protected] (group: developers)
- Resource: http://server.example.com/code/docs/developer-guide.html
- Action: read

XACML Response Structure
Response
- Decision
- Obligations
- Status

XACML Response Example
- Decision: Permit

Effect: Permit / Deny / NotApplicable / Indeterminate

Combining Algorithms
- Deny-overrides: if any evaluation returns Deny, then the result must be Deny. If all rules evaluate to Permit, then the result is Permit.
- Permit-overrides: if any rule evaluates to Permit, then the result is Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the result is Deny. If all rules are found to be NotApplicable, then the result is NotApplicable.
- First-applicable: rules are evaluated in their listing order. For each rule, if the target matches and the condition evaluates to True, then the result of that rule is the result of evaluating the policy (either Permit, Deny, or Indeterminate). Otherwise, the algorithm goes on to the next rule. If no rule applies, then the result is NotApplicable.
- Only-one-applicable: for all of the policies in the policy set, if no policy applies, then the result is NotApplicable. If more than one policy applies, then the result is Indeterminate. If only one policy applies, then the result is the result of evaluating that policy.
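The rule-evaluation step and the four combining algorithms above, as an added example that is not code from the tutorial or from any XACML implementation. The Permit rule is modelled on the slides' developer-guide policy and the Deny rule on the Privacy profile's matching-purpose rule; the handling of Indeterminate in deny- and permit-overrides, the request dictionaries and the subject id are assumptions of this example.

```python
"""XACML rule evaluation plus the four combining algorithms described above.
Constructed example, not code from the tutorial or any XACML library."""
import re
PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
GUIDE = "http://server.example.com/code/docs/developer-guide.html"

def evaluate_rule(rule, req):
    """Target must match for a rule to apply; the condition then selects the
    rule's Effect or NotApplicable; a condition that errors is Indeterminate."""
    if not rule["target"](req):
        return NA
    try:
        return rule["effect"] if rule["condition"](req) else NA
    except Exception:
        return INDET

def deny_overrides(results):
    if DENY in results:
        return DENY
    return INDET if INDET in results else (PERMIT if PERMIT in results else NA)

def permit_overrides(results):
    if PERMIT in results:
        return PERMIT
    return INDET if INDET in results else (DENY if DENY in results else NA)

def first_applicable(results):
    return next((r for r in results if r != NA), NA)

def only_one_applicable(results):
    applicable = [r for r in results if r != NA]
    return NA if not applicable else applicable[0] if len(applicable) == 1 else INDET

# Rules modelled on the slides: developers may read the guide, and (Privacy
# profile) access is denied unless the requested purpose regex-matches the
# collected purpose (collected purpose used as the pattern: an assumption).
RULES = [
    {"target": lambda q: q["resource"] == GUIDE and q["action"] == "read",
     "condition": lambda q: "developers" in q["groups"], "effect": PERMIT},
    {"target": lambda q: "action:purpose" in q, "effect": DENY,
     "condition": lambda q: not re.fullmatch(q["resource:purpose"], q["action:purpose"])},
]
def decide(req, combiner=deny_overrides):
    """PDP step: evaluate every rule, then combine the individual results."""
    return combiner([evaluate_rule(r, req) for r in RULES])

# Constructed requests; the subject id is a placeholder, not the slides' value.
DEV_READ = {"subject": "dev@example.com", "groups": ["developers"], "resource": GUIDE,
            "action": "read", "resource:purpose": "research.*", "action:purpose": "research"}
WRONG_PURPOSE = dict(DEV_READ, **{"action:purpose": "marketing"})
```

Running decide(WRONG_PURPOSE, c) with each combiner shows how one rule set yields Deny, Permit, Permit and Indeterminate depending only on the combining algorithm.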

Extensibility

Extensible XML attribute types
- The following XML attributes, whose values are URIs, may be extended by the creation of new URIs associated with new semantics for these attributes: AttributeId, DataType, FunctionId, MatchId, ObligationId, PolicyCombiningAlgId, RuleCombiningAlgId, StatusCode, SubjectCategory.
- For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types.
- A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.

Privacy profile
This profile defines two attributes:
- urn:oasis:names:tc:xacml:2.0:resource:purpose: the purpose for which the data resource was collected
- urn:oasis:names:tc:xacml:2.0:action:purpose: the purpose for which access to the data resource is requested
Matching purpose rule (Deny-Overrides): access SHALL be denied unless the purpose for which access is requested matches, by regular-expression match, the purpose for which the data resource was collected.

RBAC profile

Scope
- If a subject has roles R1, R2, ... Rn enabled, can subject X access a given resource using a given action?
- Is subject X allowed to have role Ri enabled?
- If a subject has roles R1, R2, ... Rn enabled, does that mean the subject will have the permissions associated with a given role R'? That is, is role R' either equal to or junior to any of roles R1, R2, ... Rn?

RBAC Profile Policies
- Role PolicySet: each Role references a single corresponding Permission PolicySet.
- Permission PolicySet: the actual permissions associated with a given role, plus references to the Permission PolicySets associated with other roles that are junior to the given role.
- Role Assignment Policy or PolicySet: which roles can be enabled or assigned to which subjects.
- HasPrivilegesOfRole Policy: a Policy in a Permission PolicySet that supports requests asking whether a subject has the privileges associated with a given role.
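The three RBAC-profile questions above, answered over a small role hierarchy, as an added example that is not code from the tutorial or from any XACML implementation. The role names, grants, subjects and the dictionary layout standing in for Permission PolicySets and the Role Assignment policy are all constructed for this example.

```python
"""The three RBAC profile questions from the slides, answered over a small role
hierarchy. Constructed example, not code from the tutorial or any XACML library."""

# Each role's Permission PolicySet: its own (resource, action) grants plus references
# to the Permission PolicySets of junior roles. Role names and grants are constructed.
PERMISSIONS = {
    "employee": {"grants": {("developer-guide", "read")}, "juniors": set()},
    "developer": {"grants": {("source", "commit")}, "juniors": {"employee"}},
    "lead": {"grants": {("release", "approve")}, "juniors": {"developer"}},
}
# Role Assignment policy: which roles each subject may enable (constructed).
ASSIGNABLE = {"alice": {"lead", "developer", "employee"}, "bob": {"employee"}}

def roles_reachable(enabled):
    """Follow Permission references transitively: every role equal to or junior
    to one of the enabled roles."""
    seen, stack = set(), list(enabled)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(PERMISSIONS[role]["juniors"])
    return seen

def may_enable(subject, role):
    """Is subject X allowed to have role Ri enabled? (Role Assignment policy)"""
    return role in ASSIGNABLE.get(subject, set())

def has_privileges_of_role(enabled, role):
    """HasPrivilegesOfRole: is role R' equal to or junior to any enabled role?"""
    return role in roles_reachable(enabled)

def can_access(enabled, resource, action):
    """With roles R1..Rn enabled, may the subject perform action on resource?"""
    return any((resource, action) in PERMISSIONS[r]["grants"]
               for r in roles_reachable(enabled))
```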

XACML implementations

Using the Sun XACML implementation
- Building a PDP
- Building a PEP
- Creating and encoding policies
- Validating policies and requests
- Supporting attribute selectors

XACMLight
- Apache Axis2 Web Service XACML 2.0 PDP/PAP implementation

XACML Policy editors

Limitations
- XACML is verbose and complex in some ways.
- Interactions involving the PAP, PIP, etc., are not standardized.
- Policy administration, policy versioning, etc., are not standardized.

References
- OASIS XACML Technical Committee Home Page: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
- Sun's XACML Open Source Implementation: http://sunxacml.sourceforge.net/