XACML Briefing for PMRM TC
Hal Lockhart, July 8, 2014

TRANSCRIPT

Page 1: XACML Briefing for PMRM TC

Hal Lockhart, July 8, 2014

Page 2

What is XACML?

- XML language for access control
- Coarse- or fine-grained
- Extremely powerful evaluation logic
- Ability to use any available information
- Superset of Permissions, ACLs, RBAC, etc.
- Scales from PDA to Internet
- Federated policy administration
- OASIS and ITU-T Standard

Page 3

The OASIS XACML Standard specifies:

- An Architecture (aka Attribute-based Access Control, ABAC)
- A Policy Language (format and evaluation semantics)
- Request Formats: XML/SOAP, JSON/REST, programmatic (OpenAz project)

Page 4

XACML Architecture (block diagram; labels recovered from the slide)

- A Client sends requests to the Application, which hosts the PEP (Enforcement) in front of the Resources
- The PEP asks a PDP (Decision) for a decision; the slide shows several PDPs
- Administration maintains policies in the Policy Repository, from which the PDPs load them
- Authorities / Attribute Repositories supply attribute values to the PDPs

Page 5

Powerful Policy Expression

- “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM”
- “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
- “Anyone can view their own 401K information, but nobody else’s”
- “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
- “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

Page 6

Key XACML Features

- Federated Policy Administration: multiple policies may apply to the same situation; combining rules resolve conflicts
- Decision may include Obligations and Advice: more than just Permit or Deny; an Obligation can specify a present or future action (examples: log the request, require human approval, delete the data after 30 days)
- Protect any resource: web server, Java or C++ object, room in a building, network access, web service, geographic data, health records, etc.

Page 7

XACML Benefits

- Standard Policy Language: investment protection; skills reuse; leverage XML tools
- Policy not in application code: reduced cost of changes; consistent application; enables audit

Page 8

Policy Evaluation in Brief - 1

- Attribute-based access control (ABAC)
- Attributes are associated with Subject(s), Action, Resource or Environment
- Attributes may represent static (group membership) or dynamic (number of accesses) properties
- PDP is stateless

Page 9

Policy Evaluation in Brief - 2

- Policies contain Boolean expressions (a Target, and for Rules also a Condition)
- If false, the policy is not applicable
- If true, the Effect (Permit or Deny) is returned

Page 10

Policy Evaluation in Brief - 3

- Combining Algorithms resolve conflicting policy results; typical: Deny Overrides
- Obligations associated with the final Effect are also returned
- Policies are tree structured to simplify management
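The evaluation model of slides 8 to 10 (Boolean Targets and Conditions, Permit/Deny Effects, a combining algorithm, Obligations tied to the final Effect), applied to a small policy tree that encodes two of the example policies from slide 5, as a toy Python PDP. This is an added example written for this transcript, not code from the slides or from OASIS; the category names, attribute ids, sample policies and sample requests are assumptions. It also shows a failure mode the slides do not spell out: a Condition that cannot be evaluated because an attribute is missing yields Indeterminate instead of silently becoming NotApplicable or Permit.

```python
"""Toy XACML-style PDP (added example; not code from the slides or from OASIS).

A tree of PolicySets, Policies and Rules with Boolean Targets, Rule Conditions and
Effects, a combining algorithm, and Obligations returned only with the final Effect.
Category names, attribute ids and the sample policies are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
SUBJECT, RESOURCE, ACTION = "subject", "resource", "action"
Request = Dict[Tuple[str, str], List[object]]   # (category, attribute-id) -> values (multi-valued)
Target = Dict[Tuple[str, str], set]             # every listed attribute must carry one of the values
Result = Tuple[str, List[dict]]                  # (decision, obligations)


def attr(req: Request, category: str, attr_id: str) -> List[object]:
    return req.get((category, attr_id), [])


def target_matches(target: Target, req: Request) -> bool:
    """An empty Target matches every request, as in XACML."""
    return all(set(attr(req, cat, aid)) & values for (cat, aid), values in target.items())


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # PERMIT or DENY
    target: Target = field(default_factory=dict)
    condition: Optional[Callable[[Request], bool]] = None
    obligations: List[dict] = field(default_factory=list)   # returned only when this Rule fires

    def evaluate(self, req: Request) -> Result:
        if not target_matches(self.target, req):
            return NOT_APPLICABLE, []
        try:
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE, []
        except (KeyError, IndexError, ValueError, TypeError):
            # A missing or malformed attribute is an evaluation error, not "false": report
            # Indeterminate so the combiner cannot mistake it for NotApplicable or Permit.
            return INDETERMINATE, []
        return self.effect, list(self.obligations)


def deny_overrides(results: List[Result]) -> Result:
    """Deny > Indeterminate > Permit > NotApplicable (simple form; XACML 3.0 also distinguishes
    Indeterminate{D}/{P}/{DP}). Obligations flow up only from children that produced the decision."""
    decisions = [d for d, _ in results]
    for final in (DENY, INDETERMINATE, PERMIT):
        if final in decisions:
            return final, [o for d, obs in results if d == final for o in obs]
    return NOT_APPLICABLE, []


@dataclass
class Policy:
    """A Policy holds Rules; a PolicySet holds Policies. One class serves both tree levels."""
    policy_id: str
    children: list
    target: Target = field(default_factory=dict)
    combine: Callable[[List[Result]], Result] = deny_overrides
    obligations: List[dict] = field(default_factory=list)   # each carries a "fulfill_on" Effect

    def evaluate(self, req: Request) -> Result:
        if not target_matches(self.target, req):
            return NOT_APPLICABLE, []
        decision, obligations = self.combine([child.evaluate(req) for child in self.children])
        return decision, obligations + [o for o in self.obligations if o["fulfill_on"] == decision]


# Sample policy tree (assumed) encoding two of the slide's example policies.
def _order_total(req: Request) -> float:
    return float(attr(req, RESOURCE, "order-total")[0])    # IndexError when the attribute is absent


def _own_record(req: Request) -> bool:
    return bool(set(attr(req, SUBJECT, "id")) & set(attr(req, RESOURCE, "owner")))


ORDERS = Policy("orders", target={(RESOURCE, "type"): {"order"}, (ACTION, "id"): {"create"}}, children=[
    Rule("sales-can-order", PERMIT, target={(SUBJECT, "role"): {"salesperson"}}),
    Rule("big-orders-need-approval", PERMIT, target={(SUBJECT, "role"): {"salesperson"}},
         condition=lambda req: _order_total(req) > 1_000_000,
         obligations=[{"id": "require-supervisor-approval"}]),
])
RETIREMENT = Policy("401k", target={(RESOURCE, "type"): {"401k-record"}, (ACTION, "id"): {"view"}}, children=[
    Rule("own-record", PERMIT, condition=_own_record),
    Rule("nobody-else", DENY, condition=lambda req: not _own_record(req)),   # overrides any Permit
])
ROOT = Policy("enterprise", children=[ORDERS, RETIREMENT],
              obligations=[{"id": "log-denied-request", "fulfill_on": DENY}])


def make_request(subject: dict, resource: dict, action: str) -> Request:
    """Build a request from per-category attribute dicts (constructed sample input)."""
    req: Request = {(ACTION, "id"): [action]}
    for category, attrs in ((SUBJECT, subject), (RESOURCE, resource)):
        for aid, value in attrs.items():
            req[(category, aid)] = list(value) if isinstance(value, (list, set, tuple)) else [value]
    return req


def decide(req: Request) -> Result:
    return ROOT.evaluate(req)
```

`decide(make_request({"id": "alice", "role": "salesperson"}, {"type": "order", "order-total": 2_500_000}, "create"))` returns Permit with the supervisor-approval obligation, the same order at $500 returns a plain Permit, and the same request with no order-total attribute returns Indeterminate, because the deny-overrides combiner ranks an evaluation error above a Permit. The PEP, not the PDP, is the component that must then treat Indeterminate as no access.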

Page 11

XACML Concepts (diagram; labels recovered from the slide)

- PolicySet: Target, Policies, Obligations
- Policy: Target, Rules, Obligations
- Rule: Target, Condition, Effect

Page 12

XACML Policy Tree (diagram; labels recovered from the slide)

A Policy Set at the root contains Policies and nested Policy Sets; each nested Policy Set contains Policies; each Policy contains Rules, which are the leaves of the tree.

Page 13

Decision Request Interfaces

- Abstract Interface defined in XML; profiled as a real protocol over SOAP
- Programmatic Interfaces permitted, but unspecified
- JavaScript Object Notation (JSON) format: functionally equivalent to the XML/SOAP format; xacml+json MIME type approved by IANA
- REST-based communications: can carry JSON or XML format requests
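The JSON request and response formats mentioned on this slide, as a PEP would build and consume them. This is an added example, not code from the slides or from the OASIS JSON Profile itself; it uses the member names the JSON Profile of XACML 3.0 (version 1.0) defines (Request, AccessSubject/Action/Resource/Environment, Category, Attribute, AttributeId, Value, DataType, Response, Decision, Status, Obligations, AttributeAssignment), while the attribute ids other than the standard subject-id/resource-id/action-id and both sample documents are constructed here. It also applies the core specification's deny-biased PEP rule: access is granted only on a Permit whose Obligations the PEP can all discharge.

```python
"""XACML 3.0 JSON-profile messages as seen from a PEP (added example; not OASIS code).

Builds a decision request with the profile's shorthand category keys, flattens an
incoming request (shorthand or generic "Category" form) into attribute lists, and
parses a response the way a deny-biased PEP must. Attribute ids other than the
standard subject-id/resource-id/action-id, and both sample documents, are constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

MEDIA_TYPE = "application/xacml+json"       # Content-Type for JSON-profile requests over REST

# Shorthand member names the profile allows in place of a full Category entry.
CATEGORY_KEYS = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
XSD = "http://www.w3.org/2001/XMLSchema#"
Flat = Dict[Tuple[str, str], List[object]]   # (category URI, AttributeId) -> values


def datatype(value: object) -> str:
    """DataType inferred from the JSON value, as the profile allows when it is omitted."""
    if isinstance(value, bool):          # bool before int: bool is a subclass of int in Python
        return XSD + "boolean"
    if isinstance(value, int):
        return XSD + "integer"
    if isinstance(value, float):
        return XSD + "double"
    return XSD + "string"


def build_request(subject: dict, resource: dict, action: dict, environment: Optional[dict] = None) -> dict:
    """Produce {"Request": {...}}; each argument maps AttributeId -> value or list of values."""
    def category(attrs: dict) -> list:
        entries = []
        for attr_id, value in attrs.items():
            values = value if isinstance(value, list) else [value]
            entries.append({"AttributeId": attr_id, "DataType": datatype(values[0]),
                            "Value": values if len(values) > 1 else values[0], "IncludeInResult": False})
        return [{"Attribute": entries}]

    req = {"AccessSubject": category(subject), "Resource": category(resource), "Action": category(action)}
    if environment:
        req["Environment"] = category(environment)
    return {"Request": req}


def flatten_request(doc: dict) -> Flat:
    """Accept shorthand keys and/or the generic "Category" array; multi-valued Values are merged."""
    body = doc["Request"]
    groups = [(uri, c) for key, uri in CATEGORY_KEYS.items() for c in body.get(key, [])]
    groups += [(c["CategoryId"], c) for c in body.get("Category", [])]
    flat: Flat = {}
    for uri, cat in groups:
        for a in cat.get("Attribute", []):
            value = a["Value"]
            flat.setdefault((uri, a["AttributeId"]), []).extend(value if isinstance(value, list) else [value])
    return flat


def parse_response(text: str) -> List[dict]:
    """One {decision, status, obligations: {Id: {AttributeId: Value}}} per Result in the Response array."""
    results = []
    for r in json.loads(text)["Response"]:
        obligations = {ob["Id"]: {aa["AttributeId"]: aa["Value"] for aa in ob.get("AttributeAssignment", [])}
                       for ob in r.get("Obligations", [])}
        status = r.get("Status", {}).get("StatusCode", {}).get("Value", "urn:oasis:names:tc:xacml:1.0:status:ok")
        results.append({"decision": r["Decision"], "status": status, "obligations": obligations})
    return results


def pep_allows(result: dict, dischargeable: set) -> bool:
    """Deny-biased PEP: access only on Permit, and only if every Obligation can be discharged.
    Deny, NotApplicable and Indeterminate all mean no access."""
    return result["decision"] == "Permit" and set(result["obligations"]) <= dischargeable


# Constructed sample documents.
SAMPLE_REQUEST = build_request(
    subject={"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "alice", "role": ["salesperson", "employee"]},
    resource={"urn:oasis:names:tc:xacml:1.0:resource:resource-id": "order/7731", "order-total": 2500000},
    action={"urn:oasis:names:tc:xacml:1.0:action:action-id": "create"},
)
SAMPLE_RESPONSE = json.dumps({"Response": [{
    "Decision": "Permit",
    "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}},
    "Obligations": [{"Id": "require-supervisor-approval",
                     "AttributeAssignment": [{"AttributeId": "approver-role", "Value": "supervisor"}]}],
    "AssociatedAdvice": [{"Id": "notify-finance", "AttributeAssignment": []}],
}]})
```

`json.dumps(SAMPLE_REQUEST)` is the body a REST PEP would POST with `Content-Type: application/xacml+json`; `parse_response(SAMPLE_RESPONSE)[0]` yields a Permit carrying one obligation, so `pep_allows` returns True only when "require-supervisor-approval" is in the PEP's set of dischargeable obligation ids. Advice is parsed out and ignored here, which is the correct default: unlike Obligations, Advice may be disregarded without affecting the decision.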

Page 14

Prior XACML Privacy Work

- Privacy Profile: defines 2 attributes, both named “Purpose”, one in the Action category and one in the Resource category, and a Rule to match the two Purposes
- XSPA XACML Profile: OASIS Standard in 2009; based on prior work at HL7; defines 53 attributes (14 normative); several public interops; new profile in progress

Page 15

Referencing XACML in Other Standards

- Attributes: which ones may be needed; Category (Subject, Resource, etc.); precise semantics (data type, legal values)
- Policy: agreed-upon policies (normative); example policies (illustrate potential use of attributes)

Page 16

Useful Links

- XACML core specification: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc
- Privacy Profile: http://docs.oasis-open.org/xacml/3.0/privacy/v1.0/xacml-3.0-privacy-v1.0.doc
- XSPA Standard: http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.doc
- Interop Policies: https://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip and https://www.oasis-open.org/committees/download.php/32225/HIMSS-OASIS-Interop-documents.zip

Page 17

Discussion