xacml - xml amsterdam2011


Presentation about eXtensible Access Control Markup Language (XACML) delivered at XML Amsterdam 2011


Page 1: XACML - XML Amsterdam2011

1© Copyright 2011 EMC Corporation. All rights reserved.

eXtensible Access Control Markup Language

Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee

sinnema313

Page 2: XACML - XML Amsterdam2011


Agenda

• Access Control
  – Various models
  – How XACML fits in

• XACML
  – Architecture
  – Request/Response Protocol
  – Policy Language
  – Optional Profiles
  – What’s new in 3.0
  – Implementations

Page 3: XACML - XML Amsterdam2011


Access Control

Page 4: XACML - XML Amsterdam2011


Access Control

• Access control is the basis of Information Security:
  – Confidentiality: prevent disclosure to unauthorized agents
  – Integrity: prevent modification by unauthorized agents
  – Availability: keep unauthorized agents off the system

• An access request occurs when
  – a given subject tries to access
  – a given resource to perform
  – a given action in
  – a given environment

Page 5: XACML - XML Amsterdam2011


Access Control List (ACL)

• (subject, resource, action, ?)
  – Subject is user or group
  – No environment
  – Hard to maintain when many users share privileges

• Widely available, e.g. in operating systems

Page 6: XACML - XML Amsterdam2011


Role-Based Access Control (RBAC)

• (role, resource, action, ?)
  – Generalizes users into roles
  – Users can have many roles
  – Roles can be hierarchical
    • A manager is an employee
  – No environment
  – Not granular enough / role explosion

• Commonly available, e.g. in databases

Page 7: XACML - XML Amsterdam2011


Attribute-Based Access Control (ABAC)

• (subject, resource, action, environment)
  – Generalizes everything into attributes
  – Adds environment attributes
  – Subject can be user, group, role, application, …
  – Subject can be described by more than one attribute

• Matches the definition of identity:
  – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” (Identity Management – A Primer, p. 9)

• State of the art

Page 8: XACML - XML Amsterdam2011


Policy-Based Access Control (PBAC)

• (subject, resource, action, environment)
  – Harmonizes attributes across the (extended) organization

• Coming soon…

Page 9: XACML - XML Amsterdam2011


Risk-Adaptive Access Control (RAdAC)

• (subject, resource, action, environment)
  – Dynamic risk levels as environment attributes
  – Threat level etc. from outside sources as well

• Not anytime soon

Page 10: XACML - XML Amsterdam2011


Evolution of Access Control Models

Trends:

• Finer granularity

• More policy-based over ad-hoc

Page 11: XACML - XML Amsterdam2011


XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC

One technology for all your evolving access control needs!

Page 12: XACML - XML Amsterdam2011


eXtensible Access Control Markup Language

Page 13: XACML - XML Amsterdam2011


Architecture

Page 14: XACML - XML Amsterdam2011


Request

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>

Page 15: XACML - XML Amsterdam2011


Response

<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>

Page 16: XACML - XML Amsterdam2011


Policy Language (1)

• Hierarchical structure: PolicySet → Policy → Rule

Page 17: XACML - XML Amsterdam2011


Policy Language (2)

• Target filters applicable requests
  – In PolicySet, Policy, and Rule
  – Using attribute matching

• Condition refines further
  – Powerful expression language

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
    <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
                                MustBePresent="true"
                                DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Apply>
</Condition>

Page 18: XACML - XML Amsterdam2011


<Rule RuleId="…" Effect="Permit">
  <Description>…</Description>
  <Target>
    <Subjects>
      <Subject>
        <!-- string-equal is defined in the 1.0 function namespace; a 2.0 URN for it does not exist -->
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
          <!-- the designator names the attribute with AttributeId; the element itself is empty -->
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                      DataType="http://www.w3.org/2001/XMLSchema#string" />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>…</Resources>
    <Actions>…</Actions>
    <Environments>…</Environments>
  </Target>
  <Condition>…</Condition>
</Rule>

Slide callouts: Effect, Attribute Matching, Function, Attribute Value, Data Type, Attribute ID
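As an added example (not code from the slides or from any XACML implementation), the following parses a XACML 2.0 request context like the one on slide 14 into attribute bags and evaluates a string-equal SubjectMatch such as the one in the rule above against it; it assumes one element per category and shows how MustBePresent turns a missing attribute into Indeterminate rather than a silent non-match.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request context modelled on slide 14: Julius Hibbert wants to read a record.
REQUEST_XML = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{STRING}">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>"""

def parse_request(xml_text):
    """Return {category: {attribute_id: [(datatype, value), ...]}} for a 2.0 request.
    Assumes one element per category, as on the slide; every attribute is a bag."""
    ctx = {}
    for category in ET.fromstring(xml_text):      # Subject, Resource, Action, Environment
        attrs = ctx.setdefault(category.tag.split("}")[1], {})
        for attr in category.findall(f"{{{CTX}}}Attribute"):
            for value in attr.findall(f"{{{CTX}}}AttributeValue"):
                bag = attrs.setdefault(attr.get("AttributeId"), [])
                bag.append((attr.get("DataType"), (value.text or "").strip()))
    return ctx

def subject_match(ctx, attribute_id, literal, must_be_present=False):
    """string-equal SubjectMatch of a literal against a SubjectAttributeDesignator.
    Matches if ANY bag member equals the literal. An absent attribute is NoMatch,
    or Indeterminate when MustBePresent="true" (so the PDP reports the error)."""
    bag = ctx.get("Subject", {}).get(attribute_id, [])
    if not bag:
        return "Indeterminate" if must_be_present else "NoMatch"
    is_equal = any(dt == STRING and val == literal for dt, val in bag)
    return "Match" if is_equal else "NoMatch"
```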

Page 19: XACML - XML Amsterdam2011


Conflict Resolution

• Multiple rules can be applicable

• Conflicts are resolved by Combining Algorithms
  – Policy has Rule Combining Algorithm
  – PolicySet has Policy Combining Algorithm

• Standard Combining Algorithms:
  – permit-overrides
  – deny-overrides
  – first-applicable
  – only-one-applicable
  – ordered-permit-overrides
  – ordered-deny-overrides
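As an added example (not code from the slides or from any XACML implementation), the following implements the XACML 2.0 rule-combining semantics of deny-overrides, permit-overrides and first-applicable over per-rule (effect, decision) pairs; the constructed SAMPLE shows the same three rule outcomes yielding Deny, Permit or Indeterminate depending only on the algorithm, which is why the choice of combining algorithm is a security decision.

```python
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

def _overrides(rules, winner, loser):
    """XACML 2.0 *-overrides: the winning effect decides outright. An Indeterminate
    from a rule whose Effect is the winner counts as the winner, because the error
    may have hidden that decision (e.g. a Deny rule that failed on a missing attribute)."""
    potential_winner = any_loser = any_error = False
    for effect, decision in rules:
        if decision == winner:
            return winner
        if decision == loser:
            any_loser = True
        elif decision == IND:
            any_error = True
            potential_winner |= effect == winner
    if potential_winner:
        return winner
    if any_loser:
        return loser
    return IND if any_error else NA

def deny_overrides(rules):
    return _overrides(rules, winner=DENY, loser=PERMIT)

def permit_overrides(rules):
    return _overrides(rules, winner=PERMIT, loser=DENY)

def first_applicable(rules):
    """The first rule that is not NotApplicable decides, Indeterminate included."""
    for _effect, decision in rules:
        if decision != NA:
            return decision
    return NA

# Constructed rule outcomes for one request: a Deny rule that errored (Indeterminate),
# a Permit rule that matched, and a Deny rule whose Target did not apply.
SAMPLE = [(DENY, IND), (PERMIT, PERMIT), (DENY, NA)]

if __name__ == "__main__":
    for algorithm in (deny_overrides, permit_overrides, first_applicable):
        print(f"{algorithm.__name__:17} -> {algorithm(SAMPLE)}")
```

Note that only deny-overrides fails closed here: a PDP that could not evaluate the Deny rule still denies, whereas permit-overrides grants and first-applicable surfaces the error to the PEP.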

Page 20: XACML - XML Amsterdam2011


Obligations

• Action that the PEP must perform
  – Email manager, log access, …

• Optional part of the specification

Page 21: XACML - XML Amsterdam2011


X stands for eXtensible

• Custom attribute IDs

• Custom functions

• Custom data types

• Custom combining algorithms

Page 22: XACML - XML Amsterdam2011


Optional Profiles

• RBAC

• Multiple Resource

• Hierarchical Resource

• Privacy

• SAML

• XML Digital Signature

Page 23: XACML - XML Amsterdam2011


What’s new in 3.0

• Subject/Resource/Action/Environment generalized into attribute categories

• Advice (like obligation but optional)

• Obligations & advice can be dynamic

• More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs)

• XPath improvements (XPath data type)

• Updated profiles
  – Multi: decision schemes
  – SAML: pass policies with request

• New profiles
  – Administration & Delegation (policies about who can change policies)
  – Export
  – Intellectual Property (in progress)

Page 24: XACML - XML Amsterdam2011


Implementations

• Commercial

• Embedded

• Open Source
  – SunXacml

Page 25: XACML - XML Amsterdam2011


Q&A

sinnema313

Page 26: XACML - XML Amsterdam2011


THANK YOU