
Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, Meeting Date: Agenda Item:


1 Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, Meeting Date: Agenda Item:

2 What is XACML

eXtensible Access Control Markup Language (XACML) is an XML-based access control language defined by the Organization for the Advancement of Structured Information Standards (OASIS). (Version 2.0, 2005; Version 3.0, 2013)

The XACML access control framework conforms to Attribute Based Access Control (ABAC).

The oneM2M authorization system shall select XACML as its access control policy description language.

3 XACML Policy Structure

4 XACML Element Structure
(Figure: a Match element; the value in the policy, e.g. "physician", is compared by the match function with the value from the request.)

5 XACML Element Structure

6 XACML Attribute Categories
Subject attribute category: Originator, Role, ...
Resource attribute category: Resource URI, Creation time, ...
Action attribute category: Retrieve, Update, ...
Environment attribute category: current time, IP Address, ...
It is extensible.

7 XACML Defines 8 Rule and Policy Combining Algorithms
1. Deny-overrides
2. Ordered-deny-overrides
3. Permit-overrides
4. Ordered-permit-overrides
5. Deny-unless-permit
6. Permit-unless-deny
7. First-applicable
8. Only-one-applicable
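As an added example (not part of the slides), the eight algorithms above implemented in Python over a list of per-rule decisions. It collapses the XACML 3.0 extended Indeterminate{D}/{P}/{DP} values into a single Indeterminate, and treats the ordered variants like the unordered ones because the input list is already in policy order.

```python
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def _overrides(winner, loser, decisions):
    # Shared shape of deny-overrides and permit-overrides: the winning decision beats everything;
    # Indeterminate outranks the losing decision because the failed rule might have returned the winner.
    if winner in decisions:
        return winner
    if INDETERMINATE in decisions:
        return INDETERMINATE
    return loser if loser in decisions else NOT_APPLICABLE

def deny_unless_permit(decisions):
    # Never yields Indeterminate or NotApplicable: anything but an explicit Permit denies (fail closed).
    return PERMIT if PERMIT in decisions else DENY

def permit_unless_deny(decisions):
    # Never yields Indeterminate or NotApplicable: anything but an explicit Deny permits (fail open).
    return DENY if DENY in decisions else PERMIT

def first_applicable(decisions):
    # Decision of the first rule whose target matched, Indeterminate included.
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE

def only_one_applicable(decisions):
    # Exactly one rule may apply; several applicable rules (or an evaluation error) are a policy defect.
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    if INDETERMINATE in applicable or len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE

# The "ordered" variants are the same functions here: the input list is already in policy order.
ALGORITHMS = {
    "deny-overrides": lambda d: _overrides(DENY, PERMIT, d),
    "ordered-deny-overrides": lambda d: _overrides(DENY, PERMIT, d),
    "permit-overrides": lambda d: _overrides(PERMIT, DENY, d),
    "ordered-permit-overrides": lambda d: _overrides(PERMIT, DENY, d),
    "deny-unless-permit": deny_unless_permit,
    "permit-unless-deny": permit_unless_deny,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}

def combine(algorithm, decisions):
    """Combine per-rule decisions with the algorithm named as on slide 7 (lower-case)."""
    return ALGORITHMS[algorithm](list(decisions))
```

Feeding two NotApplicable results through every algorithm shows the practical difference: permit-unless-deny grants access when no rule matched at all, while deny-unless-permit and the override algorithms do not.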

8 XACML Defines a lot of Attribute Identifiers

Identifier, with M/O column (M = mandatory to implement, O = optional):
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name   O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address   O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method   O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time   O
urn:oasis:names:tc:xacml:1.0:subject:key-info   O
urn:oasis:names:tc:xacml:1.0:subject:request-time   O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time   O
urn:oasis:names:tc:xacml:1.0:subject:subject-id   O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier   O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject   M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase   O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject   O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject   O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine   O
urn:oasis:names:tc:xacml:1.0:resource:resource-location   O
urn:oasis:names:tc:xacml:1.0:resource:resource-id   M
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name   O
urn:oasis:names:tc:xacml:1.0:action:action-id   O
urn:oasis:names:tc:xacml:1.0:action:implied-action   O

9 XACML Defines a lot of Data Types

Data-type, with M/O column (M = mandatory to implement, O = optional):
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name   M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name   M
urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression   O
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress   M
urn:oasis:names:tc:xacml:2.0:data-type:dnsName   M

10 XACML Defines a lot of Functions

Function, with M/O column (M = mandatory to implement, O = optional):
urn:oasis:names:tc:xacml:1.0:function:string-equal   M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal   M
urn:oasis:names:tc:xacml:1.0:function:integer-equal   M
urn:oasis:names:tc:xacml:1.0:function:double-equal   M
urn:oasis:names:tc:xacml:1.0:function:date-equal   M
urn:oasis:names:tc:xacml:1.0:function:time-equal   M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal   M
urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal   M
urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal   M
urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case   M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal   M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal   M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal   M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal   M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal   M
urn:oasis:names:tc:xacml:1.0:function:integer-add   M
urn:oasis:names:tc:xacml:1.0:function:double-add   M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract   M
urn:oasis:names:tc:xacml:1.0:function:double-subtract   M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply   M
urn:oasis:names:tc:xacml:1.0:function:double-multiply   M
urn:oasis:names:tc:xacml:1.0:function:integer-divide   M
urn:oasis:names:tc:xacml:1.0:function:double-divide   M
urn:oasis:names:tc:xacml:1.0:function:integer-mod   M

11 XACML Request and Response Contexts

Attribute categories:
Subject
Resource
Action
Environment
Newly defined attribute categories (e.g. Token)

Authorization decision:
"Permit"
"Deny"
"Indeterminate"
"NotApplicable"

12 Using XACML in oneM2M Authorization Architecture

13 Mapping oneM2M request parameters to the XACML request context

Columns: Parameter in oneM2M, Description, Attribute Category in XACML, AttributeId in XACML, DataType in XACML.

to: URI of target resource
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
  DataType: http://www.w3.org/2001/XMLSchema#anyURI

fr: Identifier representing the originator of the request
  Category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  DataType: http://www.w3.org/2001/XMLSchema#string

role: Role of the originator
  Category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: TBD
  DataType: http://www.w3.org/2001/XMLSchema#string

op: Requested operation
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:action
  AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
  DataType: http://www.w3.org/2001/XMLSchema#string

rq_time: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: urn:oasis:names:tc:xacml:1.0:environment:current-time
  DataType: http://www.w3.org/2001/XMLSchema#time

rq_loc: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: TBD

rq_ip: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
  DataType: urn:oasis:names:tc:xacml:2.0:data-type:ipAddress

fc: Filter criteria
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: TBD
  DataType: http://www.onem2m.org/xml/protocols#filterCriteria

14 Mapping from oneM2M access control decision to XACML authorization decision

Columns: Access control decision in oneM2M, Description, Authorization decision in XACML.
TRUE or 1: The requested access is permitted. -> "Permit"
FALSE or 0: The requested access is denied. -> "Deny"
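An added example, not from the slides or from the oneM2M specifications: a Python translation of a oneM2M request primitive into an XACML 3.0 Request context following the mapping of slide 13, together with the decision mapping of slide 14. The AttributeId used for role is a hypothetical placeholder because the slide marks it TBD, and the sample primitive values are constructed.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Slide 13's mapping: oneM2M parameter -> (Category, AttributeId, DataType).
# "role" is TBD on the slide; the AttributeId below is a hypothetical placeholder.
ONEM2M_TO_XACML = {
    "to": (CAT + "resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", XS + "anyURI"),
    "fr": (ACCESS_SUBJECT, "urn:oasis:names:tc:xacml:1.0:subject:subject-id", XS + "string"),
    "role": (ACCESS_SUBJECT, "urn:example:onem2m:placeholder:role", XS + "string"),
    "op": (CAT + "action", "urn:oasis:names:tc:xacml:1.0:action:action-id", XS + "string"),
    "rq_time": (CAT + "environment", "urn:oasis:names:tc:xacml:1.0:environment:current-time", XS + "time"),
    "rq_ip": (CAT + "environment", "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address",
              "urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"),
}

def build_xacml_request(primitive):
    """Translate a oneM2M request primitive (dict) into an XACML 3.0 <Request> element.
    Unmapped parameters raise instead of being dropped, so nothing the policy should see is lost."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    containers = {}  # one <Attributes> element per category
    for name, value in primitive.items():
        if name not in ONEM2M_TO_XACML:
            raise ValueError(f"no XACML mapping for oneM2M parameter {name!r}")
        category, attr_id, data_type = ONEM2M_TO_XACML[name]
        if category not in containers:
            containers[category] = ET.SubElement(req, f"{{{XACML_NS}}}Attributes", Category=category)
        attr = ET.SubElement(containers[category], f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=data_type).text = str(value)
    return req

def attribute_value(req, attr_id):
    """Return the value carried by AttributeId attr_id in a built request (None if absent)."""
    for attr in req.iter(f"{{{XACML_NS}}}Attribute"):
        if attr.get("AttributeId") == attr_id:
            return attr.find(f"{{{XACML_NS}}}AttributeValue").text
    return None

def to_onem2m_decision(xacml_decision):
    """Slide 14: Permit -> TRUE, Deny -> FALSE. Indeterminate and NotApplicable are not in the
    slide's table; mapping them to FALSE here keeps the enforcement point fail-closed."""
    return xacml_decision == "Permit"

SAMPLE_PRIMITIVE = {"fr": "C-Sensor01", "to": "/CSE01/sensor01/data", "op": "Retrieve",
                    "role": "002-Device Configuration", "rq_ip": "192.0.2.10"}  # constructed sample
```

Serialising the result with ET.tostring(build_xacml_request(SAMPLE_PRIMITIVE), encoding="unicode") gives four <Attributes> containers (subject, resource, action, environment), which is the request context a PDP would evaluate against a policy.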

15 XACML is Extensible
(Figure: example of adding role and token in the XACML request context; the role value shown is "002-Device Configuration" and the token value is a base64-encoded blob.)

16 What we should do if XACML is used in oneM2M
Defining new attribute IDs, e.g. attribute ID for role
Defining new attribute categories, e.g. security token
Defining new functions, e.g. functions for location and wildcard matching
And so on...

