Why Using XACML as oneM2M Access Control Policy


1 Why Using XACML as oneM2M Access Control Policy
Group Name: WG4
Source: Wei Zhou, CATT
Meeting Date: < >
Agenda Item: <agenda item topic name>

2 What is XACML
eXtensible Access Control Markup Language (XACML) is an XML-based access control language defined by the Organization for the Advancement of Structured Information Standards (OASIS).
The XACML access control framework conforms to the Attribute Based Access Control (ABAC) model. (Version 2.0, 2005; Version 3.0, 2013)
The oneM2M authorization system shall select XACML as its access control policy description language.

3 XACML Policy Structure

4 XACML <Target> Element Structure
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">                       <!-- Match function -->
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>   <!-- Value in policy -->
    <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>                                   <!-- Value from request -->
  </Match>
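To show how the Match above is actually decided, here is a small evaluator added for this transcript (it is not code from the presentation, from oneM2M or from OASIS). It wraps the slide's Match in the AnyOf/AllOf structure a XACML 3.0 Target uses, represents the request context as a dict of attribute bags keyed by (category, AttributeId), and implements the three-valued True/False/Indeterminate truth tables for Match, AllOf, AnyOf and Target. Only two of the matching functions from slide 10 are wired in; the rest of the function table, the request layout and the sample roles are this example's assumptions.

```python
import xml.etree.ElementTree as ET

# The <Match> from slide 4, placed inside the AnyOf/AllOf structure of a
# XACML 3.0 <Target>. Written without namespace prefixes, as on the slide.
TARGET_XML = """<Target>
  <AnyOf>
    <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
        <AttributeDesignator MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Match>
    </AllOf>
  </AnyOf>
</Target>"""

INDETERMINATE = "Indeterminate"

# Two of the functions listed on slide 10 (assumed subset). Each takes
# (value from the policy, value from the request).
MATCH_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case":
        lambda a, b: a.lower() == b.lower(),
}

# Key of the role attribute used by the slide's Match (category, AttributeId).
ROLE_KEY = ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "urn:oasis:names:tc:xacml:3.0:example:attribute:role")


def evaluate_match(match_el, request):
    """Evaluate one <Match>. `request` maps (category, attribute_id) to a list
    of values: every attribute in a XACML request context is a bag."""
    func = MATCH_FUNCTIONS[match_el.get("MatchId")]
    policy_value = match_el.find("AttributeValue").text
    designator = match_el.find("AttributeDesignator")
    bag = request.get((designator.get("Category"), designator.get("AttributeId")), [])
    if not bag:
        # Missing attribute: MustBePresent="true" turns it into an error
        # (Indeterminate); "false" just means the Match is not satisfied.
        return INDETERMINATE if designator.get("MustBePresent") == "true" else False
    # The function is applied to the policy value and every bag member;
    # the Match is True if any application is True.
    return any(func(policy_value, v) for v in bag)


def _all_of(results):
    """<AllOf> (and <Target>): any False -> False; else any Indeterminate
    -> Indeterminate; else True. An empty list is True."""
    if False in results:
        return False
    if INDETERMINATE in results:
        return INDETERMINATE
    return True


def _any_of(results):
    """<AnyOf>: any True -> True; else any Indeterminate -> Indeterminate; else False."""
    if True in results:
        return True
    if INDETERMINATE in results:
        return INDETERMINATE
    return False


def evaluate_target(target_el, request):
    """A Target applies when every <AnyOf> is True; an empty Target matches all requests."""
    return _all_of([
        _any_of([_all_of([evaluate_match(m, request) for m in all_of.findall("Match")])
                 for all_of in any_of.findall("AllOf")])
        for any_of in target_el.findall("AnyOf")
    ])


def evaluate_target_xml(xml_text, request):
    """Parse a <Target> fragment and evaluate it against a request context."""
    return evaluate_target(ET.fromstring(xml_text), request)


if __name__ == "__main__":
    # Constructed sample request contexts, not taken from the slides.
    print(evaluate_target_xml(TARGET_XML, {ROLE_KEY: ["physician"]}))  # True
    print(evaluate_target_xml(TARGET_XML, {ROLE_KEY: ["nurse"]}))      # False
    print(evaluate_target_xml(TARGET_XML, {}))                         # False
```

The MustBePresent branch is the part worth reading twice: with MustBePresent="false" an absent role attribute silently makes the rule not apply, while "true" surfaces the missing data as Indeterminate, which the combining algorithm (slide 7) can then treat as an error rather than as "no match".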

5 XACML <Condition> Element Structure
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <!-- string-one-and-only reduces the subject's physician-id bag to a single value
         (Indeterminate if the bag is empty or has more than one value) -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <AttributeDesignator MustBePresent="false"
          Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:physician-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
    <!-- the registration ID is selected from the resource content by XPath -->
    <AttributeSelector MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        Path="md:record/md:primaryCarePhysician/md:registrationID/text()"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>

6 XACML Attribute Categories
Subject attribute category: Originator, Role, …
Resource attribute category: Resource URI, Creation time, …
Action attribute category: Retrieve, Update, …
Environment attribute category: current time, IP Address, …
It is extensible.

7 XACML Defines 8 Rule and Policy Combining Algorithms
Deny-overrides
Ordered-deny-overrides
Permit-overrides
Ordered-permit-overrides
Deny-unless-permit
Permit-unless-deny
First-applicable
Only-one-applicable
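The names alone do not show how the eight algorithms differ when a rule errors out or does not apply, which is exactly where an authorization system fails open or closed. The following implementation is added for this transcript (it is not code from the presentation, from oneM2M or from OASIS) and follows XACML 3.0 Appendix C, operating on the list of decisions the combined rules or policies returned. The extended Indeterminate values (Indeterminate{D}, {P}, {DP}) are the spec's way of recording which effect an erroring rule would have had; modelling Only-one-applicable on decisions rather than on each policy's Target is this example's simplification, and the input lists are constructed samples.

```python
"""Combining algorithms from slide 7, applied to a list of child decisions."""

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND = "Indeterminate"   # plain form, returned by first/only-one-applicable
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def _overrides(decisions, winner, loser, ind_w, ind_l):
    """Shared walk for deny-overrides (winner=Deny) and permit-overrides
    (winner=Permit), per XACML 3.0 C.2/C.4. The winning effect is final as
    soon as it is seen; errors are reported only if they could have
    changed the outcome."""
    err_w = err_l = err_dp = seen_loser = False
    for d in decisions:
        if d == winner:
            return winner
        if d == loser:
            seen_loser = True
        elif d == ind_w:
            err_w = True
        elif d == ind_l:
            err_l = True
        elif d == IND_DP:
            err_dp = True
        # NotApplicable contributes nothing
    if err_dp or (err_w and (err_l or seen_loser)):
        return IND_DP
    if err_w:
        return ind_w
    if seen_loser:
        return loser
    if err_l:
        return ind_l
    return NA


def deny_overrides(decisions):
    return _overrides(decisions, DENY, PERMIT, IND_D, IND_P)


def permit_overrides(decisions):
    return _overrides(decisions, PERMIT, DENY, IND_P, IND_D)


# The ordered variants evaluate children strictly in document order, which
# matters for the obligations/advice they collect; on a list of decisions
# alone the result is identical to the unordered form.
ordered_deny_overrides = deny_overrides
ordered_permit_overrides = permit_overrides


def deny_unless_permit(decisions):
    """Fail closed: anything other than an explicit Permit ends in Deny."""
    return PERMIT if PERMIT in decisions else DENY


def permit_unless_deny(decisions):
    """Fail open: only an explicit Deny blocks the request."""
    return DENY if DENY in decisions else PERMIT


def first_applicable(decisions):
    """The first child that is not NotApplicable decides; an error stops the walk."""
    for d in decisions:
        if d == NA:
            continue
        return IND if d.startswith(IND) else d
    return NA


def only_one_applicable(decisions):
    """Policy-set combiner: exactly one applicable child may decide.
    Simplification (assumption): a child counts as applicable when it
    returned anything but NotApplicable; the spec looks at its Target."""
    applicable = [d for d in decisions if d != NA]
    if len(applicable) > 1:
        return IND
    if len(applicable) == 1:
        return IND if applicable[0].startswith(IND) else applicable[0]
    return NA


ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "ordered-deny-overrides": ordered_deny_overrides,
    "permit-overrides": permit_overrides,
    "ordered-permit-overrides": ordered_permit_overrides,
    "deny-unless-permit": deny_unless_permit,
    "permit-unless-deny": permit_unless_deny,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}


def combine_all(decisions):
    """Run every algorithm on the same decisions, to compare their behaviour."""
    return {name: alg(decisions) for name, alg in ALGORITHMS.items()}


if __name__ == "__main__":
    # Constructed sample: one rule errored with a Deny effect, one permitted.
    for name, result in combine_all([IND_D, PERMIT, NA]).items():
        print(f"{name:26s} {result}")
```

Compare the last sample across algorithms: deny-overrides reports Indeterminate{DP} because the failed rule could have denied, permit-unless-deny still answers Permit, and deny-unless-permit answers Permit only because an explicit Permit is present. Choosing the combiner is therefore a fail-open versus fail-closed decision, not a cosmetic one.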

8 XACML Defines a lot of Attribute Identifiers
The slide has an M/O column (mandatory/optional) next to each identifier; only the marks that survived extraction are shown in parentheses.
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name (O)
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
urn:oasis:names:tc:xacml:1.0:subject:key-info
urn:oasis:names:tc:xacml:1.0:subject:request-time
urn:oasis:names:tc:xacml:1.0:subject:session-start-time
urn:oasis:names:tc:xacml:1.0:subject:subject-id
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject (M)
urn:oasis:names:tc:xacml:1.0:subject-category:codebase
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
urn:oasis:names:tc:xacml:1.0:resource:resource-location
urn:oasis:names:tc:xacml:1.0:resource:resource-id
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name
urn:oasis:names:tc:xacml:1.0:action:action-id
urn:oasis:names:tc:xacml:1.0:action:implied-action

9 XACML Defines a lot of Data Types
M/O column (mandatory/optional) as on the slide:
M
  urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name
  urn:oasis:names:tc:xacml:1.0:data-type:x500Name
  urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression
O
  urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
  urn:oasis:names:tc:xacml:2.0:data-type:dnsName

10 XACML Defines a lot of Functions
The slide has an M/O column (mandatory/optional); only the mark on the first entry survived extraction.
urn:oasis:names:tc:xacml:1.0:function:string-equal (M)
urn:oasis:names:tc:xacml:1.0:function:boolean-equal
urn:oasis:names:tc:xacml:1.0:function:integer-equal
urn:oasis:names:tc:xacml:1.0:function:double-equal
urn:oasis:names:tc:xacml:1.0:function:date-equal
urn:oasis:names:tc:xacml:1.0:function:time-equal
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal
urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal
urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal
urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal
urn:oasis:names:tc:xacml:1.0:function:integer-add
urn:oasis:names:tc:xacml:1.0:function:double-add
urn:oasis:names:tc:xacml:1.0:function:integer-subtract
urn:oasis:names:tc:xacml:1.0:function:double-subtract
urn:oasis:names:tc:xacml:1.0:function:integer-multiply
urn:oasis:names:tc:xacml:1.0:function:double-multiply
urn:oasis:names:tc:xacml:1.0:function:integer-divide
urn:oasis:names:tc:xacml:1.0:function:double-divide
urn:oasis:names:tc:xacml:1.0:function:integer-mod

11 XACML Request and Response Contexts
Attribute categories in the request context:
  Subject
  Resource
  Action
  Environment
  Newly defined attribute categories (e.g. Token)
Authorization decision in the response context:
  "Permit"
  "Deny"
  "Indeterminate"
  "NotApplicable"

12 Using XACML in oneM2M Authorization Architecture

13 Mapping oneM2M request parameters to the XACML request context
Columns on the slide: parameter in oneM2M, description, attribute category in XACML, AttributeId in XACML, DataType in XACML.

to (URI of target resource)
  Category:    urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
  DataType:    http://www.w3.org/2001/XMLSchema#anyURI

fr (Identifier representing the originator of the request)
  Category:    urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  DataType:    http://www.w3.org/2001/XMLSchema#string

role (Role of the originator)
  Category:    urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: TBD
  DataType:    http://www.w3.org/2001/XMLSchema#string

op (Requested operation)
  Category:    urn:oasis:names:tc:xacml:3.0:attribute-category:action
  AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
  DataType:    (not shown on the slide)

rq_time (Context information)
  Category:    urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: urn:oasis:names:tc:xacml:1.0:environment:current-time
  DataType:    http://www.w3.org/2001/XMLSchema#time

rq_loc (Context information)
  No XACML mapping shown on the slide.

rq_ip (Context information)
  Category:    (not shown on the slide)
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
  DataType:    urn:oasis:names:tc:xacml:2.0:data-type:ipAddress

fc (Filter criteria)
  Category:    urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: (not shown on the slide)
  DataType:    …rg/xml/protocols#filterCriteria (prefix truncated on the page)

14 Mapping from oneM2M access control decision to XACML authorization decision
Columns on the slide: access control decision in oneM2M, description, authorization decision in XACML.

TRUE or 1   The requested access is permitted.   "Permit"
FALSE or 0  The requested access is denied.      "Deny"

15 XACML is Extensible
Example of adding role and token in XACML request context:

  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:onem2m:names:attribute:role" Issuer="onem2m.example.com">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">002-Device Configuration</AttributeValue>
    </Attribute>
    <Attribute IncludeInResult="false" AttributeId="urn:onem2m:names:attribute:token" Issuer="onem2m.example.com">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#base64Binary">TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2YgdGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGludWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=</AttributeValue>
    </Attribute>
  </Attributes>
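Slides 13 through 15 together describe a translation: oneM2M request parameters become attributes in a XACML request context, custom oneM2M attributes such as role are added under their own AttributeId, and the XACML decision is mapped back to the oneM2M TRUE/FALSE result. The following script is added for this transcript (it is not oneM2M or OASIS code) and carries that translation through with xml.etree. It takes the category/AttributeId/DataType triples from slide 13, uses the role identifier from slide 15 where slide 13 says TBD, and makes three assumptions the slides leave open: op is typed as xs:string, rq_ip is placed in the access-subject category, and Indeterminate or NotApplicable are mapped to FALSE (fail closed). The oneM2M request values are constructed samples; an unmapped parameter is rejected rather than dropped, so a new parameter cannot silently escape policy evaluation.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#"
ET.register_namespace("xacml", XACML_NS)

CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"

# oneM2M parameter -> (category, AttributeId, DataType), from slide 13.
# role uses the AttributeId of slide 15 (slide 13 says TBD). The DataType of
# op and the category of rq_ip are not on the slides and are assumed here.
MAPPING = {
    "to":      (CAT_RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", XS + "anyURI"),
    "fr":      (CAT_SUBJECT,  "urn:oasis:names:tc:xacml:1.0:subject:subject-id", XS + "string"),
    "role":    (CAT_SUBJECT,  "urn:onem2m:names:attribute:role", XS + "string"),
    "op":      (CAT_ACTION,   "urn:oasis:names:tc:xacml:1.0:action:action-id", XS + "string"),
    "rq_time": (CAT_ENV,      "urn:oasis:names:tc:xacml:1.0:environment:current-time", XS + "time"),
    "rq_ip":   (CAT_SUBJECT,  "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address",
                "urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"),
}


def _tag(name):
    return f"{{{XACML_NS}}}{name}"


def build_request(onem2m_req):
    """Translate a oneM2M request (dict of parameter -> value) into a XACML 3.0
    <Request> element, one <Attributes> block per category."""
    root = ET.Element(_tag("Request"), {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    by_category = {}
    for param, value in onem2m_req.items():
        if param not in MAPPING:
            # Refuse rather than drop: a parameter the policy cannot see must not pass unnoticed.
            raise KeyError(f"no XACML mapping for oneM2M parameter {param!r}")
        cat, attr_id, dtype = MAPPING[param]
        attrs_el = by_category.get(cat)
        if attrs_el is None:
            attrs_el = ET.SubElement(root, _tag("Attributes"), {"Category": cat})
            by_category[cat] = attrs_el
        attr_el = ET.SubElement(attrs_el, _tag("Attribute"),
                                {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr_el, _tag("AttributeValue"), {"DataType": dtype}).text = str(value)
    return root


def attribute_values(request_el, category, attribute_id):
    """Read back the bag of values for one attribute (what a PDP's designator would see)."""
    values = []
    for attrs in request_el.findall(_tag("Attributes")):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall(_tag("Attribute")):
            if attr.get("AttributeId") == attribute_id:
                values.extend(v.text for v in attr.findall(_tag("AttributeValue")))
    return values


def to_onem2m_decision(xacml_decision):
    """Slide 14: Permit -> TRUE, Deny -> FALSE. Indeterminate and NotApplicable are
    not on the slide; mapping them to FALSE (fail closed) is this example's choice."""
    return xacml_decision == "Permit"


def to_xml(request_el):
    return ET.tostring(request_el, encoding="unicode")


# Constructed sample oneM2M request (the role value is the one shown on slide 15).
SAMPLE_REQUEST = {
    "to": "/CSE-01/light-01",
    "fr": "C-AE-12",
    "role": "002-Device Configuration",
    "op": "Retrieve",
    "rq_time": "14:30:00Z",
    "rq_ip": "192.0.2.10",
}

if __name__ == "__main__":
    print(to_xml(build_request(SAMPLE_REQUEST)))
    print(to_onem2m_decision("Permit"), to_onem2m_decision("Indeterminate"))
```

The decision mapping is where the slide 14 table is thinner than a deployment needs: a PDP can answer four ways, and whichever two are not TRUE must be defined as FALSE explicitly, otherwise a missing attribute or a policy error turns into a grant.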

16 What we should do if XACML is used in oneM2M
Defining new attribute IDs, e.g. an attribute ID for role
Defining new attribute categories, e.g. security token
Defining new functions, e.g. functions for location and wildcard matching
And so on…

