
Slide 1: Approaches to generalization of XACML
New challenges for access control
27th April 2005, Tim Moses

Slide 2: Overview
© Copyright Entrust, Inc. 2005
– Rule taxonomy
– Distributed authorship
– XACML v2.0 evaluation
– Limitations
– Sample application
– Proposed solution

Slide 3: Proposition
– Organizations have a variety of applications for a rule expression language
– There are advantages to using a common language
– XACML v2.0 was designed for expressing authorization rules
– Generalization would allow XACML to serve a broader range of applications

Slide 4: Rule taxonomy (source: RuleML)
Rule: the combination of a premise and a conclusion
Figure: taxonomy of rules. Reaction rules (the conclusion is an action) are subdivided into authorization rules (the action is permit | deny) and business rules (the action is a procedure); alongside them sit transformation rules and derivation rules (facts, queries).

Slide 5: XACML v2.0 rule
Figure: PEP/PDP exchange. (1) An access request arrives at the PEP; (2) a decision request (the premise) carrying attributes goes to the PDP; (3) the rule transforms the attributes into a decision and obligations; (4) the decision response (the conclusion) returns the decision and obligations; (5) the PEP fulfills the obligations.
PDP – Policy Decision Point
PEP – Policy Enforcement Point

Slide 6: Distributed authorship and combining algorithms
– PDP may evaluate multiple rules
– Applicable rules may have conflicting conclusions
– PDP must return a single consistent conclusion
– Solution:
  – Define an algorithm for combining conclusions

Slide 7: Sample XACML v2.0
Figure: sample XACML v2.0 policy, annotated with the labels Attributes and imperative.

Slide 8: Transform attributes to decision
Figure: the same sample policy; a function f transforms the attributes (steps 1–5) into the decision.

Slide 9: Transform attributes to obligations
Figure: the same sample policy; f transforms the attributes into the decision and, in steps 6–8, into the obligations.

Slide 10: Limitations
– XACML’s “Effect” is specific to a Boolean conclusion
– There is no way to resolve conflicts between obligations
– Obligation combining is not defined by the combining algorithm
– There is a need to express prohibitions, as well as imperatives
– There is a need to express sequences of imperatives
– Solutions are constrained by the need to combine conclusions, in order to support distributed authorship

Slide 11: Sample application (message gateway)
Figure: Message Gateway (PEP) and PDP. (1) A message arrives at the gateway; (2) a request (the premise) carrying attributes goes to the PDP; (3) the rule is evaluated; (4) the response (the conclusion) carries imperatives: proceed | reject | delete | quarantine | audit | reconsider | scan & resubmit.

Slide 12: Proposed solution
– Eliminate the “Effect” attribute
– Add a element to the, and elements
– Define separate elements for the “True”, “False”, “Indeterminate” and “NotApplicable” results
– Treat “Decision” as an imperative

Slide 13: Solution
Figure: in the proposed solution, f transforms the attributes (steps 1–5) into the conclusions, including the Decision; the policy is annotated with the labels Attributes and imperative.

Slide 14: Example
Figure: an example Imperative element whose recipient is complianceofficer@example.com.

Slide 15: Combining algorithms
– Prohibit-overrides
  – If an action is prohibited by one conclusion, then it is prohibited, even if another conclusion permits it
  – Duplicate instances of an imperative may be eliminated
  – If the PEP does nothing unless explicitly instructed, then prohibitions may be eliminated
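The prohibit-overrides rule of slide 15, applied to the message-gateway imperatives of slide 11, as an added Python example that is not from the presentation or from Entrust; the action vocabulary, the rule names and the Conclusion type are assumptions. It contrasts v2.0-style obligation collection, which leaves duplicates and conflicts to the PEP, with prohibit-overrides combining.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Hypothetical imperative vocabulary of the message-gateway PEP (slide 11).
GATEWAY_ACTIONS = frozenset({"proceed", "reject", "delete", "quarantine",
                             "audit", "reconsider", "scan-and-resubmit"})

@dataclass(frozen=True)
class Conclusion:
    """One rule's conclusion: imperatives the PEP must carry out and actions it
    prohibits. "proceed" is the access decision treated as an imperative."""
    rule_id: str
    imperatives: FrozenSet[str] = frozenset()
    prohibitions: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:  # reject actions the PEP cannot perform
        unknown = (self.imperatives | self.prohibitions) - GATEWAY_ACTIONS
        if unknown:
            raise ValueError(f"{self.rule_id}: unknown actions {sorted(unknown)}")

def collect_obligations(conclusions: Iterable[Conclusion]) -> List[str]:
    """XACML v2.0 behaviour: the obligations of every applicable rule are
    returned as-is; duplicates and conflicts are left to the PEP (slide 10)."""
    out: List[str] = []
    for c in conclusions:
        out.extend(sorted(c.imperatives))
    return out

def prohibit_overrides(conclusions: Iterable[Conclusion],
                       pep_acts_only_when_instructed: bool = True,
                       ) -> Tuple[List[str], List[str]]:
    """Prohibit-overrides (slide 15): a prohibition in any conclusion beats an
    imperative for the same action in any other; set union drops duplicate
    imperatives; if the PEP acts only when instructed, prohibitions are dropped."""
    imperatives, prohibitions = set(), set()
    for c in conclusions:
        imperatives |= c.imperatives
        prohibitions |= c.prohibitions
    imperatives -= prohibitions           # prohibition wins over imperative
    if pep_acts_only_when_instructed:
        prohibitions = set()              # nothing left for the PEP to refrain from
    return sorted(imperatives), sorted(prohibitions)

# Constructed conclusions of three independently authored gateway rules.
SAMPLE = [
    Conclusion("spam-filter", frozenset({"quarantine", "audit"})),
    Conclusion("retention", frozenset({"audit", "proceed"}), frozenset({"delete"})),
    Conclusion("malware", frozenset({"delete"}), frozenset({"proceed"})),
]
```

With SAMPLE, v2.0-style collection returns both "proceed" and "delete" plus a duplicated "audit", while prohibit-overrides yields only audit and quarantine.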

Slide 16: Conclusions
– Organizations need a common language for expressing their authorization rules AND their business rules
– XACML v2.0 attempts to provide support for “business rules” through its element
– This solution is inadequate
– An alternative is proposed

