XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.


1 XACML By Ganesh Godavari Craig Peltier

2 Information Sharing
Information sharing relates to the sharing of information between two or more entities.
Entities involved in information sharing:
– Subject
– Resource
– Action
Allow student access to Eng. Lab computers

3 Introduction
XACML
– eXtensible Access Control Markup Language
– XML schema for expressing authorization and entitlement policies

4 Terms
– Policy enforcement point (PEP): system entity that performs access control by making decision requests and enforcing authorization decisions.
– Policy decision point (PDP): system entity that evaluates applicable policy and renders an authorization decision.
– Policy administration point (PAP): system entity that creates a policy or policy set.
– Policy information point (PIP): system entity that acts as a source of attribute values.

5 XACML Data Flow Model

6 Condition represents a Boolean expression that defines the applicability of the rule implied by its target.
Effect represents the consequence of a "True" evaluation of the rule. Two values are allowed: "Permit" and "Deny".
Target defines the set of
– resources
– subjects
– actions
– environment
to which the rule applies.

7 A rule is the most elementary unit of policy. A rule is evaluated on the basis of its contents.
Components of a rule are:
– Description (documentation)
– Target
– Condition
– Effect
If condition is true, return Effect value
Else return NotApplicable
If error or missing data, return Indeterminate + status code

8 Rule-combining algorithm defines a procedure for combining decisions from multiple rules.
Obligations are actions that should be performed by the PEP along with the enforcement of an authorization decision.
A policy comprises four main components:
– target
– set of rules
– obligations
– rule-combining algorithm identifier
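The rule evaluation on slide 7 and the rule combining on slide 8, as an added example that is not part of the original presentation. It assumes the standard deny-overrides rule-combining algorithm (the slides do not name one), and the attribute names, rule contents and request shape are constructed for illustration. As on slide 7, any missing attribute is treated as Indeterminate.

```python
# Added example: simplified XACML rule evaluation with deny-overrides combining.
# Attribute names, rule contents and the request dict shape are assumptions.
PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"

def target_matches(target, request):
    """A target matches when every attribute it names has an allowed value."""
    return all(request[k] in allowed for k, allowed in target.items())

def evaluate_rule(rule, request):
    """Slide 7: Effect if target and condition hold, NotApplicable if not,
    Indeterminate plus a status message on error or missing data."""
    try:
        if not target_matches(rule["target"], request):
            return NA, None
        if rule["condition"](request):
            return rule["effect"], None
        return NA, None
    except KeyError as exc:  # attribute that no PIP could supply
        return INDET, f"missing-attribute: {exc.args[0]}"

def deny_overrides(rules, request):
    """Combine rule decisions: any Deny wins; an error in a Deny rule blocks Permit."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision, _status = evaluate_rule(rule, request)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDET:
            at_least_one_error = True
            if rule["effect"] == DENY:
                potential_deny = True  # this rule might have denied
    if potential_deny:
        return INDET
    if at_least_one_permit:
        return PERMIT
    return INDET if at_least_one_error else NA

# Constructed rules for the slide 2 example "Allow student access to Eng. Lab computers".
RULES = [
    {"effect": PERMIT,
     "target": {"role": {"student"}, "resource": {"eng-lab-computer"}, "action": {"login"}},
     "condition": lambda r: True},
    {"effect": DENY,
     "target": {"resource": {"eng-lab-computer"}},
     "condition": lambda r: r["account_suspended"]},
]
```

A PEP that receives Indeterminate or NotApplicable has to decide how to treat it; denying access in both cases keeps a missing attribute from turning into an implicit Permit.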

9 XACML Context

10 Questions ?

11 Reference
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#XACML20

