Presentation is loading. Please wait.

Presentation is loading. Please wait.

NAC 2007 Spring Conference OASIS XACML Update

Published byJocelin Easter Russell Modified over 8 years ago

Similar presentations

Presentation on theme: "NAC 2007 Spring Conference OASIS XACML Update"— Presentation transcript:

1 NAC 2007 Spring Conference OASIS XACML Update
Hal Lockhart Office of the CTO BEA Systems

2 Hal Lockhart Senior Principal Technologist, OCTO
Co-chair XACML TC, SAML TC Co-chair OASIS TAB Vice Chair WS-I Basic Security Profile Also Member: Provisioning TC, Digital Signature Services TC, Web Services Secure Exchange (WS-SX), WS-I Reliable Secure Profile WG OASIS Coordinator for WSS Interop Demo, OASIS XACML Interop Demo

3 Topics Overview of Policy and Authorization XACML Overview
XACML Concepts Policy Evaluation XACML Profiles XACML 3.0 XACML Interop Demo

4 Information Security Definition
Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary. Suggested by Authorization Applies to all security services Protection against accidents is incidental Suggests four areas of attention

5 Information Security Areas
Policy determination Expression: code, permissions, ACLs, Language Evaluation: semantics, architecture, performance Policy enforcement Maintain integrity of Trusted Computing Base (TCB) Enforce variable policy

6 Infrastructural Service
Consistent enforcement of security policies Minimize user inconvenience Ensure seamless implementation Coherent, interdependent services Not just list of products Avoid reimplementation Simplify management and administration

7 Authorization Theory Authentication Authority Attribute Policy
Decision Point Enforcement Credentials Assertion System Entity Authorization Collector Application Request

8 Types of Authorization Info – 1
Attribute Assertion Properties of a system entity (typically a person) Relatively abstract – business context Same attribute used in multiple resource decisions Examples: X.509 Attribute Certificate, SAML Attribute Statement, XrML PossessProperty Authorization Policy Specifies all the conditions required for access Specifies the detailed resources and actions (rights) Can apply to multiple subjects, resources, times… Examples: XACML Policy, XrML License, X.509 Policy Certificate

9 Types of Authorization Info – 2
AuthZ Decision Expresses the result of a policy decision Specifies a particular access that is allowed Intended for immediate use Example: SAML AuthZ Decision Statement, IETF COPS

10 Implications of this Model
Benefits Improved scalability Separation of concerns Enables federation Distinctions not absolute Attributes can seem like rights A policy may apply to one principal, resource Systems with a single construct tend to evolve to treating principal or resource as abstraction

11 OASIS XACML History First Meeting – 21 May 2001
Requirements from: Healthcare, DRM, Registry, Financial, Online Web, XML Docs, Fed Gov, Workflow, Java, Policy Analysis, WebDAV XACML OASIS Standard – 6 February 2003 XACML 1.1 – Committee Specification – 7 August 2003 XACML 2.0 – OASIS Standard – 1 February 2005 XACML 2.0 – ITU/T Recommendation X.1142

12 XACML TC Charter Define a core XML schema for representing authorization and entitlement policies Target - any object - referenced using XML Fine grained control, characteristics - access requestor, protocol, classes of activities, and content introspection Consistent with and building upon SAML

13 Policy Examples “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM” “Salespeople can create orders, but if the total cost is greater that $1M, a supervisor must approve” “Anyone view their own 401K information, but nobody else’s” “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute” “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

14 XACML Objectives Ability to locate policies in distributed environment
Ability to federate administration of policies about the same resource Base decisions on wide range of inputs Multiple subjects, resource properties Decision expressions of unlimited complexity Ability to do policy-based delegation Usable in many different environments Types of Resources, Subjects, Actions Policy location and combination

15 General Characteristics
Expect it to be generated by programs Defined using XML Schema Strongly typed language Extensible in multiple dimensions Borrows from many other specifications Features requiring XPath are optional Obligation feature optional Language is very “wordy” Many long URLs Complex enough that there is more than one way to do most things

16 Novel XACML Features Large Scale Environment Request centric
Subjects, Resources, Attributes, etc. not necessarily exist or be known at Policy Creation time Multiple Administrators - potentially conflicting policy results Combining algorithms Request centric Use any information available at access request time Zero, one or more Subjects No invented concepts (privilege, role, etc.) Dynamically bound to request Not limited to Resource binding Only tell what policies apply in context of Request Two stage evaluation

17 XACML Concepts Request and Response Contexts – Input and Output
Policy & PolicySet – combining of applicable policies using CombiningAlgorithm Target – Rapidly index to find applicable Policies or Rules Conditions – Complex boolean expression with many operands, arithmetic & string functions Effect – “Permit” or “Deny” Obligations – Other required actions Bag – unordered list which may contain duplicates

18 XACML Concepts Target Target Target Condition Effect Obligations
Rules Obligations Policies Obligations PolicySet

19 Rules Smallest unit of administration, cannot be evaluated alone
Elements Description – documentation Target – select applicable policies Condition – boolean decision function Effect – either “Permit” or “Deny” Results If condition is true, return Effect value If not, return NotApplicable If error or missing data return Indeterminate Plus status code

20 Target Designed to efficiently find the policies that apply to a request Enables dynamic binding Makes it feasible to have very complex Conditions Attributes of Subjects, Resources, Actions and Environments Matches against value, using match function Regular expression RFC822 ( ) name X.500 name User defined Attributes specified by Id or XPath expression Normally use Subject or Resource, not both

21 Condition Boolean function to decide if Effect applies
Inputs come from Request Context Values can be primitive, complex or bags Can be specified by id or XPath expression Fourteen primitive types Rich array of typed functions defined Functions for dealing with bags Order of evaluation unspecified Allowed to quit when result is known Side effects not permitted

22 Datatypes From XML Schema From Xquery Unique to XACML String, boolean
Integer, double Time, date dateTime anyURI hexBinary base64Binary From Xquery dayTimeDuration yearMonthDuration Unique to XACML rfc822Name x500Name

23 Functions Equality predicates Arithmetic functions
String conversion functions Numeric type conversion functions Logical functions Arithmetic comparison functions Date and time arithmetic functions Non-numeric comparison functions Bag functions Set functions Higher-order bag functions Special match functions XPath-based functions Extension functions and primitive types

24 Policies and Policy Sets
Smallest element PDP can evaluate Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm Policy Set Allows Policies and Policy Sets to be combined Use not required Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable

25 Request and Response Context

26 XACML 2.0 Profiles Digital Signature Hierarchical Resources Privacy
Integrity protection of Policies Hierarchical Resources Using XACML to protect files, directory entries, web pages Privacy Determine “purpose” of access RBAC Support ANSI RBAC Profile with XACML SAML Integration XACML-based decision request Fetch applicable policies Attribute alignment

27 XACML 2.0 Uses SAML Features
We’ve already shown examples of XML documents containing SAML assertions. The stuff in the gray box is standardized by the SAML specifications. But something has to produce them, and something has to consume them. The model I’ll flesh out for you here was developed to help the committee understand the basic inputs and outputs. Assertions are produced (issued) by authorities. An authentication authority produces authentication assertions, an attribute authority produces attribute assertions, and a policy decision point or PDP (in other words, an authorization decision authority) produces authorization decision assertions. But these authorities don’t live in a vacuum. They may each get various kinds of data from the “outside”, and this data may reside in a separate or integrated policy store. For example, a PDP might have to look up a policy statement about Joe User and check the current date to know whether Joe can look at the report he wants. And here’s the rest of the picture. This just shows that credential checking happens outside the scope of SAML (this was a big point of contention) and that it all starts with some kind of system entity (a human or program) that wants to accomplish something. Note that the policy enforcement point (PEP) is just a special name for the particular kind of requester that wants the things that a PDP produces.

28 XACML Performance Some public comments based on ignorance
Many optimization opportunities Policy encoding Request context Partial evaluation Decision Caching Precomputed admin chaining Complex policies cost more to evaluate than simple But is the difference more significant that other factors?

29 Current Work - XACML 3.0 Administration/Delegation
Schema generalization WS-XACML Obligation combining rules Policy provisioning Metadata/vocabulary advertisement Closely coupled PDP/PEP

30 Delegation with XACML 2.0 Use of Intermediary Subject Category
Print Format Service can read any file a user wants printed, but not otherwise Access Subject + Intermediary Subject Delegation by modifying attributes User can enable family member’s access Policy protects subject repository Policies protecting each policy repository

31 Administration/Delegation
Two primary use cases “HR-Admins can create policies concerning the Payroll servers” “Jack can approve expenses while Mary is on vacation” Backward compatible Likely to define two compliance levels Policies can contain Issuer Policies can be Access or Admin Admin policies enable policy creation

32 Administration/Delegation
Situation – all information values used as policy inputs If policy issued by trusted issuer – use If not, look for Admin policy for Issuer covering current Situation Chain back to Trusted Issuer Actual processing is complex, because of interplay with policy combining

33 Other 3.0 Work Schema generalization WS-XACML
Improve extensibility WS-XACML Builds on WS-Security Policy – more fine grained Good for privacy policies Obligation combining rules XACML 2.0 accumulates all Obligations Characterize Obligation types – enable different treatments Policy provisioning From repository distribute distinct policy subsets

34 XACML Interop Demo Burton Catalyst Conference Tentative participants
San Francisco, June 25-29, 2007 Tentative participants BEA, IBM, Jericho Systems, Oracle, Redhat, Securent, Symlabs Approach under discussion Two Usecases (Policy Exchange, Decision) Four Stock Trading Scenarios Weekly concalls

35 Policy Exchange Scenario
PDP PAP Policy Policy Policy Policy Policy Repository

36 Decision Request Scenario
PDP PEP

37 Interop Challenges Minimize extraneous components
Agree on items unspecified by XACML Motivating business cases Present understandable demo Repeatable scenarios Human error Opportunity for ad hoc variants

38 Questions?

Download ppt "NAC 2007 Spring Conference OASIS XACML Update"

Similar presentations

Trust and Security for Next Generation Grids, www.gridtrust.eu Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam.

Trust and Security for Next Generation Grids, Implementing UCON with XACML for Grid Services Bruno Crispo Vrije Universiteit Amsterdam.
Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

XML Security Standards — Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.

CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Understanding Active Directory

Understanding Active Directory
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

Similar presentations

Ads by Google