XACML MAP Authorization Profile Richard Hill, John Tolbert May 16, 2013.

Why use XACML for MAP Authz?
- The MAP server contains highly valued information about the network, which needs to be protected
- A strong desire to use a standards-based policy language
- The policy language must provide expressive, flexible, and fine-grained access control

OASIS – TNC Collaboration
- 2010 – Initial XACML TC interest in IF-MAP
- Discussed the possibility of using XACML for MAP Content Authorization
- Q – TNC & OASIS collaboration agreed
- Collaboration approach:
  - TNC develops the MAP Content Authorization spec
  - Work with an OASIS XACML TC representative
  - OASIS XACML TC develops the XACML MAP Authorization Profile

Where does XACML fit in?
- The MAP server performs the XACML PEP function.
- The XACML PDP may be internal or external to the MAP server.
- MAP authorization policies are written in XACML.
- An XACML PAP may be used to maintain the lifecycle of the MAP policies.

What can the MAP authorize? IF-MAP client operations on the MAP server, based on:
- The IF-MAP client's roles
- The metadata type
- The identifier type
- Top-level attributes of the identifier
- Top-level attributes of the metadata item
- The action to be performed

XACML MAP Authorization Profile
Profile identifier: urn:oasis:names:tc:xacml:3.0:if-map:content
Subject attributes:
- role
Resource attributes:
- metadata-type
- identifier-type
- is-map-client-identifier
- is-self-identifier
- on-link
- metadata-attribute
- identifier-attribute

XACML MAP Authorization Profile (cont.)
Action attributes:
- request-type
- delete-metadata-by-other-client
- publish-request-subtype
Environment attributes:
- dry-run
No obligations will be used.
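The following is an added example, not part of the slides or of the TNC/OASIS specifications: a small Python sketch of the PEP/PDP split described under "Where does XACML fit in?", using the attribute names from the two profile slides above. The MAP server (PEP) maps one IF-MAP client operation onto subject, resource, action and environment attributes, and a toy PDP evaluates a deny-overrides rule set over them. The XACML 3.0 category identifiers are the standard ones; the attribute-id form (profile identifier plus attribute name), the role names, the metadata types and the publish subtype values are assumptions made for this example, since the slides do not give the profile's actual attribute identifiers.

```python
# Added example (not from the slides): toy PEP/PDP for the IF-MAP content
# authorization attributes. Attribute-id strings, role names, metadata types
# and publish subtypes are ASSUMED for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PROFILE = "urn:oasis:names:tc:xacml:3.0:if-map:content"  # from the slides

# Standard XACML 3.0 attribute categories.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"


def aid(name: str) -> str:
    """ASSUMED attribute-id form: profile identifier + ':' + slide attribute name."""
    return f"{PROFILE}:{name}"


Request = Dict[str, Dict[str, object]]  # category -> attribute-id -> value


def build_request(roles: List[str], request_type: str, metadata_type: Optional[str],
                  identifier_type: str, is_self_identifier: bool, on_link: bool = False,
                  delete_by_other_client: bool = False,
                  publish_subtype: Optional[str] = None, dry_run: bool = False) -> Request:
    """PEP side: the MAP server maps one IF-MAP client operation onto the
    subject / resource / action / environment attributes the profile lists."""
    return {
        SUBJECT: {aid("role"): set(roles)},
        RESOURCE: {
            aid("metadata-type"): metadata_type,
            aid("identifier-type"): identifier_type,
            aid("is-self-identifier"): is_self_identifier,
            aid("on-link"): on_link,
        },
        ACTION: {
            aid("request-type"): request_type,
            aid("delete-metadata-by-other-client"): delete_by_other_client,
            aid("publish-request-subtype"): publish_subtype,
        },
        ENV: {aid("dry-run"): dry_run},
    }


def get(req: Request, category: str, name: str):
    return req[category].get(aid(name))


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    target: Callable[[Request], bool]    # True -> the rule applies to the request


# Constructed sample policy: sensors may publish a few metadata types only
# against their own identifier; nobody but map-admin may delete another
# client's metadata; readers may only search and subscribe.
POLICY: List[Rule] = [
    Rule("deny-delete-others-metadata", "Deny",
         lambda r: get(r, ACTION, "delete-metadata-by-other-client") is True
                   and "map-admin" not in get(r, SUBJECT, "role")),
    Rule("permit-map-admin", "Permit",
         lambda r: "map-admin" in get(r, SUBJECT, "role")),
    Rule("permit-sensor-self-publish", "Permit",
         lambda r: "sensor" in get(r, SUBJECT, "role")
                   and get(r, ACTION, "request-type") == "publish"
                   and get(r, RESOURCE, "is-self-identifier") is True
                   and get(r, RESOURCE, "metadata-type") in {"ip-mac", "device-attribute"}),
    Rule("permit-reader-query", "Permit",
         lambda r: "reader" in get(r, SUBJECT, "role")
                   and get(r, ACTION, "request-type") in {"search", "subscribe"}),
]


def decide(policy: List[Rule], req: Request) -> str:
    """PDP side, deny-overrides combining: any applicable Deny wins, then any
    applicable Permit, otherwise NotApplicable."""
    effects = {rule.effect for rule in policy if rule.target(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(policy: List[Rule], req: Request) -> bool:
    """PEP side: only an explicit Permit lets the MAP operation proceed;
    NotApplicable (and, in a real PDP, Indeterminate) is treated as deny."""
    return decide(policy, req) == "Permit"
```

The point a practitioner should take from the sample policy is the interaction of the two attributes `is-self-identifier` and `delete-metadata-by-other-client`: a sensor publishing `ip-mac` against its own identifier is permitted, but the same client issuing a delete of metadata another client published trips the Deny rule, and under deny-overrides that Deny wins even though the Permit rule also matches. Note also that the PEP denies on NotApplicable; a MAP server that let unmatched requests through would silently expose the data the first slide says must be protected.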

Aids Security Strategy: Digital Policy Management Goals
- Use a standard policy language
- Manage access policies centrally
- Distribute policies to access control points
- Ensure XACML capabilities are pushed to the network layer

Next Steps
- Updates based on comment periods:
  - TNC MAP Content Authorization
  - OASIS XACML MAP Authorization Profile
- Testing of MAP content authorization with XACML
  - Summer of 2013
- Expected stabilization
  - TNC MAP Content Authorization – mid July
  - OASIS XACML MAP Authorization Profile – Q
- Possible demonstrations of TNC MAP & OASIS XACML in 2014?