Approaches to generalization of XACML
New challenges for access control
27th April 2005
Tim Moses
© Copyright Entrust, Inc

Overview
Rule taxonomy
Distributed authorship
XACML v2.0 evaluation
Limitations
Sample application
Proposed solution
Proposition
Organizations have a variety of applications for a rule expression language
There are advantages to using a common language
XACML v2.0 was designed for expressing authorization rules
Generalization would allow XACML to serve a broader range of applications
Rule taxonomy
Rule: the combination of a premise and a conclusion
Taxonomy diagram (labels recovered from the slide):
–Reaction rules: conclusion is an action
–Authorization rules: action is permit | deny
–Business rules: action is a procedure
–Transformation rules
–Derivation rules
–Facts
–Queries
Source: RuleML
XACML v2.0 rule
Flow diagram (labels recovered from the slide):
1. Access request arrives at the PEP
2. Decision request (the premise): the PEP sends attributes to the PDP
3. The rule transforms the attributes into a decision and obligations
4. Decision response (the conclusion): the PDP returns the decision and obligations to the PEP
5. The PEP fulfills the obligations
PDP – Policy Decision Point
PEP – Policy Enforcement Point
Distributed authorship and combining algorithms
The PDP may evaluate multiple rules
Applicable rules may have conflicting conclusions
The PDP must return a single, consistent conclusion
Solution:
–Define an algorithm for combining conclusions
Sample XACML v2.0
(Diagram: attribute sets feeding imperatives; the XML sample itself was not recovered from the slide.)

Transform attributes to decision
(Diagram: a function f maps the request attributes to a Decision.)

Transform attributes to obligations
(Diagram: a second function f maps the request attributes to Obligations alongside the Decision.)
Limitations
XACML's "Effect" is specific to a Boolean conclusion (Permit or Deny)
There is no way to resolve conflicts between obligations
Obligation combining is not defined by the combining algorithm: obligations are only collected, never reconciled
There is a need to express prohibitions, as well as imperatives
There is a need to express sequences of imperatives
Solutions are constrained by the need to combine conclusions, in order to support distributed authorship
Sample application (message gateway)
Flow diagram (labels recovered from the slide):
–A message arrives at the Message Gateway, which acts as the PEP
–Request (the premise): the gateway sends the message's attributes to the PDP
–The rule maps those attributes to imperatives
–Response (the conclusion): the PDP returns imperatives for the gateway to carry out
Imperatives: proceed | reject | delete | quarantine | audit | reconsider | scan & resubmit
Proposed solution
Eliminate the "Effect" attribute
Add a element to the, and elements
Define separate elements for the "True", "False", "Indeterminate" and "NotApplicable" results
Treat "Decision" as an imperative
Solution
(Diagram: attribute sets feeding imperatives; a function f maps the request attributes to a set of conclusions that includes the Decision.)

Example
(XML example not recovered from the slide; the visible labels are "recipient" and "Imperative".)
Combining algorithms
Prohibit-overrides
–If an action is prohibited by one conclusion, then it is prohibited, even if another conclusion permits it
–Duplicate instances of an imperative may be eliminated
–If the PEP does nothing unless explicitly instructed, then prohibitions may be eliminated
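The following is an added illustration, not code from the deck, that puts the "Distributed authorship", "Limitations", "Sample application" and "Combining algorithms" slides side by side: a toy PDP over the message-gateway imperatives, first combined the XACML v2.0 way (a Boolean Effect under deny-overrides, with the winning rules' obligations merely collected) and then with the proposed prohibit-overrides over sets of imperatives. The rule names, attribute names and the two sample messages are constructed for the example.

```python
"""Toy XACML-style PDP contrasting XACML v2.0 deny-overrides (Boolean Effect
plus collected Obligations) with the proposed prohibit-overrides combining of
imperatives. Added illustration, not code from the slides; the rule names,
attribute names and message samples are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Attributes = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    premise: Callable[[Attributes], bool]      # target/condition over the request attributes
    permit: bool                                # XACML v2.0 Effect: True = Permit, False = Deny
    obligations: FrozenSet[str] = frozenset()   # v2.0 Obligations tied to that Effect
    imperatives: FrozenSet[str] = frozenset()   # proposed: actions the PEP must perform
    prohibitions: FrozenSet[str] = frozenset()  # proposed: actions the PEP must not perform


def deny_overrides_v2(rules: List[Rule], attrs: Attributes) -> Tuple[str, FrozenSet[str]]:
    """XACML v2.0 deny-overrides: one Deny wins over any Permit, and the
    obligations of the rules whose Effect matches the decision are collected.
    Nothing here reconciles two obligations that contradict each other."""
    applicable = [r for r in rules if r.premise(attrs)]
    if not applicable:
        return "NotApplicable", frozenset()
    decision = "Deny" if any(not r.permit for r in applicable) else "Permit"
    winners = [r for r in applicable if r.permit == (decision == "Permit")]
    return decision, frozenset().union(*(r.obligations for r in winners))


def prohibit_overrides(rules: List[Rule], attrs: Attributes,
                       pep_acts_only_when_instructed: bool = True) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Proposed combining algorithm. The conclusion is a set of imperatives:
    - a prohibition from any applicable rule removes the action even if another
      applicable rule demands it (prohibit-overrides);
    - duplicate imperatives collapse because the conclusion is a set;
    - when the PEP does nothing unless explicitly instructed, the surviving
      prohibitions carry no information and are dropped from the conclusion."""
    applicable = [r for r in rules if r.premise(attrs)]
    imperatives = frozenset().union(*(r.imperatives for r in applicable))
    prohibitions = frozenset().union(*(r.prohibitions for r in applicable))
    actions = imperatives - prohibitions
    return actions, (frozenset() if pep_acts_only_when_instructed else prohibitions)


# Constructed rules for the message-gateway PEP, each written both ways.
GATEWAY_RULES = [
    Rule("trusted-partner", lambda a: a["sender_domain"] == "partner.example",
         permit=True, obligations=frozenset({"proceed"}), imperatives=frozenset({"proceed"})),
    Rule("suspicious-attachment", lambda a: a["has_attachment"] and a["spam_score"] >= 5,
         permit=True, obligations=frozenset({"quarantine", "audit"}),
         imperatives=frozenset({"quarantine", "audit"}), prohibitions=frozenset({"proceed"})),
    Rule("audit-everything", lambda a: True,
         permit=True, obligations=frozenset({"audit"}), imperatives=frozenset({"audit"})),
    Rule("known-malware", lambda a: a.get("malware", False),
         permit=False, obligations=frozenset({"delete", "audit"}),
         imperatives=frozenset({"delete", "audit"}), prohibitions=frozenset({"proceed", "quarantine"})),
]

# Constructed decision requests (the message's attributes, as the gateway would send them).
CONFLICTING_MSG = {"sender_domain": "partner.example", "has_attachment": True, "spam_score": 6}
MALWARE_MSG = {"sender_domain": "partner.example", "has_attachment": True, "spam_score": 9, "malware": True}

if __name__ == "__main__":
    # v2.0: Permit, but obligations demand both "proceed" and "quarantine"; the PEP cannot do both.
    print(deny_overrides_v2(GATEWAY_RULES, CONFLICTING_MSG))
    # Proposed: the prohibition on "proceed" wins, duplicate "audit" collapses.
    print(prohibit_overrides(GATEWAY_RULES, CONFLICTING_MSG))
    print(deny_overrides_v2(GATEWAY_RULES, MALWARE_MSG))
    print(prohibit_overrides(GATEWAY_RULES, MALWARE_MSG))
```

The first message is the case the "Limitations" slide has in mind: under v2.0 every applicable rule says Permit, so deny-overrides cannot see that "proceed" and "quarantine" contradict each other and hands the PEP both. Under prohibit-overrides the authors never need to coordinate: the attachment rule's prohibition on "proceed" removes it regardless of who wrote the partner rule.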
Conclusions
Organizations need a common language for expressing their authorization rules AND their business rules
XACML v2.0 attempts to provide support for "business rules" through its element
This solution is inadequate
An alternative is proposed