Presentation is loading. Please wait.

Presentation is loading. Please wait.

XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006.

Published byAmos Fletcher Modified over 8 years ago

Similar presentations

Presentation on theme: "XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006."— Presentation transcript:

1 XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006 - STA-201

2 Agenda What is XACML? XACML Policies XACML 2.0 Specification Set Sample Policies Vocabularies and Applications AAPML: A XACML Profile Deployment Models Challenges Conclusions

3 What is XACML? eXtensible Access Control Markup Language Provides — a common language for expressing security policy — a request / response language to obtain access control decisions the request asks whether or not the requesting user (Subject) should be allowed to perform a specific action (Action) on a particular resource (Resource) under a given set of environmental (Environment) conditions the response includes a decision whether the request should be allowed (Permit, Deny, Indeterminate or Not Applicable) and obligations associated with the decision the data elements of request and response are intimately tied to the expressions in the policy language

4 XACML Overview XACML Policies are contained in a PolicySet — A Policy is expressed through a set of Rules — a PolicySet may contain multiple Policies or PolicySets, each of which may evaluate to different access control decisions (XACML uses algorithms to reconcile the decisions each Policy or Rule makes) Targets — A Target is a set of conditions for the Subject, Resource, Action, and Environment that must be met for a PolicySet, Policy, or Rule to apply to a given request Attributes — Attributes are characteristics of the Subject, Resource, Action, or Environment in which the access request is made (attributes may be the username, employment level, the resource to be accessed, etc.)

5 XACML Rules Rules are the atomic elements of Policy decisions – the smallest elements within the XACML Policy structure that render a decision — Each Rule identifies the set of Subjects, Resources, and Actions that are covered by the Rule – this collection is referred to as the Target — Each Rule is evaluated in isolation against a decision request (RequestContext) and determines whether or not to allow the Subject to execute the specified Action against the Resource The Rule examines the RequestContext to determine if the Subjects, Resources, and Actions match those covered by the Target The Rule then evaluates Conditions, which are functional tests against the data elements in the Target and RequestContext — Each Rule renders a decision based on the evaluation which can be one of: Permit, Deny, Indeterminate, NotApplicable

6 XACML Request Response Model RequestContext is normative structure for submitting a decision request — RequestContext contains Subject, Resource, Action, and Environment elements — A Policy is evaluated only in terms of its contents in relation to the RequestContext contents — Evaluation of the Policy results in an authorization decision: Permit, Deny, Indeterminate, or NotApplicable ResponseContext is normative structure for returning an authorization decision — ResponseContext contains Result element, which contains Decision element plus optional ResourceId, Status, and Obligations elements

7 XACML RequestContext Example The RequestContext contains the inputs that the PDP evaluates against the applicable Policy CN=Homer Simpson https://med.example.com/BartSimpsonRecord.jws read

8 XACML 2.0 Specifications XACML Core Specification: — “eXtensible Access Control Markup Language (XACML) Version 2.0” XACML Resource Support: — “Multiple resource profile of XACML v2.0” — “Hierarchical resource profile of XACML v2.0” — “Privacy policy profile of XACML v2.0” XACML Subject Support: — “Core and hierarchical role based access control (RBAC) profile of XACML v2.0” XACML Protocol Support: — “SAML 2.0 Profile of XACML v2.0” (AuthZ req/rsp, Policy distribution, and Attribute query protocols) — “XML Digital Signature profile of XACML v2.0”

9 XACML Strengths XACML is a standardized Policy evaluation model that abstracts the major features of modern enterprise access control systems New access control areas of focus are regularly emerging and we examine XACML strengths in two of these areas — Fine-grained authorization Enabled by rich Attribute Expression Model Selection, Functions, VariableReferences Enriched using domain-specific vocabularies — Control over use of accessed resources Enabled by Attribute assignment model of Obligations

10 XACML Attribute Expression Model 1 Entity Matching within Rules Match, AttributeDesignator, AttributeValue Example (is the requested resource the PatientRecords web service?): <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI" >https://med.example.com/PatientRecords.jws

11 XACML Attribute Expression Model 2 Functional Expressions in Rules Fine-grained authorization enabled with resource attributes Function, Subject/ResourceAttributeDesignators, VariableReference Example (Is Subject parent-guardian and (by VarRef) is patient under 16): <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:parent-guardian-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>

12 XACML Attribute Expression Model 3 Variable Definitions - reusable Function, Environment/ResoureAttributeSelectors, AttributeValue Example (is patient under 16 years old based on date today): <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-date" DataType="http://www.w3.org/2001/XMLSchema#date"/> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:attribute:patientDOB" DataType="http://www.w3.org/2001/XMLSchema#string"/> P16Y

13 XACML Vocabularies and Obligations XACML domain-specific vocabularies and constraints can be readily defined with existing XACML 2.0 — http://www.fedora.info/ — http://www.fedora.info/download/2.2/userdocs/server/security/XACMLPolicyGuide.htmhttp://www.fedora.info/download/2.2/userdocs/server/security/XACMLPolicyGuide.htm — Identity Governance Framework (AAPML) http://www.oracle.com/goto/igf — Specify constants and URIs that describe additional attribute values and matching rules for use in subject, resource, environment, action and obligation containers XACML Obligations can be used to direct PEP to enforce specific constraints on requests, such as privacy requirements

14 XACML Vocabulary Example AAPML: Attribute Authority Policy Markup Language — http://www.oracle.com/technology/tech/standards/idm/igf/pdf/IGF- AAPML-spec-08.pdf — XACML profile designed to allow owners of “identity-related” data to specify conditions under which information may be used by other applications — Vocabulary namespace: “urn:aapml:1.0:names” — AAPML attributes used to constrain Subjects, Resources, Actions, identify Rules, and to specify Obligations that PEP must apply to requests

15 AAPML Example 1 Subject constraints: known accessing service, user with authentication attribute <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-regexp-match"> <SubjectAttributeDesignator AttributeId="urn:aapml:1.0:names:subject:service-name" DataType="http://www.w3.org/2001/XMLSchema#string"/> http://www.example.com/marketing/* <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-regexp-match"> <SubjectAttributeDesignator AttributeId="urn:aapml:1.0:names:subject:user-auth" DataType="http://www.w3.org/2001/XMLSchema#string"/> *

16 AAPML Example 2 Resource constraints (specific data elements): <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <ResourceAttributeDesignator AttributeId="urn:aapml:1.0:names:resource:generic" DataType="http://www.w3.org/2001/XMLSchema#string"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" >EmailAddress <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <ResourceAttributeDesignator AttributeId="urn:aapml:1.0:names:resource:generic" DataType="http://www.w3.org/2001/XMLSchema#string"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" >FirstName...

17 AAPML Example 3 Action and Rule constraints: <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" >urn:aapml:1.0:names:action:read <ActionAttributeDesignator AttributeId="urn:aapml:1.0:names:action" DataType="http://www.w3.org/2001/XMLSchema#string"/> <Rule RuleId="urn:aapml:1.0:names:rule-id:permit-if-consent-available" Effect="Permit"> Marketing apps can access user information if explicit consent is available.

18 AAPML Example 4 Obligations: <Obligation ObligationId="urn:aapml:1.0:names:obligation:consent" FulfillOn="Permit"> <AttributeAssignment AttributeId="urn:aapml:1.0:names:obligation:consent:agreement-identifier" DataType="http://www.w3.org/2001/XMLSchema#anyURI" >http://www.state.gov/userdata#PublicGenLaw2005 <Obligation ObligationId="urn:aapml:1.0:names:obligation:do-not-cache" FulfillOn="Permit"/> <Obligation ObligationId="urn:aapml:1.0:names:obligation:do-not-propagate" FulfillOn="Permit"/>

19 Agenda XACML Enterprise Deployment

20 XACML Actors PAP – Policy Administration Point — The (logical) system entity that creates a policy or policy set PEP – Policy Enforcement Point — The (logical) system entity that performs access control, by making decision requests and enforcing authorization decisions PDP – Policy Decision Point — The (logical) system entity that evaluates applicable policy and renders an authorization decision PIP – Policy Information Point — The (logical) system entity that acts as a source of attribute values — Attributes describing the subject (user), resource, environment (context)

21 Actor Relationships Extended PDP

22 Enterprise Requirements 1 Policy Administration Point – — Many distinct entities may act as PAPs – enterprise IT policy, department policy, application-level policy — Each entity independently manages its own policies but policies may be linked or depend upon other policies Policy Repository (PR) — Aggregation and distribution point for policies Policy Enforcement Point — There may be 100s or even 1000s of PEPs in an enterprise — Embedded in devices or applications or infrastructure — Performance constraints - some applications require may require 100s of authorization decision per second with low latency, others only a few decisions

23 Enterprise Requirements 2 Policy Decision Point — For performance and connectivity reasons, there may be multiple PDP instances — Need for fail-over and horizontal scalability — Some PDPs may need to function “in disconnected” mode Interaction between attribute sources, policy and pdp — How does the context handler obtain needed additional attributes for Resources, Subject, Environment? — How to distinguish between attributes originating from the PEP vs. additional attributes needed for policy evaluation? — Under what conditions does the PDP and PEP participate in a multi-step interaction?

24 Understanding XACML Deployments Policy Repository PAPPAP PDP PEP Note: each component may be sourced from a different vendor PDPAttribute Sources

25 Multiple PAPs and the Policy Repositorie (PR) Ability to bind administrator identity to policy — Accomplished via trust model between PAP and PR — Could take the form of TLS/SSL or use of digital signatures — No real expansion of specifications required here Policy repository ensures that only policy originators can edit or delete existing policy Administrators should be able to browse and refer to existing policies in new policies — Ability to reference existing policies available via element but processing rules undefined — May need some profiling to be useful in an interoperable fashion

26 Policy Repository and PDP PDP provisioning presents significant challenges — Download only relevant policy to PDP Bulk upload is also needed — Some PDPs may operate in disconnected mode Network outage Disconnected device — With large policy set, prefer to propagate only updates SAML 2.0 Profile of XACML 2.0 —, allows PDP to query Policy Repository and obtain policies Partial solution is available — Should we look outside XACML for missing pieces?

27 PDP and PEP relationship The main challenge here is performance — Some applications need to make 100s of authorization decisions with low latency requirement It may not be acceptable to make a network call for each authorization decision XML Marshalling and unmarshalling of and may be too expensive Strategies to lower costs — Define a language-specific binding for the authorization interface Should we pursue a JSR in this space? — Other ways of minimizing costs include returning generalized results to the PEP and caching

28 Access to attributes Attributes originating from the PEP could be specified using new metadata specification — Especially helpful when using vocabularies outside XACML — Include information whether multi-step interactions are supported — Types of obligations accepted — Would aid in PDP  PEP interoperability Standard interfaces for attribute access would also be helpful — IGF includes an identity service for access to identity attributes — What about resource and environment attributes?

29 Conclusion Promising technology – single framework for access policy across the enterprise — Single format for policy specification — Request/Response protocol for PEPs and applications Policy language is expressive and supports fine-grained authorization — IGF and Fedora demonstrate creation of XACML vocabularies Enterprise deployments require solution of several problems — Specification set may need to be extended — Oracle products have already implemented some of these

30

31

Download ppt "XACML 2.0 in the Enterprise: Use- Cases and Deployment Challenges Prateek Mishra, Frank Villavicencio, Rich Levinson Oracle Identity Management Group 02/07/2006."

Similar presentations

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.

Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
NRL Security Architecture: A Web Services-Based Solution

NRL Security Architecture: A Web Services-Based Solution
1 Authorization XACML – a language for expressing policies and rules.

1 Authorization XACML – a language for expressing policies and rules.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.

Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.

XACML OASIS eXtensible Access Control Markup Language Steve Carmody July 10, 2003 Steve Carmody July 10, 2003.

Similar presentations

Ads by Google