
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo


Slide 1: XACML Authorization Training Slides 2014 (© Talend 2014)
Jan Bernhardt jbernhardt@talend.com
Zsolt Beothy-Elo zbeothy-elo@talend.com

Slide 2: Agenda
➜ Security Basics: Access Management; Role Based Access Control (RBAC)
➜ XACML: Entities; Policy Structure; Request / Response Protocol; Role Based Access Control (RBAC) Profile
➜ Hands-on

Slide 3: Security Basics

Slide 4: Access Control Definitions
➜ Subject: individual or group of individuals (human user, technical system user, role)
➜ Privilege: right to perform a specific action on a resource
➜ Action: read, write, execute, etc.
➜ Resource: information (file, database, etc.); process (calculation, transformation, etc.)

Slide 5: Access Management
➜ Security Policy Management
  Security Evaluation: identification of available resources; determination of protection needs; identification of possible access channels
  Security Assessment: evaluation of correct Security Policy enforcement
➜ Authorization Process: installation of adequate authorization solutions
➜ Privilege Management: assigning privileges to certain users

Slide 6: Role Based Access Control (RBAC)
➜ ANSI Standard since 2004
➜ Role: business function within a defined context
➜ All privileges of a user depend on the assigned roles
Diagram: User, Group, Role, Session, Privilege, Resource and Action with their cardinalities (0..n, 1)

Slide 7: XACML

Slide 8: XACML
➜ eXtensible Access Control Markup Language: Policy Language (XML Schema Definition); Policy Evaluation Semantics; Request / Response Protocol; Profiles (SAML, RBAC, etc.)
➜ Authorization (OASIS) Standard: current version is 3.0; implemented version is 2.0
➜ Generic / non-domain-specific access control: Web Services, Network Access, etc.
➜ Fine-grained access control: Attribute Based Access Control (ABAC)
➜ Several custom extension points

Slide 9: XACML Entities

Slide 10: XACML Entities
Diagram: Service Consumer, Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Repository, Service Provider

Slide 11: XACML Entities
Diagram (variant of slide 10): Service Consumer, PEP, Policy Decision Point, Policy Administration Point, Policy Repository, Service Provider

Slide 12: XACML Policy Set
➜ Policy Set: restricted to a defined target; Policy (Reference) container; supports distributed policy management
➜ Combining Algorithms: final result determination; 7 predefined algorithms (deny overrides, first applicable, etc.); custom extension possible
➜ Obligations: additional instructions for the PEP
Diagram: PolicySet contains Target, Policy Combining Algorithm, Policy / Policy Reference, PolicySet / PolicySet Reference, Obligations

Slide 13: XACML Policy
➜ Target
  Subject: attributes of the requestor (e.g. User-Role)
  Resource: resource identifier (e.g. Service-Name)
  Action: operation to be performed (e.g. Execute)
  Environment: additional context information (e.g. Time)
➜ Rule
  Effect if applicable: Allow or Deny
  Additional target restrictions
  Fine grained conditions: can include complex functions; custom functions possible
Diagram: Policy contains Target (Subject, Resource, Action, Environment), Rule Combining Algorithm, Rule (Effect, Target, Condition), Obligations

Slide 14: XACML Policy
XML fragment as transcribed: <Policy PolicyId="policy-001" RuleCombiningAlgId="...:rule-combining-algorithm:deny-overrides"> Optional text that explains the purpose of the policy admin <SubjectAttributeDesignator DataType=".../XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" />......
Callouts: Rule combining algorithm; Attribute from request; Scope of this policy

Slide 15: XACML Policy Rule
XML fragment as transcribed: Optional text that explains the purpose of this rule {http://services.talend.org/ReservationService}ReservationServiceProvider <ResourceAttributeDesignator DataType=".../XMLSchema#string" AttributeId="urn:cxf:apache:org:wsdl:service-id" /> execute <ActionAttributeDesignator DataType=".../XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" />
Callouts: Rule Effect; Scope of this Rule; Service Name match; Default WS Operation

Slide 16: XACML Request
➜ Subject Attributes
➜ Resource Attributes
➜ Action Attributes
➜ Environment Attributes
Diagram: Request contains Subject (1..n), Resource (1..n), Action and Environment, each with Attribute (0..n), plus Content; an Attribute has ID, DataType, Issuer and Value (0..n)

Slide 17: XACML Request
XML fragment as transcribed: <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="sts@tesbext.sopera.org"> CN=alice,O=Talend,L=CGN,ST=NRW,C=DE <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#anyURI" Issuer="sts@tesbext.sopera.org"> manager employee.........
Callouts: Default Subject ID; User Roles

Slide 18: XACML Request
XML fragment as transcribed: ... <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"> {http://talend.org/greeter}GreeterService#greetMe <Attribute AttributeId="urn:cxf:apache:org:wsdl:service-id" DataType="http://www.w3.org/2001/XMLSchema#string"> {http://talend.org/greeter}GreeterService <Attribute AttributeId="urn:cxf:apache:org:wsdl:operation-id" DataType="http://www.w3.org/2001/XMLSchema#string"> {http://talend.org/greeter}greetMe <Attribute AttributeId="urn:cxf:apache:org:wsdl:endpoint" DataType="http://www.w3.org/2001/XMLSchema#string"> /services/GreeterServiceProvider...
Callouts: Default Resource ID; Additional Resource IDs

Slide 19: XACML Request
XML fragment as transcribed: ... <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"> execute <Attribute AttributeId="urn:...:xacml:1.0:environment:current-dateTime" DataType="http://www.w3.org/2001/XMLSchema#dateTime"> 2014-03-11T15:44:17.870+01:00
Callouts: Default Action ID; Environment Information
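The request slides above show the four attribute categories and the Issuer on each subject attribute, but the surrounding Request/Response markup was lost in the transcript. The following Python is an added example, not code from the deck or from Talend/CXF: it parses a constructed XACML 2.0 context Request carrying the same attribute identifiers as slides 17 to 19 (the environment identifier is written out in full as urn:oasis:names:tc:xacml:1.0:environment:current-dateTime), lets a PDP accept role values only from a trusted STS issuer, and serializes the single-Result Response described on slide 20. The sample values and the trusted-issuer set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 context namespace, shared by Request and Response
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ET.register_namespace("", CTX_NS)  # emit the default namespace without an ns0 prefix

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
SERVICE_ID = "urn:cxf:apache:org:wsdl:service-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
DECISIONS = ("Permit", "Deny", "Indeterminate", "NotApplicable")
XS = "http://www.w3.org/2001/XMLSchema#"

# Constructed sample request; the values mirror the training slides and are not captured traffic.
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="{CTX_NS}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}string" Issuer="sts@tesbext.sopera.org">
      <AttributeValue>CN=alice,O=Talend,L=CGN,ST=NRW,C=DE</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{ROLE_ID}" DataType="{XS}anyURI" Issuer="sts@tesbext.sopera.org">
      <AttributeValue>manager</AttributeValue>
      <AttributeValue>employee</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{SERVICE_ID}" DataType="{XS}string">
      <AttributeValue>{{http://talend.org/greeter}}GreeterService</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{XS}string">
      <AttributeValue>execute</AttributeValue>
    </Attribute>
  </Action>
  <Environment>
    <Attribute AttributeId="{CURRENT_DATETIME}" DataType="{XS}dateTime">
      <AttributeValue>2014-03-11T15:44:17.870+01:00</AttributeValue>
    </Attribute>
  </Environment>
</Request>
"""


def _q(tag):
    return f"{{{CTX_NS}}}{tag}"


def parse_request(xml_text):
    """Flatten a Request into {category: [(attribute_id, issuer, value), ...]}.
    Multiple <Subject> elements (different SubjectCategory values) are merged for simplicity."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("Request"):
        raise ValueError("not an XACML 2.0 context Request")
    parsed = {"Subject": [], "Resource": [], "Action": [], "Environment": []}
    for category in root:
        name = category.tag.rsplit("}", 1)[-1]
        if name not in parsed:
            raise ValueError(f"unexpected element {name} in Request")
        for attr in category.findall(_q("Attribute")):
            for val in attr.findall(_q("AttributeValue")):
                parsed[name].append((attr.get("AttributeId"), attr.get("Issuer"), (val.text or "").strip()))
    return parsed


def values(parsed, category, attribute_id, trusted_issuers=None):
    """Values of one attribute. With trusted_issuers set, values whose Issuer is not in that set are
    dropped, so a role claim only counts when the STS the PDP trusts asserted it."""
    return [v for (a, issuer, v) in parsed[category]
            if a == attribute_id and (trusted_issuers is None or issuer in trusted_issuers)]


def build_response(decision, status_code=STATUS_OK, message=None):
    """Serialize a single-Result Response with Decision and Status (slide 20)."""
    if decision not in DECISIONS:
        raise ValueError(f"invalid decision {decision}")
    response = ET.Element(_q("Response"))
    result = ET.SubElement(response, _q("Result"))
    ET.SubElement(result, _q("Decision")).text = decision
    status = ET.SubElement(result, _q("Status"))
    ET.SubElement(status, _q("StatusCode"), Value=status_code)
    if message:
        ET.SubElement(status, _q("StatusMessage")).text = message
    return ET.tostring(response, encoding="unicode")


def decision_of(response_xml):
    """PEP side: read the Decision back; anything but an explicit Permit must be treated as denied."""
    node = ET.fromstring(response_xml).find(f"./{_q('Result')}/{_q('Decision')}")
    return node.text if node is not None else "Indeterminate"


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(values(req, "Subject", ROLE_ID, trusted_issuers={"sts@tesbext.sopera.org"}))
    print(build_response("Permit"))
```

The issuer filter is the check worth keeping from this example: the role attribute is what the RBAC policies later match on, so a PDP that honours role values from any Issuer lets whoever can write a request attribute choose their own role.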

Slide 20: XACML Response
➜ Response encapsulates the authorization decision
➜ Decision: Permit (access allowed); Deny (access denied); Indeterminate (internal server error); Not Applicable (no matching policy found)
➜ Status: additional decision information (example: error message)
➜ Obligation: instructions for PEP
Diagram: Response contains Result (1..n) with Decision, Status, Obligations

Slide 21: XACML Response
➜ Successful Authorization: Decision Permit
➜ No matching Policy available: Decision NotApplicable
Callout: Evaluation successful

Slide 22: XACML RBAC Profile
➜ Role PolicySet: each Role references a single corresponding Permission PolicySet
➜ Permission PolicySet: the actual permissions associated with a given role, plus references to the Permission PolicySets of other roles that are junior to the given role
➜ Role Assignment Policy or PolicySet: defines which roles can be enabled or assigned to which subjects
➜ HasPrivilegesOfRole Policy: a Policy in a Permission PolicySet that supports requests asking whether a subject has a certain role; the Role is defined as the Resource

Slide 23: XACML RBAC Profile
Diagram (labelled Primary Policy / Secondary Policy): Role PolicySet (1) → Privilege PolicySet (1) → Privilege Policy (0..n); example instance: Role Admin → Role Admin Privileges → Privilege Service ABC

Slide 24: XACML RBAC Policy
➜ Role Policy
XML fragment as transcribed: <PolicySet PolicySetId="org.talend.xacml.role.manager" PolicyCombiningAlgId="...:policy-combining-algorithm:permit-overrides"> manager <SubjectAttributeDesignator DataType=".../XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" /> org.talend.xacml.permissions.role.manager
Callouts: Role matching; Reference to Permission Policy

Slide 25: XACML RBAC Policy
➜ Permission Policy
XML fragment as transcribed: <PolicySet PolicySetId="org.talend.xacml.permissions.role.manager" PolicyCombiningAlgId="...:policy-combining-algorithm:permit-overrides"> <Policy PolicyId="Permissions:for:demo" RuleCombiningAlgId="...:rule-combining-algorithm:permit-overrides">... « Service Name »...... Execute... org.talend.xacml.permissions.role.employee
Callouts: Combination of multiple policy results; Role Hierarchy; Permissions; Empty Target
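Slides 12 and 13 describe the PolicySet / Policy / Rule structure and the combining algorithms, and slides 22 to 25 describe how the RBAC profile wires a Role PolicySet to a Permission PolicySet that in turn references the Permission PolicySets of junior roles. The following Python mini-PDP is an added example, not code from the deck or any XACML implementation: it models the policy tree as plain dataclasses, implements simplified deny-overrides, permit-overrides and first-applicable combining, and rebuilds the manager / employee hierarchy from slides 24 and 25 with the PolicySet identifiers shown there. The employee Role PolicySet id, the employee Policy id, the root PolicySet and the request values are assumptions made for the example; the Indeterminate handling follows the XACML 2.0 policy-combining variants, not the rule-combining ones.

```python
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

# Attribute identifiers used in the deck's policy fragments
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"
SERVICE_ID = "urn:cxf:apache:org:wsdl:service-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESERVATION = "{http://services.talend.org/ReservationService}ReservationServiceProvider"
GREETER = "{http://talend.org/greeter}GreeterService"


@dataclass
class Rule:
    effect: str
    target: dict = field(default_factory=dict)  # attr_id -> required value; {} matches everything
    condition: object = None                    # optional callable(request) -> bool


@dataclass
class Policy:
    policy_id: str
    algorithm: str
    rules: list
    target: dict = field(default_factory=dict)


@dataclass
class PolicySet:
    policy_set_id: str
    algorithm: str
    children: list  # Policy, PolicySet, or a str PolicySetIdReference resolved via the registry
    target: dict = field(default_factory=dict)


def target_matches(target, request):
    """request is {attr_id: set(values)}; every target entry must be present in the request."""
    return all(value in request.get(attr_id, ()) for attr_id, value in target.items())


def combine(algorithm, results):
    """Simplified XACML 2.0 combining algorithms over the children's decisions."""
    if algorithm == "deny-overrides":
        if DENY in results or INDETERMINATE in results:  # Indeterminate fails closed
            return DENY
        return PERMIT if PERMIT in results else NOT_APPLICABLE
    if algorithm == "permit-overrides":
        for decision in (PERMIT, DENY, INDETERMINATE):
            if decision in results:
                return decision
        return NOT_APPLICABLE
    if algorithm == "first-applicable":
        return next((d for d in results if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unsupported combining algorithm: {algorithm}")


def evaluate(node, request, registry):
    """Recursive PDP evaluation of a Rule, Policy, PolicySet or PolicySetIdReference."""
    if isinstance(node, str):
        node = registry[node]  # resolve the reference (Role PolicySet -> Permission PolicySet)
    if not target_matches(node.target, request):
        return NOT_APPLICABLE
    if isinstance(node, Rule):
        try:
            if node.condition is not None and not node.condition(request):
                return NOT_APPLICABLE
        except Exception:  # a failing condition yields Indeterminate
            return INDETERMINATE
        return node.effect
    children = node.rules if isinstance(node, Policy) else node.children
    return combine(node.algorithm, [evaluate(child, request, registry) for child in children])


# Permission PolicySets: empty target, permit-overrides, reachable only through Role PolicySets.
PERM_EMPLOYEE = PolicySet("org.talend.xacml.permissions.role.employee", "permit-overrides", [
    Policy("Permissions:for:employee", "permit-overrides",  # policy id constructed for the example
           [Rule(PERMIT, {SERVICE_ID: GREETER, ACTION_ID: "execute"})])])
PERM_MANAGER = PolicySet("org.talend.xacml.permissions.role.manager", "permit-overrides", [
    Policy("Permissions:for:demo", "permit-overrides",
           [Rule(PERMIT, {SERVICE_ID: RESERVATION, ACTION_ID: "execute"})]),
    "org.talend.xacml.permissions.role.employee"])  # junior role: manager inherits employee rights
REGISTRY = {ps.policy_set_id: ps for ps in (PERM_EMPLOYEE, PERM_MANAGER)}

# Role PolicySets: target on the role attribute, one reference to the matching Permission PolicySet.
ROLE_MANAGER = PolicySet("org.talend.xacml.role.manager", "permit-overrides",
                         ["org.talend.xacml.permissions.role.manager"], {ROLE_ID: "manager"})
ROLE_EMPLOYEE = PolicySet("org.talend.xacml.role.employee", "permit-overrides",  # id constructed
                          ["org.talend.xacml.permissions.role.employee"], {ROLE_ID: "employee"})
# Root PolicySet (constructed): only Role PolicySets hang off the top level, so the target-less
# Permission PolicySets can never grant access to a subject that lacks the role.
ROOT = PolicySet("rbac-root", "deny-overrides", [ROLE_MANAGER, ROLE_EMPLOYEE])


def decide(roles, service, action="execute"):
    request = {ROLE_ID: set(roles), SERVICE_ID: {service}, ACTION_ID: {action}}
    return evaluate(ROOT, request, REGISTRY)


def authorize(roles, service, action="execute"):
    """PEP rule: only an explicit Permit grants access; NotApplicable and Indeterminate are denied."""
    return decide(roles, service, action) == PERMIT


if __name__ == "__main__":
    print(decide(["manager"], GREETER), decide(["employee"], RESERVATION))
```

Two points the evaluation makes visible: a manager reaches the GreeterService only through the reference to the employee Permission PolicySet (the role hierarchy of slide 25), and an employee asking for the ReservationService gets NotApplicable rather than Deny, which is why the PEP must treat everything except Permit as a refusal.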

Slide 26: Big Picture
Diagram: Service Consumer, STS, LDAP, Service Provider (with PEP), PDP, Policy Store
1: Request SAML Token (Service Consumer → STS)
2: Lookup Claims (STS → LDAP)
3: Invoke Service (Service Consumer → Service Provider)
4: Authorization Request (PEP → PDP)
5: Lookup Policies (PDP → Policy Store)

Slide 27: Quiz
➜ Access Management includes… Definition of Security Policies; Enforcement of Security Policies; Privilege Management
➜ Privileges should only be assigned to… Roles and not individual Users
➜ XACML Requests contain information about… Subject, Resource, Action and Environment

Slide 28: Hands-on

Slide 29: Hands-on: CXF PEP
➜ Prepare XACML Policies: Role Policy, Permission Policy
➜ Setup Security Infrastructure: STS, XKMS, LDAP; install XACML Services
➜ Enable Service Authorization: add Policy Assertion; update Provider Configuration; install Service Provider & Consumer
➜ Perform Tests: use Wireshark to monitor network traffic

Slide 30: Hands-on: Big Picture
Diagram (same as slide 26): Service Consumer, STS, LDAP, Service Provider (with PEP), PDP, Policy Store; 1: Request SAML Token; 2: Lookup Claims; 3: Invoke Service; 4: Authorization Request; 5: Lookup Policies

Slide 31: Thank You!

