Title: An Introduction to eXtensible Access Control Markup Language XACML
1. An Introduction to eXtensible Access Control Markup Language (XACML)
2. The Plan
- Access Control
- What is it?
- Why is it needed?
- Privacy
- General Terms
3. The Plan II
- XACML
- About
- General Usage Scenario
- Advantages and Limitations
- Structure
- Components
- Request
- Policies
- Response
- Practical Implementation
4. Access Control
- Wikipedia: Access control is the ability to permit or deny the use of something by someone.
- http://sunxacml.sourceforge.net/: Access control means defining who can access what, and under what conditions.
5. Access Control: Need?
- Consider three user groups who must share resources amongst themselves.
- A generic method is required to address such situations, where data must be shared with some users and also hidden from other users for various reasons.
6. Access Control: Need?
- Consider the hierarchical structure of an organization.
- Different members of different groups have access to different amounts of data.
- Again, such access to resources must be cleverly dealt with.
7. Access Control AND Privacy
- who can access what, under what conditions, AND
- for what purpose?
8. Access Control Privacy
- An access control policy can be transformed into a privacy-aware access control policy by associating the following parameters with it:
  - Intent or purpose for access against each resource.
  - Obligations to be fulfilled on access to certain data resources.
  - Data retention periods.
9. General Terms
- Let us formally define some terms now.
- Official definition
  - Resource - Data, service or system component
- Examples
  - User folders in a shared file system
  - Service to send emails
    - Some are allowed to use the service
    - Some are not.
eXtensible Access Control Markup Language (XACML) Version 2.0 documentation.
10. General Terms
- Official definition
  - Subject - An actor whose attributes may be referenced by a predicate.
- (Un)official explanation
  - Subject - An actor who makes a request to access certain resources. Terms that are used to describe a subject are called subject attributes.
11. General Terms
- Official definition
  - Action - An operation on a resource.
- Examples
  - View
  - Create
  - Update
  - Delete
12. General Terms
- Official definition
  - Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
- Examples
  - Time of day
  - IP address
13. General Terms
- Official definition
  - Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Examples
  - Subject attribute
    - Username
      - ramesh
14. General Terms
- Official definition
  - Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Examples
  - Resource attribute
    - resource-id
      - hospital.patient.xray_report
15. General Terms
- Official definition
  - Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Examples
  - Action attribute
    - action-id
      - edit
16. General Terms
- Official definition
  - Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Examples
  - Environment attribute
    - time
      - 9:30 p.m.
18. General Terms
- Official definitions
  - Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
  - Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
19. Part II
- eXtensible Access Control Markup Language
20. An Important Note
- From here onwards, when we talk about access control we automatically imply privacy-aware access control.
http://dev2dev.bea.com/pub/a/2004/02/xacml.html
21. XACML - About
- XACML defines a general policy language used to protect resources, as well as an access decision language.
- The markup language has been approved and standardized by OASIS.
22. XACML - About
- XACML describes
  - an access control policy language
  - a request/response language
http://sunxacml.sourceforge.net/
23. XACML General Usage Scenario
- Policy Enforcement Point
  - A subject (e.g. human user, workstation) wants to take some action on a particular resource.
  - The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP).
24. XACML General Usage Scenario
- Policy Enforcement Point
  - The PEP forms a request (using the XACML request language) based on the attributes of the
    - Subject
    - Action
    - Resource
    - Other relevant information (privacy parameters)
25. XACML General Usage Scenario
- Policy Decision Point (PDP)
  - It does the following:
    - Receives and examines the request.
    - Retrieves applicable policies (written in the XACML policy language).
    - Determines whether access should be granted.
    - Returns the access decision to the PEP.
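The PEP-to-PDP exchange on slides 23 to 25 can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the slides or from Sun's XACML implementation: a toy PDP that evaluates rules against a request and combines them with the spec's deny-overrides algorithm, plus the PEP-side rule that only an explicit Permit grants access. The policy, the `role` attribute and the working-hours condition are constructed for the illustration; the `resource-id` value is the x-ray report from the "General Terms" slides.

```python
"""Toy PDP/PEP for the XACML usage scenario (constructed example; not the
slides' code and not Sun's XACML implementation)."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Optional

# The four decisions a PDP can return in the XACML response language.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass
class Request:
    """What the PEP sends: attributes grouped by category, as on the slides."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: Dict[str, object]
    environment: Dict[str, object]


@dataclass
class Rule:
    effect: str                                    # PERMIT or DENY
    target: Dict[str, Dict[str, object]]           # category -> {attribute id: required value}
    condition: Optional[Callable[[Request], bool]] = None


def matches_target(target, req):
    """A rule applies only if every attribute named in its target matches."""
    return all(getattr(req, category).get(attr_id) == wanted
               for category, attrs in target.items()
               for attr_id, wanted in attrs.items())


def evaluate_rule(rule, req):
    if not matches_target(rule.target, req):
        return NOT_APPLICABLE
    if rule.condition is None:
        return rule.effect
    try:
        return rule.effect if rule.condition(req) else NOT_APPLICABLE
    except KeyError:
        # The condition referenced an attribute the request did not carry;
        # XACML reports that as Indeterminate instead of guessing a value.
        return INDETERMINATE


def deny_overrides(rules: List[Rule], req: Request):
    """Rule-combining in the shape of the spec's deny-overrides algorithm:
    any Deny wins; a Deny rule that errors still yields Deny; Permit only
    when nothing denies; Indeterminate if an error blocked a Permit."""
    at_least_one_error = potential_deny = at_least_one_permit = False
    for rule in rules:
        decision = evaluate_rule(rule, req)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == INDETERMINATE:
            at_least_one_error = True
            if rule.effect == DENY:
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    if at_least_one_error:
        return INDETERMINATE
    return NOT_APPLICABLE


# Constructed policy for the x-ray report named on the "General Terms" slides.
XRAY = "hospital.patient.xray_report"
POLICY = [
    # Doctors may view the report during working hours only (environment condition).
    Rule(PERMIT,
         {"subject": {"role": "doctor"}, "resource": {"resource-id": XRAY}, "action": {"action-id": "view"}},
         condition=lambda r: time(8, 0) <= r.environment["current-time"] < time(18, 0)),
    # Students may never edit it, whatever the time.
    Rule(DENY,
         {"subject": {"role": "student"}, "resource": {"resource-id": XRAY}, "action": {"action-id": "edit"}}),
]


def pdp_decide(req: Request, rules=POLICY):
    return deny_overrides(rules, req)


def pep_allows(req: Request, rules=POLICY):
    """The PEP grants access only on an explicit Permit; NotApplicable and
    Indeterminate are treated as denials (fail closed)."""
    return pdp_decide(req, rules) == PERMIT


def make_request(role, action, current_time=None):
    env = {} if current_time is None else {"current-time": current_time}
    return Request({"role": role}, {"resource-id": XRAY}, {"action-id": action}, env)


if __name__ == "__main__":
    for role, action, when in [("doctor", "view", time(9, 40)), ("doctor", "view", time(21, 30)),
                               ("doctor", "view", None), ("student", "edit", time(9, 40))]:
        req = make_request(role, action, when)
        print(role, action, when, "->", pdp_decide(req), "granted" if pep_allows(req) else "refused")
```

The two non-Permit outcomes are where real deployments go wrong: a request with no `current-time` attribute makes the Permit rule Indeterminate, and a request nobody wrote a rule for is NotApplicable. Neither is a Permit, so `pep_allows` refuses both; a PEP that treats "not Deny" as "allowed" would have granted them.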
26. XACML Advantages?
- ONE STANDARD access control policy language for ALL organizations.
- Administrators save time and money because they don't need to rewrite their policies in many different languages.
- Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.
27. XACML Advantages?
- Tools supporting easy writing of XACML policies and requests would be available:
  - UMU-XACML-Editor v1.2.0
  - .NET-based XACML policy and request editors
- Provides a lot of flexibility, as it is a very general-purpose language and extremely extensible.
28. XACML Limitations?
- XACML does not explicitly require the specification of purpose or intent, which is often associated with a privacy policy.
- The language's flexibility and expressiveness come at the cost of complexity and verbosity.
- Absence of semantic validation tools.
A Comparison of Two Privacy Policy Languages: EPAL and XACML, Anne Anderson / Survey on XML-Based Policy Languages for Open Environments, Mariemma I. Yagüe
29. XACML Limitations?
- Features like policy versioning and management are not defined in the XACML framework; these must be incorporated by the application developer.
- No feature of temporary authorization is specified.
  - If an employee must be authorized to access some data for 10 to 15 minutes, then one must create the entire policy.
30. XACML Structure (diagram not reproduced)
31. XACML Structure (diagram not reproduced)
32. XACML Structure
    <Request
        xmlns="urn:oasis:names:tc:xacml:1.0:context"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:db="db_acad">
33. XACML Structure
      <Subject>
        <Attribute
            AttributeId="db_acad_users_user_username"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>student4</AttributeValue>
        </Attribute>
      </Subject>
34. XACML Structure
      <Resource>
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>sub2</AttributeValue>
        </Attribute>
      </Resource>
35. XACML Structure
      <Action>
        <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>view</AttributeValue>
        </Attribute>
      </Action>
36. XACML Structure
      <Environment>
        <Attribute
            AttributeId="current-time"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>9:40 am</AttributeValue>
        </Attribute>
      </Environment>
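Slides 32 to 36 show the request a PEP sends. As an added example (not the slides' code and not Sun's XACML project), the following Python builds such an XACML 1.0 context Request from plain dictionaries with `xml.etree.ElementTree`, using the context namespace as the default namespace and the standard `resource-id` / `action-id` attribute identifiers, and parses one back into `{category: {AttributeId: value}}`. The attribute values (`student4`, `sub2`, `view`, `9:40 am`) are taken from the slides; the helper names are the example's own.

```python
"""Build and parse an XACML 1.0 context Request (constructed example;
not code from the slides or from Sun's XACML project)."""
import xml.etree.ElementTree as ET

CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
NS = {"ctx": CONTEXT_NS}

# Serialise the context namespace as the default namespace, as on the slides.
ET.register_namespace("", CONTEXT_NS)


def _tag(local):
    """Clark-notation tag name in the context namespace."""
    return "{%s}%s" % (CONTEXT_NS, local)


def _add_attribute(parent, attr_id, value, datatype=XS_STRING):
    attr = ET.SubElement(parent, _tag("Attribute"), AttributeId=attr_id, DataType=datatype)
    ET.SubElement(attr, _tag("AttributeValue")).text = value
    return attr


def build_request(subject, resource_id, action_id, environment):
    """subject / environment: dicts of AttributeId -> string value.
    Returns the Request element serialised as a unicode string."""
    req = ET.Element(_tag("Request"))
    subj = ET.SubElement(req, _tag("Subject"))
    for attr_id, value in subject.items():
        _add_attribute(subj, attr_id, value)
    _add_attribute(ET.SubElement(req, _tag("Resource")), RESOURCE_ID, resource_id)
    _add_attribute(ET.SubElement(req, _tag("Action")), ACTION_ID, action_id)
    env = ET.SubElement(req, _tag("Environment"))
    for attr_id, value in environment.items():
        _add_attribute(env, attr_id, value)
    return ET.tostring(req, encoding="unicode")


def parse_request(xml_text):
    """Return {category: {AttributeId: value}} for a context Request.
    Rejects anything whose root element is not a Request in the context
    namespace, so a stray document cannot be mistaken for a request."""
    root = ET.fromstring(xml_text)  # a production PEP/PDP should use a hardened XML parser
    if root.tag != _tag("Request"):
        raise ValueError("not an XACML context Request")
    out = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bucket = out[category.lower()] = {}
        for attr in root.findall("ctx:%s/ctx:Attribute" % category, NS):
            bucket[attr.get("AttributeId")] = attr.findtext("ctx:AttributeValue", namespaces=NS)
    return out


# Constructed request carrying the values shown on the slides.
SAMPLE = build_request({"db_acad_users_user_username": "student4"},
                       "sub2", "view", {"current-time": "9:40 am"})

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_request(SAMPLE))
```

Serialising through a real XML library rather than string concatenation is what keeps attribute values such as a username containing `<` or `"` from corrupting the request; the round trip in `parse_request` is the quickest check that the namespaces and element names came out as the slides show them.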
37. XACML Policy Structure (diagram not reproduced)
38. XACML Response Structure (diagram not reproduced)
39. XACML Response Structure
    <Response>
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
      </Result>
    </Response>
40. XACML Response Structure
    <Decision>Permit</Decision>
41. XACML Response Structure
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
42. XACML Response Structure
    <Obligations>
      <Obligation ObligationId="email" FulfillOn="Permit">
        <AttributeAssignment AttributeId="mailto"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          //context:ResourceContent/db:user/db:email/text()
        </AttributeAssignment>
        <AttributeAssignment AttributeId="text"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          Your marks have been accessed by the Dean for the purpose of Creation of GradeSheet.
        </AttributeAssignment>
      </Obligation>
    </Obligations>
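Slides 39 to 42 show the response a PEP receives; the security-relevant part is what the PEP does with it. In XACML, an obligation attached to the decision is a condition of that decision: a PEP that cannot carry out an obligation it receives must not grant access. The following added example (not the slides' code and not Sun's XACML project) parses a response, checks decision and status, runs a handler for each obligation whose `FulfillOn` matches the decision, and grants only when the decision is Permit and every obligation was fulfilled. The sample response is constructed: it mirrors the e-mail obligation on slide 42 but carries a literal made-up address instead of the XPath shown there, and it writes `Obligations` with the XACML policy namespace prefix, where that element is defined; the parser ignores prefixes so the plain form on the slide is handled too.

```python
"""PEP-side handling of an XACML response with obligations (constructed
example; not code from the slides or from Sun's XACML project)."""
import xml.etree.ElementTree as ET

CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
NS = {"ctx": CONTEXT_NS}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

# Constructed response modelled on slides 39 and 42. The address is made up.
SAMPLE_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
          xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="email" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="mailto"
            DataType="http://www.w3.org/2001/XMLSchema#string">student4@example.invalid</xacml:AttributeAssignment>
        <xacml:AttributeAssignment AttributeId="text"
            DataType="http://www.w3.org/2001/XMLSchema#string">Your marks have been accessed by the Dean for the purpose of Creation of GradeSheet.</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
</Response>"""


def _local(tag):
    """Local name of a possibly namespaced tag."""
    return tag.rsplit("}", 1)[-1]


def _obligations(result, decision):
    """Yield (ObligationId, {AttributeId: value}) for every obligation whose
    FulfillOn matches the decision, whatever namespace prefix it carries."""
    for el in result.iter():
        if _local(el.tag) == "Obligation" and el.get("FulfillOn") == decision:
            args = {a.get("AttributeId"): (a.text or "").strip()
                    for a in el if _local(a.tag) == "AttributeAssignment"}
            yield el.get("ObligationId"), args


def enforce(response_xml, handlers):
    """Return (access_granted, fulfilled_obligation_ids).

    handlers maps ObligationId -> callable(args). Access is granted only when
    the status is ok, the decision is Permit and every obligation attached to
    that decision has been carried out; an obligation this PEP has no handler
    for forces a refusal, because the PEP cannot honour the decision's terms."""
    root = ET.fromstring(response_xml)  # a production PEP should use a hardened XML parser
    result = root.find("ctx:Result", NS)
    if result is None:
        return False, []
    decision = (result.findtext("ctx:Decision", namespaces=NS) or "").strip()
    status = result.find("ctx:Status/ctx:StatusCode", NS)
    if status is not None and status.get("Value") != STATUS_OK:
        return False, []
    fulfilled = []
    for ob_id, args in _obligations(result, decision):
        handler = handlers.get(ob_id)
        if handler is None:
            return False, fulfilled
        handler(args)
        fulfilled.append(ob_id)
    return decision == "Permit", fulfilled


sent_mail = []  # stand-in for an outgoing mail queue, so the test can inspect it


def email_obligation(args):
    """Handler for the 'email' obligation: queue the notification."""
    sent_mail.append({"mailto": args["mailto"], "text": args["text"]})


if __name__ == "__main__":
    print(enforce(SAMPLE_RESPONSE, {"email": email_obligation}), sent_mail)
    print(enforce(SAMPLE_RESPONSE, {}))
```

Obligations with `FulfillOn="Deny"` are processed the same way on a Deny decision, so the PEP can still notify or log when access is refused; the grant itself depends only on the decision being Permit with all of its obligations fulfilled.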
43. References
- http://sunxacml.sourceforge.net/
- XACML Core Specification Documents: access_control-xacml-2.0-core-spec-os.pdf
- http://dev2dev.bea.com/pub/a/2004/02/xacml.html
- A Comparison of Two Privacy Policy Languages: EPAL and XACML, Anne Anderson
- Survey on XML-Based Policy Languages for Open Environments, Mariemma I. Yagüe