An Introduction to eXtensible Access Control Markup Language (XACML)

Transcript and Presenter's Notes

1
An Introduction to eXtensible Access Control
Markup Language XACML
  • Hemant Goyal
  • BE IT NSIT

2
The Plan
  • Access Control
  • What is it?
  • Why is it needed?
  • Privacy
  • General Terms

3
The Plan II
  • XACML
  • About
  • General Usage Scenario
  • Advantages and Limitations
  • Structure
  • Components
  • Request
  • Policies
  • Response
  • Practical Implementation

4
Access Control
  • Wikipedia: Access control is the ability to permit or deny
    the use of something by someone.
  • http://sunxacml.sourceforge.net/: Access control means
    defining who can access what, and under what conditions.

5
Access Control Need?
  • Consider three user groups who must share resources
    amongst themselves.
  • We need a generic method for such situations, where data
    must be shared with some users and, for various reasons,
    hidden from others.

6
Access Control Need?
  • Consider the hierarchical structure of an organization.
  • Members of different groups have access to different
    amounts of data.
  • Again, access to such resources must be controlled
    deliberately, according to the member's group and position.

7
Access Control AND Privacy
  • who can access what, under what conditions AND
  • for what purpose?

8
Access Control + Privacy
  • An access control policy becomes a privacy-aware access
    control policy when the following parameters are
    associated with it:
  • the intent or purpose of access, against each resource;
  • obligations to be fulfilled when certain data resources
    are accessed;
  • data retention periods.

9
General Terms
  • Let us now formally define some terms.
  • Official Definition
  • Resource - Data, service or system component
  • Examples
  • User folders in a shared file system
  • A service to send e-mails: some users are allowed to use
    the service, some are not.

eXtensible Access Control Markup Language (XACML)
Version 2.0 documentation.
10
General Terms
  • Official Definition
  • Subject - An actor whose attributes may be
    referenced by a predicate.
  • (Un)official explanation
  • Subject - An actor that makes a request to access
    certain resources. The terms used to describe a subject
    are called Subject Attributes.

11
General Terms
  • Official Definition
  • Action - An operation on a resource.
  • Examples
  • View
  • Create
  • Update
  • Delete

12
General Terms
  • Official Definition
  • Environment - The set of attributes that are
    relevant to an authorization decision and are
    independent of a particular subject, resource or
    action
  • Examples
  • Time of Day
  • IP address

13
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Subject Attribute
  • Username
  • ramesh

14
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Resource Attribute
  • resource-id
  • hospital.patient.xray_report

15
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Action Attribute
  • action-id
  • edit

16
General Terms
  • Official Definition
  • Attribute - Characteristic of a subject,
    resource, action or environment that may be
    referenced in a predicate or target.
  • Examples
  • Environment Attribute
  • time
  • 9:30 p.m.

18
General Terms
  • Official Definitions
  • Policy decision point (PDP) - The system entity
    that evaluates applicable policy and renders an
    authorization decision.
  • Policy enforcement point (PEP) - The system
    entity that performs access control, by making
    decision requests and enforcing authorization
    decisions.

19
Part II
  • eXtensible Access Control Markup Language

20
An Important Note
  • From here onwards, when we talk about access
    control we mean privacy-aware access control.

http://dev2dev.bea.com/pub/a/2004/02/xacml.html
21
XACML - About
  • XACML defines a general policy language used to
    protect resources, together with an access decision
    (request/response) language.
  • The markup language has been approved and
    standardized by OASIS.

22
XACML - About
  • XACML describes
  • an access control policy language
  • a request/response language

http://sunxacml.sourceforge.net/
23
XACML General Usage Scenario
  • Policy Enforcement Point
  • A subject (e.g. human user, workstation) wants to
    take some action on a particular resource.
  • The subject submits its query to the entity
    protecting the resource (e.g. file system, web
    server). This entity is called a Policy
    Enforcement Point (PEP).

24
XACML General Usage Scenario
  • Policy Enforcement Point
  • The PEP forms a request (using the XACML request
    language) based on the attributes of the
  • Subject
  • Action
  • Resource
  • Other relevant information, such as environment
    attributes and privacy parameters (e.g. purpose of access)

25
XACML General Usage Scenario
  • Policy Decision Point (PDP)
  • It does the following
  • Receives and examines the request.
  • Retrieves the applicable policies (written in the
    XACML policy language).
  • Determines whether access should be granted.
  • Returns the access decision to the PEP.

26
XACML Advantages
  • ONE STANDARD access control policy language for
    ALL organizations.
  • Administrators save time and money because they
    don't need to rewrite their policies in many
    different languages.
  • Developers save time and money because they don't
    have to invent new policy languages and write
    code to support them; they can reuse existing code.

27
XACML Advantages
  • Tools that make writing XACML policies and requests
    easier are available, for example
  • UMU-XACML-Editor v1.2.0
  • .NET based XACML policy and request editors
  • The language is very general-purpose and extremely
    extensible, which provides a lot of flexibility.

28
XACML Limitations
  • XACML does not explicitly require the
    specification of purpose or intent, which is often
    associated with a privacy policy.
  • The language's flexibility and expressiveness
    come at the cost of complexity and verbosity.
  • Absence of semantic validation tools: a policy can be
    schema-valid and still not mean what its author intended.

Sources: A Comparison of Two Privacy Policy Languages:
EPAL and XACML (Anne Anderson); Survey on XML-Based Policy
Languages for Open Environments (Mariemma I. Yagüe)
29
XACML Limitations
  • Features like policy versioning and management
    are not defined in the XACML framework; these must be
    incorporated by the application developer.
  • No feature for temporary authorization is specified.
  • If an employee must be authorized to access some
    data for 10-15 minutes, one must author an entire
    policy for it (and remove it afterwards); the only
    time bound XACML itself offers is a condition on the
    environment's current-time attribute.
30
XACML Structure (diagram)

31
XACML Structure (diagram)
32
XACML Structure
    <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:db="db_acad">
  • The PEP builds the Request; it holds the Subject, Resource,
    Action and Environment, each as a list of typed attributes.

33
XACML Structure
    <Subject>
      <Attribute AttributeId="db_acad_users_user_username"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>student4</AttributeValue>
      </Attribute>
    </Subject>

34
XACML Structure
    <Resource>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>sub2</AttributeValue>
      </Attribute>
    </Resource>

35
XACML Structure
    <Action>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                 DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>view</AttributeValue>
      </Attribute>
    </Action>

36
XACML Structure
    <Environment>
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                 DataType="http://www.w3.org/2001/XMLSchema#time">
        <AttributeValue>09:40:00</AttributeValue>
      </Attribute>
    </Environment>
    </Request>
  • The slide sent the time as the string "9:40 am"; a policy can
    only compare it with the XACML time functions if it is sent as
    an XML Schema time value under the standard current-time
    attribute identifier, as shown here.

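The PEP/PDP exchange of slides 23-25, the Request built up on slides 32-36 and the policy structure of slide 37 can be put together in a small decision engine. The following is an added example written for this page, not the sunxacml code the slides cite: a toy XACML 1.0-style PDP in Python that parses the slides' Request, matches the Targets of a constructed policy (the policy, its PolicyId and its RuleIds are assumptions made for illustration), combines the rule effects with the named rule-combining algorithm and emits a Response. Conditions, AttributeSelectors, policy sets and obligations are left out; an unknown MatchId or combining algorithm yields Indeterminate with a processing-error status rather than a guessed decision.

```python
"""Toy XACML 1.0-style Policy Decision Point (added example, not sunxacml): parse a
Request and a Policy, match Targets, combine Rule effects, return a Response."""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
POL = "{urn:oasis:names:tc:xacml:1.0:policy}"
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
FUNCTIONS = {EQ: lambda literal, value: literal == value}   # add further MatchIds here
COMBINE = {ALG + "deny-overrides": lambda fx: "Deny" if "Deny" in fx else "Permit",
           ALG + "permit-overrides": lambda fx: "Permit" if "Permit" in fx else "Deny",
           ALG + "first-applicable": lambda fx: fx[0]}

def parse_request(xml_text):
    """Flatten the Request into {"Subject": {attr-id: [values]}, "Resource": ..., ...}."""
    root, ctx = ET.fromstring(xml_text), {}
    for cat in ("Subject", "Resource", "Action", "Environment"):
        attrs = ctx.setdefault(cat, {})
        for attr in root.findall(f"{CTX}{cat}/{CTX}Attribute"):
            vals = [(v.text or "").strip() for v in attr.findall(CTX + "AttributeValue")]
            attrs.setdefault(attr.get("AttributeId"), []).extend(vals)
    return ctx

def match_true(match, attrs):
    """One *Match element: MatchId(literal, v) holds for some request value v of the
    designated attribute.  An attribute absent from the request never matches."""
    fn = FUNCTIONS[match.get("MatchId")]
    literal = (match.find(POL + "AttributeValue").text or "").strip()
    designator = next(e for e in match if e.tag.endswith("AttributeDesignator"))
    return any(fn(literal, v) for v in attrs.get(designator.get("AttributeId"), []))

def target_matches(target, ctx):
    """Subjects, Resources and Actions must all match: each is Any* or has a member
    whose *Match children all hold.  A Rule without a Target inherits the Policy's."""
    if target is None:
        return True
    for cat in ("Subject", "Resource", "Action"):
        group = target.find(POL + cat + "s")
        if group is None or group.find(POL + "Any" + cat) is not None:
            continue
        if not any(all(match_true(m, ctx[cat]) for m in member.findall(POL + cat + "Match"))
                   for member in group.findall(POL + cat)):
            return False
    return True

def evaluate(policy_xml, request_xml):
    """PDP entry point: one Request in, one Response (Decision + Status) out."""
    policy, ctx = ET.fromstring(policy_xml), parse_request(request_xml)
    decision, status = "NotApplicable", "ok"
    try:
        if target_matches(policy.find(POL + "Target"), ctx):
            effects = [r.get("Effect") for r in policy.findall(POL + "Rule")
                       if target_matches(r.find(POL + "Target"), ctx)]
            if effects:
                decision = COMBINE[policy.get("RuleCombiningAlgId")](effects)
    except KeyError:   # unknown MatchId or combining algorithm: report it, never guess
        decision, status = "Indeterminate", "processing-error"
    resp = ET.Element(CTX + "Response")
    result = ET.SubElement(resp, CTX + "Result")
    ET.SubElement(result, CTX + "Decision").text = decision
    ET.SubElement(ET.SubElement(result, CTX + "Status"), CTX + "StatusCode",
                  Value="urn:oasis:names:tc:xacml:1.0:status:" + status)
    return ET.tostring(resp, encoding="unicode")

def decision_of(response_xml):
    return ET.fromstring(response_xml).find(f"{CTX}Result/{CTX}Decision").text

# The request from the slides (separators restored); current-time carries the XML Schema
# time type so that a policy could compare it, rather than the string "9:40 am".
REQUEST = f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context">
  <Subject><Attribute AttributeId="db_acad_users_user_username" DataType="{STR}"><AttributeValue>student4</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="{RES_ID}" DataType="{STR}"><AttributeValue>sub2</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACT_ID}" DataType="{STR}"><AttributeValue>view</AttributeValue></Attribute></Action>
  <Environment><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
      DataType="http://www.w3.org/2001/XMLSchema#time"><AttributeValue>09:40:00</AttributeValue></Attribute></Environment>
</Request>"""

# A constructed (hypothetical) policy for the same database: student4 may view sub2; nobody may edit.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="db_acad_sub2" RuleCombiningAlgId="{ALG}deny-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Rule RuleId="student4-may-view-sub2" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{EQ}"><AttributeValue DataType="{STR}">student4</AttributeValue>
      <SubjectAttributeDesignator AttributeId="db_acad_users_user_username" DataType="{STR}"/></SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{EQ}"><AttributeValue DataType="{STR}">sub2</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RES_ID}" DataType="{STR}"/></ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{EQ}"><AttributeValue DataType="{STR}">view</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="nobody-edits" Effect="Deny"><Target>
    <Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
    <Actions><Action><ActionMatch MatchId="{EQ}"><AttributeValue DataType="{STR}">edit</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACT_ID}" DataType="{STR}"/></ActionMatch></Action></Actions>
  </Target></Rule>
</Policy>"""

if __name__ == "__main__":
    print(evaluate(POLICY, REQUEST))                                          # Decision: Permit
    print(decision_of(evaluate(POLICY, REQUEST.replace(">view<", ">edit<"))))  # Deny
```

With the slides' request the decision is Permit; changing the action to edit gives Deny through deny-overrides, and an unknown subject gives NotApplicable, which the PEP must not treat as Permit. The try/except is the important design choice: a PDP that meets a MatchId or algorithm it does not implement must report Indeterminate rather than silently skip the rule, because a skipped Deny rule turns into an unintended Permit.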
37
XACML Policy Structure (diagram)

38
XACML Response Structure (diagram)
39
XACML Response Structure
    <Response>
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
      </Result>
    </Response>

40
XACML Response Structure
    <Decision>Permit</Decision>
  • The Decision is one of Permit, Deny, NotApplicable
    (no policy applied to the request) or Indeterminate
    (the PDP hit an error). A safe PEP grants access only
    on Permit and treats the other three as Deny.

41
XACML Response Structure
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  • The standard status codes are ok, missing-attribute,
    syntax-error and processing-error; a code other than ok
    accompanies an Indeterminate decision and tells the PEP why.

42
XACML Response Structure
    <Obligations>
      <Obligation ObligationId="email" FulfillOn="Permit">
        <AttributeAssignment AttributeId="mailto"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          //context:ResourceContent/db:user/db:email/text()
        </AttributeAssignment>
        <AttributeAssignment AttributeId="text"
            DataType="http://www.w3.org/2001/XMLSchema#string">
          Your marks have been accessed by the Dean
          for the purpose of Creation of GradeSheet.
        </AttributeAssignment>
      </Obligation>
    </Obligations>
  • FulfillOn="Permit": the PEP must send this e-mail whenever it
    grants the access. A PEP that does not understand or cannot
    fulfil an obligation must deny access.
  • In XACML 1.0 and 2.0 an AttributeAssignment carries a literal
    value, so the mailto XPath reaches the PEP as text; the PEP
    (or its obligation handler) evaluates it against the
    ResourceContent of the request. XACML 3.0 later added
    AttributeAssignmentExpression so the PDP can evaluate such
    expressions itself.

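The obligation above, like the obligation parameter of slide 8, is only worth anything if the PEP actually carries it out. Below is an added example for this page, not sunxacml's or the author's code, of the PEP side in Python: it reads the Response of slides 39 and 42, resolves the mailto assignment against the ResourceContent of a constructed request (the Dean's username, the student record and the address student4@example.edu are assumptions), dispatches each obligation whose FulfillOn matches the decision to a handler, and grants access only when the decision is Permit and every such obligation was fulfilled. The sent_mail list stands in for an SMTP client.

```python
"""PEP-side handling of an XACML Response (added example, not sunxacml): enforce the
Decision and fulfil the Obligations; an obligation the PEP cannot fulfil means deny."""
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"
POL = "{urn:oasis:names:tc:xacml:1.0:policy}"
PREFIXES = {"context": CTX, "db": "{db_acad}"}   # prefixes used by the slide's XPath
sent_mail = []                                    # constructed sink standing in for SMTP

def resolve(value, request_root):
    """Resolve an AttributeAssignment value.  XACML 1.0/2.0 carry it as a literal, so a
    PDP hands '//context:ResourceContent/...' over verbatim; this PEP evaluates that
    restricted XPath shape (//p:a/p:b/text()) against the Request it sent.  Anything it
    cannot resolve becomes None, which the handler treats as 'cannot fulfil'."""
    if not value.startswith("//"):
        return value
    path = value[2:-7] if value.endswith("/text()") else value[2:]
    try:
        steps = [PREFIXES[p] + n for p, n in (s.split(":", 1) for s in path.split("/"))]
    except (KeyError, ValueError):
        return None
    node = request_root.find(".//" + "/".join(steps))
    return None if node is None or not (node.text or "").strip() else node.text.strip()

def email_obligation(args):
    """Handler for ObligationId="email": returns False when it cannot be fulfilled."""
    if not args.get("mailto") or not args.get("text"):
        return False
    sent_mail.append((args["mailto"], args["text"]))
    return True

HANDLERS = {"email": email_obligation}

def enforce(response_xml, request_xml):
    """True only if the Decision is Permit and every obligation with FulfillOn="Permit"
    was fulfilled.  Deny, NotApplicable, Indeterminate, an unknown ObligationId or a
    handler that fails all mean no access."""
    result = ET.fromstring(response_xml).find(CTX + "Result")
    decision = (result.find(CTX + "Decision").text or "").strip()
    request_root = ET.fromstring(request_xml)
    for ob in result.iter(POL + "Obligation"):
        if ob.get("FulfillOn") != decision:
            continue
        args = {a.get("AttributeId"): resolve((a.text or "").strip(), request_root)
                for a in ob.findall(POL + "AttributeAssignment")}
        handler = HANDLERS.get(ob.get("ObligationId"))
        if handler is None or not handler(args):
            return False          # obligation not understood or not fulfilled: deny
    return decision == "Permit"

# Constructed request: the Dean views student4's marks; ResourceContent carries the
# student record that the obligation's XPath refers to.
REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:1.0:context" xmlns:db="db_acad">
  <Subject><Attribute AttributeId="db_acad_users_user_username" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>dean</AttributeValue></Attribute></Subject>
  <Resource>
    <ResourceContent><db:user><db:username>student4</db:username><db:email>student4@example.edu</db:email></db:user></ResourceContent>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>student4.marks</AttributeValue></Attribute>
  </Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>view</AttributeValue></Attribute></Action>
</Request>"""

# The response from the slides (Decision, Status and the e-mail Obligation), separators restored.
RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:1.0:context" xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
    <xacml:Obligations>
      <xacml:Obligation ObligationId="email" FulfillOn="Permit">
        <xacml:AttributeAssignment AttributeId="mailto" DataType="http://www.w3.org/2001/XMLSchema#string">//context:ResourceContent/db:user/db:email/text()</xacml:AttributeAssignment>
        <xacml:AttributeAssignment AttributeId="text" DataType="http://www.w3.org/2001/XMLSchema#string">Your marks have been accessed by the Dean for the purpose of Creation of GradeSheet.</xacml:AttributeAssignment>
      </xacml:Obligation>
    </xacml:Obligations>
  </Result>
</Response>"""

if __name__ == "__main__":
    print(enforce(RESPONSE, REQUEST), sent_mail)   # True, one mail to student4@example.edu
    print(enforce(RESPONSE.replace('ObligationId="email"', 'ObligationId="audit"'), REQUEST))  # False
```

The check that matters is the early return inside the loop: a Permit that arrives with an obligation the PEP has no handler for, or whose recipient cannot be resolved, is not a Permit. Deploying a new obligation in policy before the PEPs have a handler for it therefore fails closed instead of silently dropping the privacy notice.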
43
References
  • http://sunxacml.sourceforge.net/
  • XACML Core Specification:
    access_control-xacml-2.0-core-spec-os.pdf
  • http://dev2dev.bea.com/pub/a/2004/02/xacml.html
  • Anne Anderson, A Comparison of Two Privacy Policy Languages:
    EPAL and XACML
  • Mariemma I. Yagüe, Survey on XML-Based Policy Languages
    for Open Environments