XACML OASIS eXtensible Access Control Markup Language - PowerPoint PPT Presentation

1
XACML: OASIS eXtensible Access Control Markup Language
  • Steve Carmody
  • July 10, 2003

2
Outline
  • What is the Problem?
  • The XACML Model
  • Some Examples
  • Implementation Status

3
Authz Landscape
  • Business Systems (HR, Student Admissions)
  • Assigning Roles
  • Provisioning
  • Attribute Release
  • Policy Store
  • Transport of Attributes
  • PEP
  • PDP

4
Requirements
  1. To provide a method for combining individual
    rules and policies into a single policy set that
    applies to a particular decision request.
  2. To provide a method for flexible definition of
    the procedure by which rules and policies are
    combined.
  3. To provide a method for dealing with multiple
    subjects acting in different capacities.
  4. To provide a method for basing an authorization
    decision on attributes of the subject and
    resource.
  5. To provide a method for dealing with multi-valued
    attributes.
  6. To provide a method for basing an authorization
    decision on the contents of an information
    resource.
  7. To provide a set of logical and mathematical
    operators on attributes of the subject, resource
    and environment.

5
Requirements
  • To provide a method for handling a distributed
    set of policy components, while abstracting the
    method for locating, retrieving and
    authenticating the policy components.
  • To provide a method for rapidly identifying the
    policy that applies to a given action, based upon
    the values of attributes of the subjects,
    resource and action.
  • To provide an abstraction-layer that insulates
    the policy-writer from the details of the
    application environment.
  • To provide a method for specifying a set of
    actions that must be performed in conjunction
    with policy enforcement.
  • The motivation behind XACML is to express these
    well-established ideas in the field of
    access-control policy using an extension language
    of XML.

6
What Kinds of Questions Do We Want to Ask?
  1. Can this entity perform this action on this
    resource?
  2. Can these entities perform this action on this
    resource?
  3. What are all the (resource, action) pairs this
    person is authorized to perform?

7
  • What is the Problem?
  • The XACML Model
  • Some Examples
  • Implementation Status

8
The Theoretical Model
9
XACML is an OASIS standard that describes
  • A policy language
  • used to describe general access control
    requirements, and has standard extension points
    for defining new functions, data types, combining
    logic, etc.
  • An access control decision request/response
    language
  • lets you form a query to ask whether or not a
    given action should be allowed, and interpret the
    result.
  • The response always includes an answer about
    whether the request should be allowed using one
    of four values
  • Permit,
  • Deny,
  • Indeterminate (an error occurred or some required
    value was missing, so a decision cannot be made)
  • Not Applicable (the request can't be answered by
    this service).

10
An Access Control Request
  • Subject
  • A set of attributes associated with the entity
    making the request
  • Resource
  • The resource to which access is being requested
  • Action
  • The requested action to be performed on the
    resource
  • Environment

11
Top Level Constructs: Rule, Policy, and PolicySet
  • XACML defines three top-level policy elements
  • <Rule>,
  • <Policy>
  • <PolicySet>.
  • The <Rule> element
  • contains a boolean expression that can be
    evaluated in isolation
  • is not intended to be accessed in isolation by a
    PDP.
  • It is not intended to form the basis of an
    authorization decision by itself.
  • It may form the basic unit of management, and be
    re-used in multiple policies.

12
Top Level Constructs: Rule, Policy, and PolicySet
  • The <Policy> element
  • contains a set of <Rule> elements and
  • a specified procedure for combining the results
    of their evaluation.
  • It is the basic unit of policy used by the PDP,
    and so it is intended to form the basis of an
    authorization decision.
  • The <PolicySet> element
  • contains a set of <Policy> or other <PolicySet>
    elements and
  • a specified procedure for combining the results
    of their evaluation.
  • It is the standard means for combining separate
    policies into a single combined policy.

13
Policies (more)
  • The complete policy applicable to a particular
    decision request may be composed of a number of
    individual rules or policies.
  • For instance, in a personal privacy application,
  • the owner of the personal information may define
    certain aspects of disclosure policy,
  • and the enterprise that is the custodian of the
    information may define certain other aspects.
  • In order to render an authorization decision, it
    must be possible to combine the two separate
    policies to form the single policy applicable to
    the request.

14
Attributes
  • The currency that XACML deals in is attributes.
  • Attributes are named values of known types that
    may include an issuer identifier or an issue date
    and time.
  • Specifically, attributes are characteristics of
    the Subject, Resource, Action, or Environment in
    which the access request is made.
  • A user's name, their security clearance, the file
    they want to access, and the time of day are all
    attribute values.
  • When a request is sent from a PEP to a PDP, that
    request is formed almost exclusively of
    attributes, and they will be compared to
    attribute values in a policy to make the access
    decisions.

15
Making a Decision
  1. Find relevant policies and rules
  2. Evaluate the Rules
  3. Combine the results

16
Targets - Finding a policy that applies to a
given request.
  • A Target is associated with a PolicySet, Policy
    or Rule
  • The Subject, Resource and Action in a Request are
    matched against Targets, using the Conditions
    specified in the Target
  • A Condition is a set of statements about
    Attributes whose truth can be evaluated
  • If all the conditions of a Target are met, then
    its associated PolicySet, Policy, or Rule applies
    to the request.
  • In addition to being a way to check
    applicability, Target information also provides a
    way to index policies.

17
Policies Based on Resource Contents
  • Sometimes, an authorization decision is based on
    data contained in the information resource to
    which access is requested.
  • A common component of privacy policy is that a
    person should be allowed to read records for
    which he or she is the subject.
  • The corresponding policy must contain a reference
    to the subject identified in the information
    resource itself.
  • XACML provides facilities for doing this
  • when the information resource can be represented
    as an XML document.
  • When the information resource is not an XML
    document, specified attributes of the resource
    can be referenced.

18
Evaluating Rules
  1. Once a Policy has been found and verified to
    apply to a request, its Rules are evaluated.
  2. A policy can have any number of Rules which
    contain the core logic of an XACML policy.
  3. The heart of most Rules is a Condition, which is
    a boolean function. If the Condition evaluates to
    true, then the Rule's Effect (a value of Permit
    or Deny that is associated with successful
    evaluation of the Rule) is returned.
  4. Evaluation of a Condition can also result in an
    error (Indeterminate) or discovery that the
    Condition doesn't apply to the request
    (NotApplicable).
  5. A Condition can be quite complex, built from an
    arbitrary nesting of non-boolean functions and
    attributes.

19
Accumulating a Decision
  • A Policy or PolicySet may contain multiple
    policies or Rules,
  • each of which may evaluate to different access
    control decisions,
  • XACML needs some way of reconciling the decisions
    each makes.
  • Rule-Combining and Policy-Combining Algorithms
  • Combining Algorithms represent various ways of
    combining multiple decisions into a single
    decision.
  • Deny-overrides
  • Permit-overrides
  • Etc
  • Custom Combining algorithms
  • Combining Algorithms are used to build up
    increasingly complex policies

20
To be Covered Some Other Time.
  • AttributeDesignator
  • AttributeSelector
  • Bags

21
A Few More Concepts
22
Obligations - Other required actions
  • In many applications, policies specify actions
    that MUST be performed, either instead of, or in
    addition to, actions that MAY be performed.
  • XACML provides facilities to specify actions that
    MUST be performed in conjunction with policy
    evaluation in the <Obligations> element.
  • There are no standard definitions for these
    actions in version 1.0 of XACML.
  • Therefore, bilateral agreement between a PAP and
    the PEP that will enforce its policies is
    required for correct interpretation.
  • PEPs that conform with v1.0 of XACML are required
    to deny access unless they understand all the
    <Obligations> elements associated with the
    applicable policy.
  • <Obligations> elements are returned to the PEP
    for enforcement.
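The PEP-side rule stated on this slide (deny unless every obligation is understood, then carry out the ones whose FulfillOn matches the decision), as an added Python example. This is not code from the presentation or from Sun's implementation; the response and obligation dicts, the handler table, and the urn:example obligation ids are constructed for the example, and the subject and calendar names are the ones used on the sample-policy slides.

```python
# PEP-side obligation handling: added example, not code from the slides or sunxacml.
# A PDP response carries a decision plus the <Obligations> attached by the applicable
# policy. Each obligation has an id, a FulfillOn value (Permit or Deny) and attributes;
# the PEP may act on the decision only if it understands every obligation it was handed.


def enforce(response, handlers):
    """Return {'access', 'performed', 'unknown'} for a PDP response dict.

    handlers maps obligation id -> callable(attributes) -> result. An obligation whose
    id has no handler is one this PEP does not understand, so access is denied.
    """
    decision = response["decision"]
    obligations = response.get("obligations", [])
    unknown = sorted({o["id"] for o in obligations} - set(handlers))
    if unknown:                      # no PAP/PEP agreement covers these ids: fail closed
        return {"access": False, "performed": [], "unknown": unknown}
    # Only obligations whose FulfillOn matches the decision are carried out
    performed = [handlers[o["id"]](o.get("attributes", {}))
                 for o in obligations if o["fulfill_on"] == decision]
    return {"access": decision == "Permit", "performed": performed, "unknown": []}


# Constructed handlers standing in for the PEP's side of the PAP/PEP agreement
AUDIT_LOG = []


def log_access(attrs):
    entry = f"{attrs.get('subject')} {attrs.get('action')} {attrs.get('resource')}"
    AUDIT_LOG.append(entry)
    return "logged:" + entry


def notify_owner(attrs):
    return "notified:" + attrs.get("owner", "")


HANDLERS = {"urn:example:obligation:log-access": log_access,      # constructed ids
            "urn:example:obligation:notify-owner": notify_owner}

# Constructed PDP responses (the obligation ids are not XACML-defined; v1.0 defines none)
PERMIT_WITH_LOG = {
    "decision": "Permit",
    "obligations": [{"id": "urn:example:obligation:log-access", "fulfill_on": "Permit",
                     "attributes": {"subject": "stp@alumni.brown.edu", "action": "read",
                                    "resource": "stc@cal.brown.edu"}}]}
PERMIT_WITH_UNKNOWN = {
    "decision": "Permit",
    "obligations": [{"id": "urn:example:obligation:watermark", "fulfill_on": "Permit"}]}
DENY_WITH_NOTIFY = {
    "decision": "Deny",
    "obligations": [{"id": "urn:example:obligation:notify-owner", "fulfill_on": "Deny",
                     "attributes": {"owner": "stc@brown.edu"}},
                    {"id": "urn:example:obligation:log-access", "fulfill_on": "Permit"}]}

if __name__ == "__main__":
    for name, resp in [("permit+log", PERMIT_WITH_LOG),
                       ("permit+unknown", PERMIT_WITH_UNKNOWN),
                       ("deny+notify", DENY_WITH_NOTIFY)]:
        print(name, enforce(resp, HANDLERS))
```

The second response is the case the slide warns about: the PDP said Permit, but because the PEP has no handler for the watermark obligation it must treat the answer as a denial rather than grant access and silently skip the obligation.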

23
XACML context
  • The core language is insulated from the
    application environment by the XACML context, in
    which the scope of the XACML specification is
    indicated by the shaded area.
  • The XACML context is defined in XML schema,
    describing a canonical representation for the
    inputs and outputs of the PDP.
  • Attributes referenced by an instance of XACML
    policy may be in the form of XPath expressions on
    the context, or attribute designators that
    identify the attribute by subject, resource,
    action or environment and its identifier.
  • Implementations must convert between the
    attribute representations in the application
    environment (e.g., SAML, J2SE, CORBA, and so on)
    and the attribute representations in the XACML
    context.
  • How this is achieved is outside the scope of the
    XACML specification. In some cases, such as
    SAML, this conversion may be accomplished in an
    automated way through the use of an XSLT
    transformation.

24
(No Transcript)
25
  • What is the Problem?
  • The XACML Model
  • Some Examples
  • Implementation Status

26
A Sample Policy
  • XACML policy for my Calendar
  • A single PolicySet that has several pieces that
    can easily be split out
  • and considered on their own

27
The top-level Target says that everything in this
policy applies to my calendar. After that there
are four sub-policies:

    <PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy cs-xacml-schema-policy-01.xsd"
        PolicySetId="stcCalenderPolicy"
        PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
      <Description>This policy defines all the access restrictions on Steve's calendar.</Description>
      <!-- This policy applies to all accesses to Steve's calendar -->
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">stc@cal.brown.edu</AttributeValue>
              <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>

28
Policy that applies to Steve, the owner, who has
all rights

      <Policy PolicyId="OwnerPolicy"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal">
                <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">stc@brown.edu</AttributeValue>
                <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                    AttributeId="principleName"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
        <!-- If it's the calendar owner, we permit anything -->
        <Rule RuleId="OwnerRule" Effect="Permit"/>
      </Policy>

29
A couple of policies that apply only if the
action is read

      <Policy PolicyId="ReadAccessPolicy"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <!-- only use if they're requesting read access -->
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>

30
Allow read access to anyone affiliated with Brown

        <Rule RuleId="affiliationWithBrown" Effect="Permit">
          <Target>
            <Subjects>
              <Subject>
                <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">.brown.edu</AttributeValue>
                  <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                      AttributeId="scopedAffiliation"/>
                </SubjectMatch>
              </Subject>
            </Subjects>
            <Resources>
              <AnyResource/>
            </Resources>
            <Actions>
              <AnyAction/>
            </Actions>
          </Target>
        </Rule>

31
See if they're in the Brown course cs123 and have
provided an acceptable entitlement

        <Rule RuleId="acceptibleEntitlements" Effect="Permit">
          <Target>
            <Subjects>
              <Subject>
                <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:mace:brown.edu:course:cs123</AttributeValue>
                  <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                      AttributeId="groupMembership"/>
                </SubjectMatch>
              </Subject>
            </Subjects>
            <Resources>
              <AnyResource/>
            </Resources>
            <Actions>
              <AnyAction/>
            </Actions>
          </Target>
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-is-in">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">

32
Policy that applies to Seth, a friend, who can
schedule events a week or more from now

      <Policy PolicyId="addInOneWeekOrMore"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal">
                <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">stp@alumni.brown.edu</AttributeValue>
                <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                    AttributeId="principleName"/>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <Action>
              <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add</AttributeValue>
                <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                    AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
              </ActionMatch>
            </Action>
          </Actions>
        </Target>

33
  • - ltRule RuleId"IsMoreThanOneWeekAhead"
    Effect"Permit"gt
  • - ltCondition FunctionId"urnoasisnamestcxacml
    1.0functiondateTime-greater-than"gt
  • - ltApply FunctionId"urnoasisnamestcxacml1.0
    functiondateTime-add-dayTimeDuration"gt
  • - ltApply FunctionId"urnoasisnamestcxacml1.0
    functiondateTime-one-and-only"gt
  •   ltResourceAttributeDesignator DataType"http//ww
    w.w3.org/2001/XMLSchemadateTime"
    AttributeId"calendarEntryDateTime" /gt
  •   lt/Applygt
  •   ltAttributeValue DataType"http//www.w3.org/TR/x
    query-operatorsdayTimeDuration"gtP7Dlt/AttributeVal
    uegt
  •   lt/Applygt
  • - ltApply FunctionId"urnoasisnamestcxacml1.0
    functiondateTime-one-and-only"gt
  •   ltEnvironmentAttributeDesignator
    DataType"http//www.w3.org/2001/XMLSchemadateTim
    e" AttributeId"urnoasisnamestcxacml1.0envir
    onmentcurrent-dateTime" /gt
  •   lt/Applygt
  •   lt/Conditiongt
  •   lt/Rulegt

34
If we didn't fall into the above categories, then
we deny

      <Policy PolicyId="denyAllOthers"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
        <Rule RuleId="denyOthers" Effect="Deny"/>
      </Policy>
    </PolicySet>
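The decision flow from the Targets, Evaluating Rules and Accumulating a Decision slides, run over a Python model of the calendar PolicySet above, as an added example. It is not code from the presentation or from Sun's implementation. Assumptions: policies are plain dicts and Targets are predicates over the subject, resource and action attribute dicts; the combining algorithms are simplified (an Indeterminate child is reported as Indeterminate rather than mapped to the rule's effect as the 1.0 spec does); the rfc822Name-match on ".brown.edu" is approximated by a domain-suffix test; the cs123 rule's entitlement Condition, cut off on the slide, is modelled as a group-membership target only; the week-ahead rule is implemented as calendarEntryDateTime > current-dateTime + P7D, the "at least one week away" constraint the slides describe; and the current-dateTime and sample requests are constructed.

```python
# Miniature XACML-style PDP: added example, not code from the slides or from sunxacml.
# Policies are plain dicts; Targets are predicates over the request's attribute
# categories; Rules carry an Effect and an optional Condition; the combining
# algorithms reconcile child decisions (Indeterminate handling is simplified).
from datetime import datetime, timedelta

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


def target_matches(target, request):
    """A Target maps a category to a predicate; an absent category means Any*."""
    for category in ("subject", "resource", "action"):
        predicate = target.get(category)
        if predicate is not None and not predicate(request[category]):
            return False
    return True


def evaluate_rule(rule, request):
    if not target_matches(rule.get("target", {}), request):
        return NOT_APPLICABLE
    condition = rule.get("condition")
    if condition is None:
        return rule["effect"]
    try:
        return rule["effect"] if condition(request) else NOT_APPLICABLE
    except (KeyError, TypeError):           # missing attribute or wrong data type
        return INDETERMINATE


def combine(algorithm, decisions):
    """first-applicable, deny-overrides and permit-overrides (simplified)."""
    if algorithm == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    winner, loser = (DENY, PERMIT) if algorithm == "deny-overrides" else (PERMIT, DENY)
    for outcome in (winner, INDETERMINATE, loser):
        if outcome in decisions:
            return outcome
    return NOT_APPLICABLE


def evaluate_policy(policy, request):
    """Evaluates a Policy (children are Rules) or a PolicySet (children are Policies)."""
    if not target_matches(policy.get("target", {}), request):
        return NOT_APPLICABLE
    if "rules" in policy:
        decisions = [evaluate_rule(r, request) for r in policy["rules"]]
    else:
        decisions = [evaluate_policy(p, request) for p in policy["policies"]]
    return combine(policy["algorithm"], decisions)


def one_week_ahead(request):
    # dateTime-greater-than(calendarEntryDateTime, current-dateTime + P7D)
    entry = request["resource"]["calendarEntryDateTime"]
    now = request["environment"]["current-dateTime"]
    return entry > now + timedelta(days=7)


CS123 = "urn:mace:brown.edu:course:cs123"
CALENDAR_POLICY_SET = {
    "algorithm": "first-applicable",
    "target": {"resource": lambda r: r["resource-id"] == "stc@cal.brown.edu"},
    "policies": [
        {"id": "OwnerPolicy", "algorithm": "first-applicable",
         "target": {"subject": lambda s: s.get("principleName") == "stc@brown.edu"},
         "rules": [{"id": "OwnerRule", "effect": PERMIT}]},
        {"id": "ReadAccessPolicy", "algorithm": "permit-overrides",
         "target": {"action": lambda a: a["action-id"] == "read"},
         "rules": [
             # rfc822Name-match against ".brown.edu" approximated by a domain-suffix test
             {"id": "affiliationWithBrown", "effect": PERMIT,
              "target": {"subject": lambda s: s.get("scopedAffiliation", "").endswith(".brown.edu")}},
             # the entitlement Condition is cut off on the slide; only the group target is modelled
             {"id": "acceptibleEntitlements", "effect": PERMIT,
              "target": {"subject": lambda s: CS123 in s.get("groupMembership", ())}},
         ]},
        {"id": "addInOneWeekOrMore", "algorithm": "first-applicable",
         "target": {"subject": lambda s: s.get("principleName") == "stp@alumni.brown.edu",
                    "action": lambda a: a["action-id"] == "add"},
         "rules": [{"id": "IsMoreThanOneWeekAhead", "effect": PERMIT, "condition": one_week_ahead}]},
        {"id": "denyAllOthers", "algorithm": "deny-overrides",
         "rules": [{"id": "denyOthers", "effect": DENY}]},
    ],
}

NOW = datetime(2003, 7, 10, 9, 0)   # constructed current-dateTime for the sample requests


def make_request(subject, action, resource_id="stc@cal.brown.edu", entry_days_ahead=None):
    """Builds a request context; entry_days_ahead sets calendarEntryDateTime relative to NOW."""
    resource = {"resource-id": resource_id}
    if entry_days_ahead is not None:
        resource["calendarEntryDateTime"] = NOW + timedelta(days=entry_days_ahead)
    return {"subject": subject, "resource": resource,
            "action": {"action-id": action}, "environment": {"current-dateTime": NOW}}


def decide(request):
    return evaluate_policy(CALENDAR_POLICY_SET, request)


if __name__ == "__main__":
    owner = {"principleName": "stc@brown.edu"}
    seth = {"principleName": "stp@alumni.brown.edu", "scopedAffiliation": "stp@alumni.brown.edu"}
    print("owner deletes:", decide(make_request(owner, "delete")))                          # Permit
    print("Seth reads:", decide(make_request(seth, "read")))                                 # Permit
    print("Seth adds 10 days out:", decide(make_request(seth, "add", entry_days_ahead=10)))  # Permit
    print("Seth adds 3 days out:", decide(make_request(seth, "add", entry_days_ahead=3)))    # Deny
    print("Seth adds, no date:", decide(make_request(seth, "add")))                          # Indeterminate
```

The last sample request shows why Indeterminate exists as a fourth answer: when the entry has no calendarEntryDateTime attribute the Condition cannot be evaluated, first-applicable stops at that policy, and the PEP is told it has no decision to enforce rather than being handed a Permit or a Deny it cannot justify. The denyAllOthers policy is what turns every other gap into a Deny; without it a request that matched no policy would come back NotApplicable.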

35
  • The first policy checks to see if the subject is
    stc@brown.edu. If it is, then the owner is making
    a request, and is therefore allowed to do
    anything. No other checking is done.
  • The second policy has a target that checks to see
    if the action is "read" and if it is then there
    are a couple of rules. The first rule says that
    anyone affiliated with Brown is allowed access.
    The second rule says that anyone in course cs123
    who provides an acceptable entitlement is allowed
    access. I tried to use names based on our
    conversation this morning, but again feel free to
    change things around if you'd like. Note that
    after our talk I decided that the best way to
    show dynamic attribute retrieval was in a rule,
    so in the second rule here, the assumption is
    that the acceptable entitlements come from some
    attribute source.
  • The third policy allows stp@alumni.brown.edu
    permission to add any event to your calendar, so
    long as the event is at least one week away. I
    think that's kind of a neat constraint that you
    can't do in the real world, and I wish I could
    use it on my calendar at work (I come in a lot to
    find that I've been scheduled for that day). Note
    that I also have read access to your calendar
    since I'm affiliated with Brown, per the second
    policy.
  • The fourth policy is a default, fall-through
    policy that says if none of

36
  • What is the Problem?
  • The XACML Model
  • Some Examples
  • Implementation Status

37
Implementation Status
  • Sun has a Java-based implementation
  • They have open-sourced it
  • http://sunxacml.sourceforge.net/
  • Provides complete support for
  • all the mandatory features of XACML as well as a
    number of optional features.
  • Specifically, there is full support for
  • parsing both policy and request/response
    documents,
  • determining applicability of policies, and
  • evaluating requests against policies.
  • All of the standard attribute types, functions,
    and combining algorithms are supported, and
  • there are APIs for adding new functionality as
    needed.
  • There are also APIs for writing new retrieval
    mechanisms used for finding things like policies
    and attributes.

38
Using the Sun Implementation
  • Sun is funding a summer intern
  • She is developing glue between common
    environments and the XACML engine
  • A library to build XACML Requests and parse
    Responses
  • Apache plugin
  • Perl Package (wrapper)
  • Suggestions?

39
Questions?