![Page 1: Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose](https://reader030.vdocument.in/reader030/viewer/2022033104/56649dd25503460f94ac7fec/html5/thumbnails/1.jpg)
Tutorial on XACML
Audumbar
Access control and privacy
Who can access what, under what conditions, and for what purpose
XACML - About
The eXtensible Access Control Markup Language is an OASIS Standard.
The XACML standard provides:
• Policy Language
• Request and Response Language
• Standard data-types, functions, combining algorithms
• Extensibility
• Privacy profile, RBAC profile
• An architecture defining the major components in an implementation
General terms
• Resource: data, system component or service
• Subject: an actor who makes a request to access certain Resources
• Action: an operation on a resource
• Environment: the set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action
• Attributes: characteristics of a subject, resource, action or environment
• Target: defines the conditions that determine whether a policy applies to a request
Usage Scenario: Policy Enforcement Point (PEP)
• The entity protecting the resource (e.g. a file system)
• Performs access control by making decision requests and enforcing authorization decisions
Usage Scenario: Policy Administration Point (PAP)
• Creates security policies and stores these policies in the repository
Usage Scenario: Context Handler
• A Context is the canonical representation of a decision request and an authorization decision.
• A Context Handler can be defined to convert requests from their native format to the XACML canonical form, and to convert authorization decisions from the XACML canonical form back to the native format.
Usage Scenario: Policy Decision Point (PDP)
• Receives and examines the request
• Retrieves the applicable policies
• Evaluates the applicable policy
• Returns the authorization decision to the PEP
Usage Scenario: Policy Information Point (PIP)
• Serves as the source of attribute values, i.e. the data required for policy evaluation
![Page 10: How does it work: Data Flow (diagram only)](https://reader030.vdocument.in/reader030/viewer/2022033104/56649dd25503460f94ac7fec/html5/thumbnails/10.jpg)
How does it work: Data Flow
![Page 11: XACML Policy Structure (diagram only)](https://reader030.vdocument.in/reader030/viewer/2022033104/56649dd25503460f94ac7fec/html5/thumbnails/11.jpg)
XACML Policy Structure
![Page 12: Policy Language model (diagram only)](https://reader030.vdocument.in/reader030/viewer/2022033104/56649dd25503460f94ac7fec/html5/thumbnails/12.jpg)
Policy Language model
XACML Policy Example

```xml
<Policy PolicyId="ExamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://server.example.com/code/docs/developer-guide.html</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                                       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="ReadRule" Effect="Permit">
    …
  </Rule>
</Policy>
```
Policy Example contd

```xml
<Rule RuleId="ReadRule" Effect="Permit">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                  AttributeId="group"/>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue>
  </Condition>
</Rule>
```
XACML Request Structure
• Request
  • Subject attributes
  • Resource attributes
  • Action attributes
  • Environment attributes
Request Example

```xml
<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>seth@users.example.com</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group"
               DataType="http://www.w3.org/2001/XMLSchema#string"
               Issuer="admin@users.example.com">
      <AttributeValue>developers</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://server.example.com/code/docs/developer-guide.html</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>
```
XACML Response Structure
• Response
  • Decision
  • Status
  • Obligations
XACML Response Example

```xml
<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
```

Decision: Permit / Deny / NotApplicable / Indeterminate. (A Rule's Effect is only ever Permit or Deny; NotApplicable and Indeterminate arise from evaluation: no target matched, or an error such as a missing attribute.)
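The policy, request and response slides, tied together in code. This is an added example of mine, not part of the tutorial and not Sun's XACML: a minimal PDP that parses the example policy and request above and returns the Decision and StatusCode a Response would carry. The function names (parse_request, apply_fn, eval_expr, target_matches, eval_rule, permit_overrides, evaluate, pep_allows), the Indeterminate exception and the STATUS_* constants are my own; the policy text is the two policy slides joined into one document, and the request text is the request slide. It implements only the constructs that policy uses and reports everything else as Indeterminate.

```python
"""Minimal XACML 1.0-style PDP for the tutorial's example policy and request. Added example (mine, not
the tutorial's and not Sun's XACML): only the constructs that policy uses; anything else is Indeterminate."""
import xml.etree.ElementTree as ET
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STATUS_OK, STATUS_ERR = "urn:oasis:names:tc:xacml:1.0:status:ok", "urn:oasis:names:tc:xacml:1.0:status:processing-error"

# Constructed sample input: the two policy slides joined into one <Policy>.
POLICY_XML = """<Policy PolicyId="ExamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target><Subjects><AnySubject/></Subjects><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://server.example.com/code/docs/developer-guide.html</AttributeValue>
   <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  </ResourceMatch></Resource></Resources><Actions><AnyAction/></Actions></Target>
 <Rule RuleId="ReadRule" Effect="Permit">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><Action>
   <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
   </ActionMatch></Action></Actions></Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="group"/></Apply>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue>
  </Condition></Rule></Policy>"""

# Constructed sample input: the request slide (subject-id and Issuer as in the XACML 1.0 spec example it reproduces).
REQUEST_XML = """<Request><Subject>
 <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
  <AttributeValue>seth@users.example.com</AttributeValue></Attribute>
 <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="admin@users.example.com">
  <AttributeValue>developers</AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
  <AttributeValue>http://server.example.com/code/docs/developer-guide.html</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
  <AttributeValue>read</AttributeValue></Attribute></Action></Request>"""

class Indeterminate(Exception):
    """Evaluation error: missing or multi-valued attribute, unsupported function or element."""

def parse_request(xml):
    """<Request> -> {"Subject": {attr-id: [values]}, "Resource": ..., "Action": ..., "Environment": ...}"""
    req = {c: {} for c in ("Subject", "Resource", "Action", "Environment")}
    for category in ET.fromstring(xml):
        for attr in category.findall("Attribute"):
            req[category.tag].setdefault(attr.get("AttributeId"), []).extend(v.text for v in attr.findall("AttributeValue"))
    return req

def apply_fn(fid, args):
    """The three functions the policy uses; anything else is an error, never a silent True."""
    if fid in (FN + "string-equal", FN + "anyURI-equal"):
        return args[0] == args[1]
    if fid == FN + "string-one-and-only":  # the bag must hold exactly one value
        if len(args[0]) != 1:
            raise Indeterminate(f"bag has {len(args[0])} values, expected exactly 1")
        return args[0][0]
    raise Indeterminate(f"unsupported function {fid}")

def eval_expr(elem, req):
    """AttributeValue -> string; *AttributeDesignator -> bag (list); Apply/Condition -> function result."""
    if elem.tag == "AttributeValue":
        return elem.text
    if elem.tag.endswith("AttributeDesignator"):  # SubjectAttributeDesignator -> req["Subject"]
        return req[elem.tag[:-len("AttributeDesignator")]].get(elem.get("AttributeId"), [])
    if elem.tag in ("Apply", "Condition"):
        return apply_fn(elem.get("FunctionId"), [eval_expr(c, req) for c in elem])
    raise Indeterminate(f"unsupported element {elem.tag}")

def target_matches(target, req):
    """Subjects, Resources and Actions must all match; a section matches if any child does; a child
    matches if each *Match (AttributeValue, then designator) holds for some value in the bag."""
    return all(section[0].tag.startswith("Any") or any(
        all(any(apply_fn(m.get("MatchId"), [m[0].text, v]) for v in eval_expr(m[1], req)) for m in child)
        for child in section) for section in target)

def eval_rule(rule, req):
    """Rule -> its Effect (Permit/Deny), NotApplicable, or Indeterminate on an evaluation error."""
    try:
        if not target_matches(rule.find("Target"), req):
            return "NotApplicable"
        cond = rule.find("Condition")
        return rule.get("Effect") if cond is None or eval_expr(cond, req) is True else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"

def permit_overrides(decisions):
    """Permit wins; an error is surfaced, not hidden behind Deny (real PDPs also weigh the erroring rule's Effect)."""
    return next((d for d in ("Permit", "Indeterminate", "Deny") if d in decisions), "NotApplicable")

def evaluate(policy_xml, req):
    """Return (Decision, StatusCode) as a <Response>/<Result> would carry them."""
    policy = ET.fromstring(policy_xml)
    try:
        decision = (permit_overrides([eval_rule(r, req) for r in policy.findall("Rule")])
                    if target_matches(policy.find("Target"), req) else "NotApplicable")
    except Indeterminate:
        decision = "Indeterminate"
    return decision, (STATUS_ERR if decision == "Indeterminate" else STATUS_OK)

def pep_allows(decision):
    """Deny-biased PEP: only an explicit Permit grants access; NotApplicable and Indeterminate do not."""
    return decision == "Permit"
```

Two things worth noticing. A request that lacks the group attribute does not come back as Deny: string-one-and-only over an empty bag makes the rule Indeterminate, and the Response carries the processing-error status. Likewise a request for the action write is NotApplicable, not Deny, because the rule's Target never matched. Only a deny-biased PEP, one that grants access solely on an explicit Permit (pep_allows), turns either outcome into a refusal; a PEP that blocks only on Deny would let both through.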
Combining Algorithms
• Deny-overrides: if any rule evaluates to Deny, then the result must be Deny. If any rule evaluates to Permit and all other rules evaluate to NotApplicable, then the result is Permit.
• Permit-overrides: if any rule evaluates to Permit, then the result is Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the result is Deny. If all rules are found to be NotApplicable, then the result is NotApplicable.
Combining Algorithms (contd)
• First-applicable: rules are evaluated in their listing order. For each rule, if the target matches and the condition evaluates to True, then the effect of that rule (Permit or Deny) becomes the result of the policy; an error while evaluating that rule makes the result Indeterminate. Otherwise the algorithm goes on to the next rule. If no rule applies, then the result is NotApplicable.
• Only-one-applicable (a policy-combining algorithm): for all policies in the policy set, if no policy applies, then the result is NotApplicable. If more than one policy applies, then the result is Indeterminate. If only one policy applies, then the result is the result of evaluating that policy.
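The two combining-algorithm slides above, worked as code. This is an added example of mine, not part of the tutorial and not any PDP's source: a rule is modelled as an (Effect, decision) pair, rule sets and policy sets are lists, and the functions deny_overrides, permit_overrides, first_applicable, only_one_applicable and compare, as well as the constructed rule sets CONFLICT and DENY_RULE_ERRORED, are all my own names. It goes beyond the slides in one respect: Indeterminate is handled the way the effect-aware pseudo-code in the XACML 2.0 combining-algorithm appendix does, which the slides do not discuss; XACML 1.0 PDPs differ in detail, so check the version your PDP implements.

```python
"""XACML combining algorithms as pure functions over the decisions their rules or policies produced.
Added example (mine, not the tutorial's and not any vendor's PDP). A rule is (effect, decision): the
Effect it declares and what evaluating it returned. Indeterminate is handled as in the effect-aware
pseudo-code of the XACML 2.0 combining-algorithm appendix; 1.0 PDPs differ in detail."""
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"


def deny_overrides(rules):
    """Any Deny wins. A rule with Effect Deny that could not be evaluated also yields Deny:
    the algorithm fails closed, so an evaluation error can never widen access."""
    potential_deny = any_permit = any_error = False
    for effect, decision in rules:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            any_permit = True
        elif decision == IND:
            any_error, potential_deny = True, potential_deny or effect == DENY
    if potential_deny:
        return DENY
    if any_permit:
        return PERMIT
    return IND if any_error else NA


def permit_overrides(rules):
    """Any Permit wins. A Deny rule that could not be evaluated is simply not applied, so a failed
    attribute lookup on the Deny side leaves the Permit standing: the algorithm fails open."""
    potential_permit = any_deny = any_error = False
    for effect, decision in rules:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            any_deny = True
        elif decision == IND:
            any_error, potential_permit = True, potential_permit or effect == PERMIT
    if potential_permit:  # a Permit rule errored: report the error, do not fall back to Deny
        return IND
    if any_deny:
        return DENY
    return IND if any_error else NA


def first_applicable(rules):
    """Listing order decides: the first rule that is not NotApplicable ends evaluation,
    so a broad Permit placed above a narrow Deny shadows it."""
    return next((decision for _effect, decision in rules if decision != NA), NA)


def only_one_applicable(policies):
    """Policy combining. Each policy is (target, evaluate): target is "Match", "NoMatch" or
    Indeterminate from its <Target>; evaluate is a zero-argument callable that is run only
    when the policy turns out to be the single applicable one."""
    applicable = []
    for target, evaluate in policies:
        if target == IND:
            return IND
        if target == "Match":
            applicable.append(evaluate)
    if len(applicable) > 1:
        return IND
    return applicable[0]() if applicable else NA


# Constructed rule outcomes: a broad "developers may read" Permit rule and a narrower
# "contractors may not read" Deny rule, both of which fired for a contractor who is also a developer.
CONFLICT = [(PERMIT, PERMIT), (DENY, DENY)]
# Same pair, but the Deny rule could not evaluate (say the PIP had no contractor attribute to return).
DENY_RULE_ERRORED = [(PERMIT, PERMIT), (DENY, IND)]


def compare(rules):
    """Run one rule set through each rule-combining algorithm, in both listing orders."""
    return {"deny-overrides": deny_overrides(rules),
            "permit-overrides": permit_overrides(rules),
            "first-applicable": first_applicable(rules),
            "first-applicable (Deny listed first)": first_applicable(rules[::-1])}


if __name__ == "__main__":
    for name, rules in (("conflict", CONFLICT), ("deny rule errored", DENY_RULE_ERRORED)):
        print(name, compare(rules))
```

The point to take from compare(): the same two rules yield Deny, Permit, Permit or Deny depending only on the algorithm chosen and on listing order, and when the Deny rule cannot be evaluated, deny-overrides still returns Deny while permit-overrides returns Permit. If the attribute a Deny rule needs comes from a PIP that can fail or be starved, permit-overrides quietly converts that failure into access; pick the algorithm for the failure posture you want, not just for the conflict case.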
Extensibility
• Extensible XML attribute types: the following XML attributes, whose values are URIs, may be extended by the creation of new URIs associated with new semantics for these attributes: AttributeId, DataType, FunctionId, MatchId, ObligationId, PolicyCombiningAlgId, RuleCombiningAlgId, StatusCode, SubjectCategory.
• For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types.
• A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.
Privacy profile
This profile defines two attributes:
• "urn:oasis:names:tc:xacml:2.0:resource:purpose": the purpose for which the data resource was collected
• "urn:oasis:names:tc:xacml:2.0:action:purpose": the purpose for which access to the data resource is requested
Matching purpose rule (Deny-overrides): access SHALL be denied unless the purpose for which access is requested matches, by regular-expression match, the purpose for which the data resource was collected.
RBAC profile: Scope
• If a subject has roles R1, R2, ... Rn enabled, can subject X access a given resource using a given action?
• Is subject X allowed to have role Ri enabled?
• If a subject has roles R1, R2, ... Rn enabled, does that mean the subject has the permissions associated with a given role R'? That is, is role R' either equal to or junior to any of roles R1, R2, ... Rn?
RBAC Profile Policies
• Role <PolicySet>: each Role <PolicySet> references a single corresponding Permission <PolicySet>
• Permission <PolicySet>: the actual permissions associated with a given role, plus references to the Permission <PolicySet>s associated with other roles that are junior to the given role
• Role Assignment <Policy> or <PolicySet>: which roles can be enabled or assigned to which subjects
• HasPrivilegesOfRole <Policy>: a <Policy> in a Permission <PolicySet> that supports requests asking whether a subject has the privileges associated with a given role
XACML implementations
• Using the Sun XACML implementation: building a PDP, building a PEP, creating and encoding policies, validating policies and requests, supporting attribute selectors
• XACMLight: Apache Axis2 Web Service XACML 2.0 PDP/PAP implementation
• XACML policy editors
Limitations
• XACML is verbose and complex in some ways.
• Interactions involving the PAP, PIP, etc. are not standardized.
• Policy administration, policy versioning, etc. are not standardized.
References
• OASIS XACML Technical Committee Home Page: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
• Sun's XACML Open Source Implementation: http://sunxacml.sourceforge.net/