Transcript XACML

XACML
Gyanasekaran Radhakrishnan.
Raviteja Kadiyam.
What is XACML?
• XACML is a general-purpose access control policy language.
• It provides a syntax (defined in XML) for managing access to
resources.
• XACML is an OASIS standard.
• The policy language is used to describe general access control
requirements, and has standard extension points for defining
new functions, data types, combining logic, etc.
• The request/response language lets you form a query to ask
whether or not a given action should be allowed, and
interpret the result.
• The response always includes an answer about whether the
request should be allowed using one of four values: Permit,
Deny, Indeterminate or Not Applicable.
XACML – General Usage
Scenario.
• A subject (e.g. human user, workstation)
wants to take some action on a particular
resource.
• The subject submits its query to the entity
protecting the resource (e.g. file system,
web server). This entity is called a Policy
Enforcement Point (PEP).
Request and Response Context
• Request Context
• Attributes of:
• Subjects – requester, intermediary, recipient, etc.
• Resource – name, can be hierarchical
• Resource Content – specific to resource type, e.g. XML
document
• Action – e.g. Read
• Environment – other, e.g. time of request
• Response Context
•
•
•
•
Resource ID
Decision
Status (error values)
Obligations
Policies and Policy Sets
• Policy
• Smallest element PDP can evaluate
• Contains: Description, Defaults, Target, Rules, Obligations, Rule
Combining Algorithm
• Policy Set
• Allows Policies and Policy Sets to be combined
• Use not required
• Contains: Description, Defaults, Target, Policies, Policy Sets, Policy
References, Policy Set References, Obligations, Policy Combining
Algorithm
• Combining Algorithms: Deny-overrides, Permit-overrides,
First-applicable, Only-one-applicable
Rules
• Smallest unit of administration, cannot be evaluated alone
• Elements
•
•
•
•
Description – documentation
Target – select applicable policies
Condition – boolean decision function
Effect – either “Permit” or “Deny”
• Results
• If condition is true, return Effect value
• If not, return NotApplicable
• If error or missing data return Indeterminate
• Plus status code
*
Targets
• Designed to efficiently find the elements (policies,
rules) that apply to a request
• Makes it feasible to have very complex Conditions
• Attributes of Subjects, Resources and Actions
• Matches against value, using match function
•
•
•
•
Regular expression
RFC822 (email) name
X.500 name
User defined
• Attributes specified by Id or XPath expression
Advantages:
• ONE STANDARD access control policy
language for ALL organizations.
• Administrators save time and money
because they don't need to rewrite their
policies in many different languages.
• Developers save time and money because
they don't have to invent new policy
languages and write code to support them.
They can reuse existing code.
Disadvantages:
• XACML does not explicitly require the
specification of purpose or intent which is
often associated with a privacy policy.
• XACML is complex in some ways and
verbose. Interactions involving PAP, PIP,
etc., are not standardized.
• Policy administration, policy versioning,
etc., are not standardized.
• No feature of temporary authorization.
References:
• [1] OASIS XACML Technical Committee, Core Specification:
eXtensible Access Control Markup Language (XACML), 2005.
• [2] OASIS XACML v3.0 Administration and Delegation Profile
Version 1.0, http://www.oasis-open.org, 2009.
• [3] SAML 2.0 profile of XACML, version 2.July 2007.
http://www.oasisopen.org/committees/download.php/24681/xacml-profilesaml2.0-v2-spec-wd-5-en.pdf.
• [4] Dieter Spahni, "Managing Access to Distributed
Resources," hicss, vol. 4, pp.40094b, Proceedings of the 37th
Annual Hawaii International Conference on System Sciences
(HICSS'04) - Track 4, 2004
• [5] IETF RFC 3198 - Terminology for Policy-Based Management
http://tools.ietf.org/html/rfc3198
• [6] M. Satyanarayanan. A survey of distributed file systems.
Annual review of Computer Science, 1989.
• [7] Prathima Rao, Dan Lin, and Elisa Bertino. 2007. XACML
Function Annotations. In Proceedings of the Eighth IEEE
International Workshop on Policies for Distributed Systems
and Networks(POLICY '07). IEEE Computer Society,
Washington, DC, USA, 178-182.
• * - diagram borrowed from:
courses.cs.vt.edu/~cs5204/fall08.../Oct21-AuthorizationXACML.ppt.
Thank You.