SlideShare a Scribd company logo

Authorization The Missing Piece of the Puzzle

Nordic APIs, profile picture
Nordic APIs

XACML (eXtensible Access Control Markup Language) is an OASIS standard for defining and interpreting access control policies across multiple security domains. It provides a policy language and request/response protocol for making authorization decisions based on attributes. XACML policies can be defined in terms of attributes for subjects, resources, actions, and the environment, allowing for fine-grained and context-aware access control (ABAC). The XACML architecture separates policy enforcement from decision making and includes policy administration, information, and retrieval points.

BusinessTechnology
1 of 35
Downloaded 55 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
© 2013, Axiomatics AB Authorization The Missing Piece of the Puzzle @srijith @axiomatics Srijith Nair Director, Developer Relations
© 2013, Axiomatics AB Show of Hands: Authorization? XACML?
© 2013, Axiomatics AB Identity is key Services need to know who you are You need to prove who you are Several protocols exist to support Authentication Authentication (AuthN) “Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”
© 2013, Axiomatics AB Identity is key, but it is not everything Authentication proves your identity It does not decide what that identity entails Enter Authorization Authorization (AuthZ) “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
© 2013, Axiomatics AB Some frameworks, stds. confuse both phases Often AuthN ≡ AuthZ If you have authenticated then you are in… AuthZ is part of a bigger process Identify Authenticate Authorize Think of the access to your APIs… AuthN vs. AuthZ
© 2013, Axiomatics AB Business-driven authorization Let “Gold” customers access APIs 1,2 but not 3 Let “Platinum” customers access all APIs Compliance-driven authorization Do not let traders approve transactions they requested Privacy-driven authorization Do not disclose medical data to non-employee users AuthZ addresses various concerns
© 2013, Axiomatics AB Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-Based Access Control (RBAC) It’s widely adopted It’s well understood and industry-standard It’s simple Most apps support some form of RBAC Authorization Approaches
© 2013, Axiomatics AB Inflexible & static Difficult to define fine-grained access control rules Doesn’t scale Role explosion How to implement the rule: Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship Where’s the role? Doctor What’s a patient? A record? A care relationship? Problem with RBAC?
© 2013, Axiomatics AB Pull out the highlighter What if we were not limited to roles? Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship Attributes, Attributes, Attributes!
© 2013, Axiomatics AB Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests Attributes Are sets of labels or properties Describe all aspects of entities that must be considered for authorization purposes Each attribute consists of a key-value pair such as “Class=Gold”, “OS=Windows” Attribute-based access control
© 2013, Axiomatics AB ABAC – beyond RBAC Role-Based Access Control Attribute-Based Access Control User  Role  Permissions User + Action + Resource + Context Attributes Policies Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM. Static & pre-defined Dynamic & Adaptive Role 1 Role 2 P P P P P P
© 2013, Axiomatics AB eXtensible Authorization – Future Proofing External to Applications Standards- Compliant Authorization Service Fine- Grained Context-Aware Attribute-based Access Control
© 2013, Axiomatics AB Enter XACML
© 2013, Axiomatics AB Pronunciation eXtensible Access Control Markup Language OASIS standard V 3.0 approved in January 2013 V 1.0 approved in 2003 (10 years ago!) XACML is expressed as A specification document and An XML schema REST profile for XACML exists (CSD) http://www.oasis-open.org/committees/xacml/ 14 What is XACML?
© 2013, Axiomatics AB 15 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
© 2013, Axiomatics AB 16 XACML-Architecture Access request
© 2013, Axiomatics AB 17 XACML-Architecture Enforce Policy Enforcement Point
© 2013, Axiomatics AB 18 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point
© 2013, Axiomatics AB 19 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point Support Policy Information Point Policy Retrieval Point
© 2013, Axiomatics AB 20 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point
© 2013, Axiomatics AB 21 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
© 2013, Axiomatics AB Everything can be described in terms of attributes Attributes can be grouped into categories And many more… It’s all about Attributes! ABAC 22 Attributes & Categories Environment Subject Action Resource
© 2013, Axiomatics AB 23 Examples of attributes Subject Action Resource Environment A user … … wants to do something … … with an information asset … … in a given context Examples: A claims administrator… …wants to register a … … claim receipt for a new claim… … via a secure channel authenticated using the corporate smart card An adjuster… …wants to approve payments of … … claim payment … …from his office computer during regular business hours A manager wants to … … assign a claim… …to a claim adjuster… … at 2 o’clock at night from a hotel lounge in Chisinau…
© 2013, Axiomatics AB <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml- ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType=http://www.w3.org/2001/XMLSchema#string>Laptop</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/acs/role" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">Manager</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/asm/entity/type" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request> Example XACML 3.0 Request, XML
© 2013, Axiomatics AB <xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Result> <xacml-ctx:Decision>Permit</xacml-ctx:Decision> <xacml-ctx:Status> <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> </xacml-ctx:Status> </xacml-ctx:Result> </xacml-ctx:Response> Example XACML 3.0 Response
© 2013, Axiomatics AB 3 levels of elements PolicySet Policy Rule At root is PolicySet or Policy PolicySet can contain PolicySet and Policy Policy can contain Rule Rule evaluation returns PERMIT, DENY, Indeterminate, NotApplicable Rule Combining Algorithms Policy Combining Algorithms 26 Language Elements of XACML PolicySet PolicySet Policy Rule Effect Permit Deny Policy Rule Rule
© 2013, Axiomatics AB All 3 elements can contain Target elements At the heart of most Rules is a Condition Obligation/Advice can be specified at all 3 levels 27 Language Structure: Russian dolls PolicySet PolicySet Policy Rule Effect Target T T TC Permit Deny O Obligation O O O = Obligation / Advice C = Condition T = Target
© 2013, Axiomatics AB 28 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
© 2013, Axiomatics AB Environment Subject Action Resource Environment Action Resource Subject 29 XACML Concepts It’s all about Attributes! ABAC = Attribute Based Access Control XACML Policies XACML Request XACML Response
© 2013, Axiomatics AB • Subject User id = Alice Role = Manager • Action Action id = approve • Resource Resource type = Purchase Order PO #= 12367 • Environment Device Type = Laptop 30 Structure of a XACML Request / Response XACML Request XACML Response Can Manager Alice approve Purchase Order 12367? Yes, she can • Result Decision: Permit Status: ok The core XACML specification does not define any specific transport / communication protocol: -Developers can choose their own. -The SAML profile defines a binding to send requests/responses over SAML assertions
© 2013, Axiomatics AB In addition, XACML response can also contain: Obligation: PEP must comply with the obligation and is required to deny access if it cannot understand or enforce the obligation Advice: the PEP may comply with the advice and can be safely ignored if not understood or cannot be acted on 31 Obligation & Advice
© 2013, Axiomatics AB AuthN is not enough. AuthZ is needed. RBAC is often not enough. ABAC is needed. XACML is a prominent ABAC system. XACML consists of: Reference Architecture Policy Language Request Response Protocol Summary
© 2013, Axiomatics AB Axiomatics is world’s leading independent provider of dynamic AuthZ solutions Our products enable efficient XACML-based authorization APIs, SDKs for system integration Java and .NET support APS Developer Edition provides you with all the power of our product in a read-to-use package http://axiomatics.com/aps-developer-edition.html Summary (Axiomatics)
© 2013, Axiomatics AB http://developers.axiomatics.com http://www.technicalprivacytraining.org/ https://www.oasis-open.org/committees/xacml/ http://docs.oasis-open.org/xacml/xacml- rest/v1.0/xacml-rest-v1.0.pdf http://www.webfarmr.eu/ http://analyzingidentity.com/ More Information
© 2013, Axiomatics AB Questions? Contact us at info@axiomatics.com

More Related Content

PDF
Launching a Successful and Secure API
Nordic APIs
 
PDF
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
PPTX
Incorporating OAuth
Twobo Technologies
 
PDF
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Twobo Technologies
 
PDF
Neo-security Stack
Twobo Technologies
 
PDF
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
PDF
Designing an API
Twobo Technologies
 
PDF
Nordic APIs - Building a Secure API
Twobo Technologies
 
Launching a Successful and Secure API
Nordic APIs
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Nordic APIs
 
Incorporating OAuth
Twobo Technologies
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Twobo Technologies
 
Neo-security Stack
Twobo Technologies
 
Secure your APIs using OAuth 2 and OpenID Connect
Nordic APIs
 
Designing an API
Twobo Technologies
 
Nordic APIs - Building a Secure API
Twobo Technologies
 

What's hot (20)

PPTX
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
PDF
OAuth and OpenID Connect for Microservices
Twobo Technologies
 
PDF
Synergies of Cloud Identity: Putting it All Together
Twobo Technologies
 
PDF
Integrated social solutions, the power and pitfalls of mashups
Nordic APIs
 
PDF
Twobo LDAP Attribute Store for ADFS
Twobo Technologies
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
PPTX
OAuth Assisted Token Flow for Single Page Applications
Nordic APIs
 
PDF
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
PPTX
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
Nordic APIs
 
PDF
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
PPTX
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
PDF
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
PDF
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
PPTX
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
PPTX
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
PDF
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
PDF
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
Nordic APIs
 
OAuth and OpenID Connect for Microservices
Twobo Technologies
 
Synergies of Cloud Identity: Putting it All Together
Twobo Technologies
 
Integrated social solutions, the power and pitfalls of mashups
Nordic APIs
 
Twobo LDAP Attribute Store for ADFS
Twobo Technologies
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Open APIs - Risks and Rewards (Øredev 2013)
Nordic APIs
 
OAuth Assisted Token Flow for Single Page Applications
Nordic APIs
 
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes
Nordic APIs
 
GHC18 Abstract - API Security, a Grail Quest
PaulaPaulSlides
 
Oauth Nightmares Abstract OAuth Nightmares
Nino Ho
 
Enterprise Access Control Patterns for Rest and Web APIs
CA API Management
 
OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk
Nov Matake
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
LASCON 2017: SAML v. OpenID v. Oauth
Mike Schwartz
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Why Assertion-based Access Token is preferred to Handle-based one?
Hitachi, Ltd. OSS Solution Center.
 
CIS14: Consolidating Authorization for API and Web SSO using OpenID Connect
CloudIDSummit
 
Single Sign On with OAuth and OpenID
Gasperi Jerome
 
Ad

Viewers also liked (20)

PPTX
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
David Brossard
 
PDF
Running an API 24/365
Nordic APIs
 
PDF
State of APIs: API trends from Nordic APIs Copenhagen & Sundsvall
Andreas Krohn
 
PPTX
Pie for Sale: Timeless Lessons in API Advocacy (Adam DuVander)
Nordic APIs
 
PPTX
Public Transport APIs – How we are using and creating long lasting APIs at No...
Nordic APIs
 
PDF
API Creation to Iteration without the Frustration
Nordic APIs
 
PPTX
Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)
Nordic APIs
 
PDF
Why should i care about hypermedia
Nordic APIs
 
PDF
Automotive Grade APIs – designing for longevity
Nordic APIs
 
PDF
The end of polling (Audrey Neveu)
Nordic APIs
 
PDF
Versioning strategy for a complex internal API (Konstantin Yakushev)
Nordic APIs
 
PPTX
API Management - The Value of the Management Part
Menno Abbink
 
PDF
Apinf Open Api Management
Taija Björklund
 
PDF
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Nordic APIs
 
PDF
TDD for APIs in a Microservice World (Michael Kuehne Schlinkert)
Nordic APIs
 
PPTX
Platform Security that will Last for Decades (Travis Spencer)
Nordic APIs
 
PDF
Introduction to The 6 Insights of API Practice (Bill Doerrfeld)
Nordic APIs
 
PPTX
Microservices architecture overview v2
Dmitry Skaredov
 
PPTX
APIs as The Source of Truth (Zane Claes)
Nordic APIs
 
PDF
Building a serverless API in the cloud
Nordic APIs
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
David Brossard
 
Running an API 24/365
Nordic APIs
 
State of APIs: API trends from Nordic APIs Copenhagen & Sundsvall
Andreas Krohn
 
Pie for Sale: Timeless Lessons in API Advocacy (Adam DuVander)
Nordic APIs
 
Public Transport APIs – How we are using and creating long lasting APIs at No...
Nordic APIs
 
API Creation to Iteration without the Frustration
Nordic APIs
 
Lean and Mean – Authorization for kick-ass APIs (Jonas Markström)
Nordic APIs
 
Why should i care about hypermedia
Nordic APIs
 
Automotive Grade APIs – designing for longevity
Nordic APIs
 
The end of polling (Audrey Neveu)
Nordic APIs
 
Versioning strategy for a complex internal API (Konstantin Yakushev)
Nordic APIs
 
API Management - The Value of the Management Part
Menno Abbink
 
Apinf Open Api Management
Taija Björklund
 
Lessons Learned from Building Enterprise APIs (Gustaf Nyman)
Nordic APIs
 
TDD for APIs in a Microservice World (Michael Kuehne Schlinkert)
Nordic APIs
 
Platform Security that will Last for Decades (Travis Spencer)
Nordic APIs
 
Introduction to The 6 Insights of API Practice (Bill Doerrfeld)
Nordic APIs
 
Microservices architecture overview v2
Dmitry Skaredov
 
APIs as The Source of Truth (Zane Claes)
Nordic APIs
 
Building a serverless API in the cloud
Nordic APIs
 
Ad

Similar to Authorization The Missing Piece of the Puzzle (20)

PDF
Axiomatics webinar 13 june 2013 shared
Finn Frisch
 
PDF
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CloudIDSummit
 
PDF
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
ggebel
 
PPTX
Authorization - it's not just about who you are
David Brossard
 
PDF
CIS14: The Very Latest in Authorization Standards
CloudIDSummit
 
PPTX
Fine grained access control for cloud-based services using ABAC and XACML
David Brossard
 
PPTX
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
David Brossard
 
PPTX
AccessControlMgmt_EKT_1709_FPS01_version1pptx
DevendraPhate1
 
PDF
IRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET Journal
 
PDF
Opa in the api management world
Red Hat
 
PDF
Aws well architected-framework
saifam
 
PPTX
Re:cap día 2 del Aws Re:Invent 2023 - AWS UG Chile
Alvaro Garcia
 
PPT
SSO Strategy Implementation Considerations
John Bauer
 
PDF
Microsoft certified azure fundamentals exam code az-900
Zabeel Institute
 
PPTX
Exploring_agents_with_Amazon_Bedrock.pptx
Pavanhc7
 
PPTX
Top Ten Reasons Why Developers Don't Adopt ABAC
ForgeRock
 
PDF
18 checklists, actions, and workforce predictions
mohamed refaei
 
PDF
Advanced Controls access and user security for superusers con8824
Oracle
 
PDF
CSDM Presentation and Naming Conventions
wyservices66
 
PDF
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Karim Vaes
 
Axiomatics webinar 13 june 2013 shared
Finn Frisch
 
CIS 2015- Rethinking Your Authorization Strategy- Gerry Gebel
CloudIDSummit
 
Twin Cities IAM Meet Up - May 2014 - The latest in authorization trends and s...
ggebel
 
Authorization - it's not just about who you are
David Brossard
 
CIS14: The Very Latest in Authorization Standards
CloudIDSummit
 
Fine grained access control for cloud-based services using ABAC and XACML
David Brossard
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
David Brossard
 
AccessControlMgmt_EKT_1709_FPS01_version1pptx
DevendraPhate1
 
IRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET Journal
 
Opa in the api management world
Red Hat
 
Aws well architected-framework
saifam
 
Re:cap día 2 del Aws Re:Invent 2023 - AWS UG Chile
Alvaro Garcia
 
SSO Strategy Implementation Considerations
John Bauer
 
Microsoft certified azure fundamentals exam code az-900
Zabeel Institute
 
Exploring_agents_with_Amazon_Bedrock.pptx
Pavanhc7
 
Top Ten Reasons Why Developers Don't Adopt ABAC
ForgeRock
 
18 checklists, actions, and workforce predictions
mohamed refaei
 
Advanced Controls access and user security for superusers con8824
Oracle
 
CSDM Presentation and Naming Conventions
wyservices66
 
Global Azure Bootcamp 2018 - Oh no my organization went Azure
Karim Vaes
 

More from Nordic APIs (20)

PPTX
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
PPTX
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
PDF
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
PPTX
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
PPTX
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
PDF
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
PPTX
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
PPTX
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
PPTX
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
PPTX
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
PPTX
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
PPTX
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
PPTX
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
PPTX
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
PPTX
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
PPTX
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
PPTX
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
PPTX
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
PDF
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
PPTX
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 
How to Choose the Right API Platform - We Have the Tool You Need! - Mikkel Iv...
Nordic APIs
 
Bulletproof Backend Architecture: Building Adaptive Services with Self-Descri...
Nordic APIs
 
Implementing Zero Trust Security in API Gateway with Cilium - Pubudu Gunatila...
Nordic APIs
 
Event-Driven Architecture the Cloud-Native Way - Manuel Ottlik, HDI Global SE
Nordic APIs
 
Navigating the Post-OpenAPI Era with Innovative API Design Frameworks - Danie...
Nordic APIs
 
Using Typespec for Open Finance Standards - Chris Wood, Ozone API
Nordic APIs
 
Schema-first API Design Using Typespec - Cailin Smith, Microsoft
Nordic APIs
 
Avoiding APIpocalypse; API Resiliency Testing FTW! - Naresh Jain, Xnsio
Nordic APIs
 
How to Build an Integration Platform with Open Source - Magnus Hedner, Benify
Nordic APIs
 
API Design First in Practise – An Experience Report - Hari Krishnan, Specmatic
Nordic APIs
 
The Right Kind of API – How To Choose Appropriate API Protocols and Data Form...
Nordic APIs
 
Why Frequent API Hackathons Are Key to Product Market Feedback and Go-to-Mark...
Nordic APIs
 
Maximizing API Management Efficiency: The Power of Shifting Down with APIOps ...
Nordic APIs
 
APIs Vs Events - Bala Bairapaka, Sandvik AB
Nordic APIs
 
GraphQL in the Post-Hype Era - Daniel Hervas, Reckon Digital
Nordic APIs
 
From Good API Design to Secure Design - Axel Grosse, 42Crunch
Nordic APIs
 
API Revolution in IoT: How Platform Engineering Streamlines API Development -...
Nordic APIs
 
Unlocking the ROI of API Platforms: What Success Actually Looks Like - Budhad...
Nordic APIs
 
Increase Your Productivity with No-Code GraphQL Mocking - Hugo Guerrero, Red Hat
Nordic APIs
 
Securely Boosting Any Product with Generative AI APIs - Ruben Sitbon, Theodo ...
Nordic APIs
 

Recently uploaded (20)

PDF
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
PPTX
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
PPT
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
PDF
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
PDF
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
PDF
How to Get Business Funding for Small Business Fast
Jake Thornhill
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
DOCX
Business Management - unit 1 and 2
anithak410
 
PDF
Business model innovation report 2022.pdf
pradvapal
 
PDF
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
sidnik500
 
PDF
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PPTX
Principles of Marketing, Industrial, Consumers,
efranciscaantoinette
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
IFRS Notes in your pocket for study all the time
jjj81507
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
Solara Labs: Empowering Health through Innovative Nutraceutical Solutions
The lifescience magaizne
 
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
How to Get Business Funding for Small Business Fast
Jake Thornhill
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
Business Management - unit 1 and 2
anithak410
 
Business model innovation report 2022.pdf
pradvapal
 
SIMNET Inc – 2023’s Most Trusted IT Services & Solution Provider
sidnik500
 
Types of control:Qualitative vs Quantitative
reshmaaslm06
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
Principles of Marketing, Industrial, Consumers,
efranciscaantoinette
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 

Authorization The Missing Piece of the Puzzle

  • 1. © 2013, Axiomatics AB Authorization The Missing Piece of the Puzzle @srijith @axiomatics Srijith Nair Director, Developer Relations
  • 2. © 2013, Axiomatics AB Show of Hands: Authorization? XACML?
  • 3. © 2013, Axiomatics AB Identity is key Services need to know who you are You need to prove who you are Several protocols exist to support Authentication Authentication (AuthN) “Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”
  • 4. © 2013, Axiomatics AB Identity is key, but it is not everything Authentication proves your identity It does not decide what that identity entails Enter Authorization Authorization (AuthZ) “The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
  • 5. © 2013, Axiomatics AB Some frameworks, stds. confuse both phases Often AuthN ≡ AuthZ If you have authenticated then you are in… AuthZ is part of a bigger process Identify Authenticate Authorize Think of the access to your APIs… AuthN vs. AuthZ
  • 6. © 2013, Axiomatics AB Business-driven authorization Let “Gold” customers access APIs 1,2 but not 3 Let “Platinum” customers access all APIs Compliance-driven authorization Do not let traders approve transactions they requested Privacy-driven authorization Do not disclose medical data to non-employee users AuthZ addresses various concerns
  • 7. © 2013, Axiomatics AB Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-Based Access Control (RBAC) It’s widely adopted It’s well understood and industry-standard It’s simple Most apps support some form of RBAC Authorization Approaches
  • 8. © 2013, Axiomatics AB Inflexible & static Difficult to define fine-grained access control rules Doesn’t scale Role explosion How to implement the rule: Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship Where’s the role? Doctor What’s a patient? A record? A care relationship? Problem with RBAC?
  • 9. © 2013, Axiomatics AB Pull out the highlighter What if we were not limited to roles? Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship Attributes, Attributes, Attributes!
  • 10. © 2013, Axiomatics AB Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests Attributes Are sets of labels or properties Describe all aspects of entities that must be considered for authorization purposes Each attribute consists of a key-value pair such as “Class=Gold”, “OS=Windows” Attribute-based access control
  • 11. © 2013, Axiomatics AB ABAC – beyond RBAC Role-Based Access Control Attribute-Based Access Control User  Role  Permissions User + Action + Resource + Context Attributes Policies Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM. Static & pre-defined Dynamic & Adaptive Role 1 Role 2 P P P P P P
  • 12. © 2013, Axiomatics AB eXtensible Authorization – Future Proofing External to Applications Standards- Compliant Authorization Service Fine- Grained Context-Aware Attribute-based Access Control
  • 13. © 2013, Axiomatics AB Enter XACML
  • 14. © 2013, Axiomatics AB Pronunciation eXtensible Access Control Markup Language OASIS standard V 3.0 approved in January 2013 V 1.0 approved in 2003 (10 years ago!) XACML is expressed as A specification document and An XML schema REST profile for XACML exists (CSD) http://www.oasis-open.org/committees/xacml/ 14 What is XACML?
  • 15. © 2013, Axiomatics AB 15 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
  • 16. © 2013, Axiomatics AB 16 XACML-Architecture Access request
  • 17. © 2013, Axiomatics AB 17 XACML-Architecture Enforce Policy Enforcement Point
  • 18. © 2013, Axiomatics AB 18 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point
  • 19. © 2013, Axiomatics AB 19 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point Support Policy Information Point Policy Retrieval Point
  • 20. © 2013, Axiomatics AB 20 XACML-Architecture Enforce Policy Enforcement Point Decide Policy Decision Point Manage Policy Administration Point Support Policy Information Point Policy Retrieval Point
  • 21. © 2013, Axiomatics AB 21 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
  • 22. © 2013, Axiomatics AB Everything can be described in terms of attributes Attributes can be grouped into categories And many more… It’s all about Attributes! ABAC 22 Attributes & Categories Environment Subject Action Resource
  • 23. © 2013, Axiomatics AB 23 Examples of attributes Subject Action Resource Environment A user … … wants to do something … … with an information asset … … in a given context Examples: A claims administrator… …wants to register a … … claim receipt for a new claim… … via a secure channel authenticated using the corporate smart card An adjuster… …wants to approve payments of … … claim payment … …from his office computer during regular business hours A manager wants to … … assign a claim… …to a claim adjuster… … at 2 o’clock at night from a hotel lounge in Chisinau…
  • 24. © 2013, Axiomatics AB <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml- ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" > <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType=http://www.w3.org/2001/XMLSchema#string>Laptop</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" > <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/acs/role" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">Manager</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> <xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/asm/entity/type" IncludeInResult="true"> <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue> </xacml-ctx:Attribute> </xacml-ctx:Attributes> </xacml-ctx:Request> Example XACML 3.0 Request, XML
  • 25. © 2013, Axiomatics AB <xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> <xacml-ctx:Result> <xacml-ctx:Decision>Permit</xacml-ctx:Decision> <xacml-ctx:Status> <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/> </xacml-ctx:Status> </xacml-ctx:Result> </xacml-ctx:Response> Example XACML 3.0 Response
  • 26. © 2013, Axiomatics AB 3 levels of elements PolicySet Policy Rule At root is PolicySet or Policy PolicySet can contain PolicySet and Policy Policy can contain Rule Rule evaluation returns PERMIT, DENY, Indeterminate, NotApplicable Rule Combining Algorithms Policy Combining Algorithms 26 Language Elements of XACML PolicySet PolicySet Policy Rule Effect Permit Deny Policy Rule Rule
  • 27. © 2013, Axiomatics AB All 3 elements can contain Target elements At the heart of most Rules is a Condition Obligation/Advice can be specified at all 3 levels 27 Language Structure: Russian dolls PolicySet PolicySet Policy Rule Effect Target T T TC Permit Deny O Obligation O O O = Obligation / Advice C = Condition T = Target
  • 28. © 2013, Axiomatics AB 28 What does XACML contain? XACML Reference Architecture Policy Language Request / Response Protocol
  • 29. © 2013, Axiomatics AB Environment Subject Action Resource Environment Action Resource Subject 29 XACML Concepts It’s all about Attributes! ABAC = Attribute Based Access Control XACML Policies XACML Request XACML Response
  • 30. © 2013, Axiomatics AB • Subject User id = Alice Role = Manager • Action Action id = approve • Resource Resource type = Purchase Order PO #= 12367 • Environment Device Type = Laptop 30 Structure of a XACML Request / Response XACML Request XACML Response Can Manager Alice approve Purchase Order 12367? Yes, she can • Result Decision: Permit Status: ok The core XACML specification does not define any specific transport / communication protocol: -Developers can choose their own. -The SAML profile defines a binding to send requests/responses over SAML assertions
  • 31. © 2013, Axiomatics AB In addition, XACML response can also contain: Obligation: PEP must comply with the obligation and is required to deny access if it cannot understand or enforce the obligation Advice: the PEP may comply with the advice and can be safely ignored if not understood or cannot be acted on 31 Obligation & Advice
  • 32. © 2013, Axiomatics AB AuthN is not enough. AuthZ is needed. RBAC is often not enough. ABAC is needed. XACML is a prominent ABAC system. XACML consists of: Reference Architecture Policy Language Request Response Protocol Summary
  • 33. © 2013, Axiomatics AB Axiomatics is world’s leading independent provider of dynamic AuthZ solutions Our products enable efficient XACML-based authorization APIs, SDKs for system integration Java and .NET support APS Developer Edition provides you with all the power of our product in a read-to-use package http://axiomatics.com/aps-developer-edition.html Summary (Axiomatics)
  • 34. © 2013, Axiomatics AB http://developers.axiomatics.com http://www.technicalprivacytraining.org/ https://www.oasis-open.org/committees/xacml/ http://docs.oasis-open.org/xacml/xacml- rest/v1.0/xacml-rest-v1.0.pdf http://www.webfarmr.eu/ http://analyzingidentity.com/ More Information
  • 35. © 2013, Axiomatics AB Questions? Contact us at info@axiomatics.com