eXtensible Access Control Markup Language
Rémon Sinnema
  – Consultant Software Engineer at EMC
  – Voting member of the XACML Technical Committee
  – sinnema313




© Copyright 2011 EMC Corporation. All rights reserved.                                                 1
Agenda
• Access Control
  – Various models
  – How XACML fits in
• XACML
  – Architecture
  – Request/Response Protocol
  – Policy Language
  – Optional Profiles
  – What’s new in 3.0
  – Implementations


Access Control




Access Control
• Access control is the basis of Information Security:
  – Confidentiality: prevent disclosure to unauthorized agents
  – Integrity: prevent modification by unauthorized agents
  – Availability: keep unauthorized agents off the system
• An access request occurs when
  – a given subject tries to access
  – a given resource to perform
  – a given action in
  – a given environment


Access Control List (ACL)
• (subject, resource, action, ?)
  – Subject is user or group
  – No environment
  – Hard to maintain when many users share privileges
• Widely available, e.g. in operating systems




Role-Based Access Control (RBAC)
• (role, resource, action, ?)
  – Generalizes users into roles
  – Users can have many roles
  – Roles can be hierarchical
    • A manager is an employee
  – No environment
  – Not granular enough/role explosion
• Commonly available, e.g. in databases




Attribute-Based Access Control (ABAC)
• (subject, resource, action, environment)
  – Generalizes everything into attributes
  – Adds environment attributes
  – Subject can be user, group, role, application, …
  – Subject can be described by more than one attribute
• Matches the definition of identity:
  – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else”
    Identity Management – A Primer, p. 9
• State of the art


Policy-Based Access Control (PBAC)
• (subject, resource, action, environment)
  – Harmonizes attributes across the (extended) organization
• Coming soon…




Risk-Adaptive Access Control (RAdAC)
• (subject, resource, action, environment)
  – Dynamic risk levels as environment attributes
  – Threat level etc. from outside sources as well
• Not anytime soon




Evolution of Access Control Models
[Figure: evolution of access control models]
Trends:
• Finer granularity
• More policy-based over ad-hoc




XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC
One technology for all your evolving access control needs!




eXtensible Access Control Markup Language




Architecture




Request
<!-- XACML 2.0 request context: who (Subject) wants to do what (Action) to what (Resource), under which Environment -->
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <!-- Environment is present but carries no attributes in this request -->
  <Environment />
</Request>




Response
<!-- The PDP answers with a Decision (Permit, Deny, NotApplicable or Indeterminate) and a Status -->
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>




Policy Language (1)
• Hierarchical structure: PolicySet → Policy → Rule




Policy Language (2)
• Target filters applicable requests
  – In PolicySet, Policy, and Rule
  – Using attribute matching

• Condition refines further
  – Powerful expression language
<Condition>
  <!-- string-is-in is true when the literal occurs in the bag of values the designator selects -->
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
    <!-- MustBePresent="true": a request lacking this attribute makes the Condition Indeterminate, not false -->
    <SubjectAttributeDesignator
        SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
        MustBePresent="true"
        DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Apply>
</Condition>




Attribute Matching
<!-- The slide's callouts (Effect, Function, Attribute Value, Attribute ID, Data Type) are given as comments -->
<Rule RuleId="…" Effect="Permit">   <!-- Effect: what the Rule yields when its Target and Condition hold -->
  <Description>…</Description>
  <Target>
    <Subjects>
      <Subject>
        <!-- Function: MatchId names the matching function; the standard string-equal id keeps the 1.0 prefix -->
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- Attribute Value: the literal the request attribute is compared against -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
          <!-- Attribute ID and Data Type: which request attribute is selected -->
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>…</Resources>
    <Actions>…</Actions>
    <Environments>…</Environments>
  </Target>
  <Condition>…</Condition>
</Rule>
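The request, Target match and Condition shown on the preceding slides can be exercised end to end with a small evaluator. The Python below is an added example, not code from the slides or from any XACML implementation: the RULE data structure, the FUNCTIONS table, the extra urn:example:role attribute and the helper names are constructed for illustration, while the request document and the function and attribute identifiers are the XACML 2.0 ones the slides use.

```python
"""Evaluate an XACML 2.0 request against one Rule (Target + Condition).

Added example, not code from the slides or from any XACML implementation.
Constructed here: the RULE data structure, the FUNCTIONS table, the
urn:example:role attribute and the helper names. The request document and
the function/attribute identifiers are the XACML 2.0 ones from the slides.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS = "http://www.w3.org/2001/XMLSchema"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
F = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed request: the slide's request plus a role attribute for the Condition.
REQUEST_XML = f"""<Request xmlns="{CTX}">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:role" DataType="{XS}#string">
      <AttributeValue>physician</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{XS}#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{XS}#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>"""


def parse_request(xml_text):
    """Return {category: {AttributeId: [values]}} for Subject/Resource/Action/Environment."""
    ctx = {}
    for cat_el in ET.fromstring(xml_text):
        bag = ctx.setdefault(cat_el.tag.split("}")[1], {})   # strip the namespace from the tag
        for attr in cat_el.findall(f"{{{CTX}}}Attribute"):
            values = [(v.text or "").strip() for v in attr.findall(f"{{{CTX}}}AttributeValue")]
            bag.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx


# Standard XACML function identifiers and their semantics (string-is-in takes a bag).
FUNCTIONS = {
    F + "string-equal": lambda a, b: a == b,
    F + "string-is-in": lambda value, bag: value in bag,
}

# A Rule as plain data. Each Target match is (MatchId, literal, category, AttributeId)
# and holds when the function is true for the literal and ANY value in the request bag.
RULE = {
    "effect": "Permit",
    "target": [
        (F + "string-equal", "Julius Hibbert", "Subject", SUBJECT_ID),
        (F + "string-equal", "read", "Action", ACTION_ID),
    ],
    # Condition: (FunctionId, literal, category, AttributeId, MustBePresent)
    "condition": (F + "string-is-in", "physician", "Subject", "urn:example:role", True),
}


def evaluate_rule(rule, ctx):
    """Return Permit, Deny, NotApplicable or Indeterminate for a single Rule."""
    for match_id, literal, category, attr_id in rule["target"]:
        bag = ctx.get(category, {}).get(attr_id, [])
        if not any(FUNCTIONS[match_id](literal, v) for v in bag):
            return "NotApplicable"                      # Target does not match
    cond = rule.get("condition")
    if cond:
        func_id, literal, category, attr_id, must_be_present = cond
        bag = ctx.get(category, {}).get(attr_id)
        if bag is None:
            # A missing MustBePresent attribute is an error, not a silent "false":
            # the combining algorithm decides what an Indeterminate rule means.
            return "Indeterminate" if must_be_present else "NotApplicable"
        if not FUNCTIONS[func_id](literal, bag):
            return "NotApplicable"                      # Condition evaluated to false
    return rule["effect"]


def build_response(decision):
    """Serialize a decision as the XACML 2.0 Response document from the slides."""
    status = "urn:oasis:names:tc:xacml:1.0:status:ok"
    return (f'<Response xmlns="{CTX}"><Result><Decision>{decision}</Decision>'
            f'<Status><StatusCode Value="{status}"/></Status></Result></Response>')


if __name__ == "__main__":
    print(build_response(evaluate_rule(RULE, parse_request(REQUEST_XML))))
```

Running the file prints a Permit response for the slide's request. Changing the subject-id to a name the Target does not match gives NotApplicable, and removing the role attribute gives Indeterminate rather than a quiet NotApplicable, because the designator is marked MustBePresent; which of those two outcomes ends up as the final decision is exactly what the combining algorithm on the next slides settles.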




Conflict Resolution
• Multiple rules can be applicable
• Conflicts are resolved by Combining Algorithms
  – Policy has Rule Combining Algorithm
  – PolicySet has Policy Combining Algorithm

• Standard Combining Algorithms:
  – permit-overrides
  – deny-overrides
  – first-applicable
  – only-one-applicable
  – ordered-permit-overrides
  – ordered-deny-overrides
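The choice of combining algorithm decides what happens when one rule cannot be evaluated, which is the case a policy author most often gets wrong. The Python below is an added example, not code from the slides or from any XACML implementation: the per-rule result lists are constructed, while the algorithm names are the standard XACML ones and the logic follows the XACML 2.0 core specification's pseudocode for rule combining (only-one-applicable is a policy-combining algorithm and is modelled on policy targets instead).

```python
"""XACML 2.0 combining algorithms applied to per-rule (or per-policy) decisions.

Added example, not code from the slides or from any XACML implementation.
The decision lists are constructed; the algorithm names are the standard
XACML ones and the logic follows the 2.0 core specification's pseudocode.
"""
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

# A rule result is (decision, effect). The Effect declared on the rule matters
# when the rule evaluated to Indeterminate: the PDP then treats the rule as a
# "potential" Deny or Permit, depending on the algorithm.


def deny_overrides(results):
    potential_deny = at_least_one_permit = at_least_one_error = False
    for decision, effect in results:
        if decision == DENY:
            return DENY                         # a single Deny settles it
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == IND:
            at_least_one_error = True
            if effect == DENY:
                potential_deny = True           # a Deny rule that could not be evaluated
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return IND if at_least_one_error else NA


def permit_overrides(results):
    potential_permit = at_least_one_deny = at_least_one_error = False
    for decision, effect in results:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            at_least_one_deny = True
        elif decision == IND:
            at_least_one_error = True
            if effect == PERMIT:
                potential_permit = True         # a Permit rule that could not be evaluated
    if potential_permit:
        return PERMIT
    if at_least_one_deny:
        return DENY
    return IND if at_least_one_error else NA


def first_applicable(results):
    for decision, _effect in results:
        if decision != NA:
            return decision                     # Permit, Deny or Indeterminate ends the scan
    return NA


def only_one_applicable(policies):
    """Policy-combining algorithm: policies is a list of (target_applies, decision),
    where target_applies is True, False, or None for an Indeterminate Target."""
    applicable = []
    for applies, decision in policies:
        if applies is None:
            return IND
        if applies:
            applicable.append(decision)
    if len(applicable) > 1:
        return IND                              # more than one applicable policy is an error
    return applicable[0] if applicable else NA


# Constructed results for one request: a Permit rule matched, a Deny rule hit a
# missing MustBePresent attribute (Indeterminate), and a third rule did not apply.
SAMPLE = [(PERMIT, PERMIT), (IND, DENY), (NA, DENY)]


def compare(results=SAMPLE):
    """Show how the same rule results yield different decisions per algorithm."""
    return {
        "deny-overrides": deny_overrides(results),
        "permit-overrides": permit_overrides(results),
        "first-applicable": first_applicable(results),
    }


if __name__ == "__main__":
    for name, decision in compare().items():
        print(f"{name:18} -> {decision}")
```

For the constructed SAMPLE, deny-overrides returns Deny because a Deny rule failed to evaluate, while permit-overrides and first-applicable both return Permit; a PDP configured with the wrong algorithm therefore grants access precisely when it has incomplete information. The ordered-* variants apply the same logic but guarantee evaluation in the order the rules are listed, which a Python list already provides.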



Obligations
• Action that PEP must perform
  – Email manager, log access, …
• Optional part of the specification
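The security-relevant point about obligations is on the enforcement side: a PEP that receives a Permit with obligations it cannot carry out must treat the result as a refusal. The Python below is an added example, not code from the slides or from any XACML product; the urn:example obligation identifiers, the handler registry and the Result and Obligation classes are constructed for illustration.

```python
"""A Policy Enforcement Point discharging obligations attached to a Permit.

Added example, not code from the slides or from any XACML product. The
obligation identifiers, the handler registry and the Result/Obligation
classes are constructed here; the rule illustrated is the XACML one: a PEP
that cannot fulfil every obligation on a decision must not grant access.
"""
from dataclasses import dataclass, field


@dataclass
class Obligation:
    obligation_id: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Result:
    decision: str                      # Permit / Deny / NotApplicable / Indeterminate
    obligations: list = field(default_factory=list)


AUDIT_LOG = []                         # stands in for a real audit sink


def log_access(attrs):
    AUDIT_LOG.append(f"{attrs['subject']} {attrs['action']} {attrs['resource']}")
    return True


def email_manager(attrs):
    # A real handler would send mail; here only a well-formed address counts as fulfilled.
    return "@" in attrs.get("to", "")


# Hypothetical obligation ids -> handlers. A handler returns True once fulfilled.
HANDLERS = {
    "urn:example:obligation:log-access": log_access,
    "urn:example:obligation:email-manager": email_manager,
}


def enforce(result):
    """Return True only if access may be granted: Permit AND every obligation fulfilled."""
    if result.decision != "Permit":
        return False                   # Deny, NotApplicable and Indeterminate all block
    # Phase 1: refuse before any side effect if an obligation is not understood,
    # so an unknown obligation never leaves a half-applied trail.
    planned = []
    for ob in result.obligations:
        handler = HANDLERS.get(ob.obligation_id)
        if handler is None:
            return False
        planned.append((handler, ob.attributes))
    # Phase 2: discharge each obligation; the first failure withholds access.
    return all(handler(attrs) for handler, attrs in planned)


if __name__ == "__main__":
    permit = Result("Permit", [
        Obligation("urn:example:obligation:log-access",
                   {"subject": "Julius Hibbert", "action": "read",
                    "resource": "http://medico.com/record/patient/BartSimpson"}),
        Obligation("urn:example:obligation:email-manager", {"to": "manager@example.test"}),
    ])
    print("granted" if enforce(permit) else "refused", AUDIT_LOG)
```

The two-phase shape is the design choice worth copying: checking that every obligation id is known before running any handler means an unrecognised obligation is refused without an audit entry or an e-mail having already gone out for a request that is then blocked.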




X stands for eXtensible
• Custom attribute IDs
• Custom functions
• Custom data types
• Custom combining algorithms




Optional Profiles
• RBAC
• Multiple Resource
• Hierarchical Resource
• Privacy
• SAML
• XML Digital Signature




What’s new in 3.0
• Subject/Resource/Action/Environment generalized into attribute categories
• Advice (like obligation but optional)
• Obligations & advice can be dynamic
• More functions and combining algorithms (better handling of Indeterminate in combining algorithms, new combining algorithms)
• XPath improvements (XPath data type)
• Updated profiles
  – Multi: decision schemes
  – SAML: pass policies with request
• New profiles
  – Administration & Delegation (policies about who can change policies)
  – Export
  – Intellectual Property (in progress)




Implementations
• Commercial: [logos not captured in the transcript]
• Embedded: [logos not captured in the transcript]
• Open Source: SunXacml [other logos not captured in the transcript]




Q&A
sinnema313




THANK YOU




XACML - XML Amsterdam2011


Editor's Notes

  • #11: Access Control List focuses on Resource; Role-Based Access Control generalizes Subject; Attribute-Based Access Control generalizes all attributes; Policy-Based Access Control standardizes attributes; Risk-Adaptive Access Control