
XACML MAP Authorization Profile

XACML MAP Authorization Profile. Richard Hill, John Tolbert, May 16, 2013. Why use XACML for MAP Authz? The MAP server contains highly valued information about the network which needs to be protected. A strong desire to use a standards-based policy language.


Presentation Transcript


  1. XACML MAP Authorization Profile
     Richard Hill, John Tolbert
     May 16, 2013

  2. Why use XACML for MAP Authz?
     • The MAP server contains highly valued information about the network which needs to be protected
     • A strong desire to use a standards-based policy language
     • The policy language must provide expressive, flexible, and fine-grained access control

  3. OASIS – TNC Collaboration
     • 2010 – Initial XACML TC interest in IF-MAP
     • 2012 – Discussed possibility of using XACML for MAP Content Authorization
     • Q4 2012 – TNC & OASIS collaboration agreed
     • Collaboration approach:
       • TNC develops the MAP Content Authorization spec
       • Work with an OASIS XACML TC representative
       • OASIS XACML TC develops the XACML MAP Authorization Profile

  4. Where does XACML fit in?
     • The MAP server performs the XACML PEP function
     • The XACML PDP may be internal or external to the MAP server
     • MAP authorization policies are written in XACML
     • An XACML PAP may be used to maintain the lifecycle of the MAP policies

  5. What can the MAP authorize?
     IF-MAP Client operations on the MAP Server, based on:
     • The IF-MAP Client’s roles
     • The metadata type
     • The identifier type
     • Top-level attributes of the identifier
     • Top-level attributes of the metadata item
     • The action to be performed

  6. XACML MAP Authorization Profile
     Profile identifier: urn:oasis:names:tc:xacml:3.0:if-map:content
     Subject Attributes
     • role
     Resource Attributes
     • metadata-type
     • identifier-type
     • is-map-client-identifier
     • is-self-identifier
     • on-link
     • metadata-attribute
     • identifier-attribute

  7. XACML MAP Authorization Profile
     Action Attributes
     • request-type
     • delete-metadata-by-other-client
     • publish-request-subtype
     Environment Attributes
     • dry-run
     No Obligations will be used.
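Slides 5 through 7 list the attributes a MAP server (acting as PEP) hands to the PDP, but not how a decision falls out of them. The following is an added example, not code from the presentation or from the TNC/OASIS specifications: a toy deny-overrides PDP in Python that evaluates constructed rules over request attribute bags keyed by the attribute names on the slides (role, metadata-type, identifier-type, is-self-identifier, request-type, publish-request-subtype, delete-metadata-by-other-client, dry-run). The rules, the sample requests, the treatment of dry-run as "decide but do not write", and the plain attribute names (the profile's formal AttributeId URNs are not reproduced here) are all assumptions made for illustration.

```python
"""Toy XACML-style PDP over the MAP authorization attributes named on the slides.

Added example, not part of the presentation or of the OASIS/TNC specs. The
attribute names come from slides 5-7; the policy rules, sample requests and
the dry-run handling are constructed for illustration (assumptions).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]          # flattened attribute bag: name -> value
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    effect: str                      # "Permit" or "Deny"
    target: Dict[str, object]        # equality matches; all must hold
    condition: Condition = lambda r: True

    def evaluate(self, req: Request) -> str:
        # Any target mismatch makes the rule NotApplicable, like an XACML <Target>
        for attr, expected in self.target.items():
            if req.get(attr) != expected:
                return "NotApplicable"
        return self.effect if self.condition(req) else "NotApplicable"


def deny_overrides(rules: List[Rule], req: Request) -> str:
    """XACML deny-overrides combining: any Deny wins, else any Permit, else NotApplicable."""
    results = [r.evaluate(req) for r in rules]
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


# Constructed policy in the spirit of slides 5-7 (not the real profile's policy).
MAP_POLICY = [
    # Removing metadata another client published is reserved to administrators.
    Rule("deny-cross-client-delete", "Deny",
         {"request-type": "publish", "publish-request-subtype": "delete",
          "delete-metadata-by-other-client": True},
         lambda r: r.get("role") != "admin"),
    # Administrators may perform any operation.
    Rule("admin-all", "Permit", {"role": "admin"}),
    # Sensors may publish ip-mac metadata only on identifiers that are their own.
    Rule("sensor-publish-own", "Permit",
         {"role": "sensor", "request-type": "publish", "metadata-type": "ip-mac"},
         lambda r: r.get("is-self-identifier") is True),
    # Any role may search or subscribe on device identifiers.
    Rule("read-device", "Permit",
         {"identifier-type": "device"},
         lambda r: r.get("request-type") in ("search", "subscribe")),
]


def authorize(req: Request) -> str:
    """PDP entry point: the decision the MAP server (PEP) receives for a request."""
    return deny_overrides(MAP_POLICY, req)


def should_apply(req: Request) -> bool:
    """PEP helper: write to the MAP only on Permit and when the client did not
    set dry-run (assumed meaning of the dry-run environment attribute)."""
    return authorize(req) == "Permit" and req.get("dry-run") is not True


if __name__ == "__main__":
    # Constructed sample request: a sensor updating ip-mac metadata on its own identifier.
    sample = {"role": "sensor", "request-type": "publish",
              "publish-request-subtype": "update", "metadata-type": "ip-mac",
              "identifier-type": "ip-address", "is-self-identifier": True}
    print(authorize(sample), should_apply(sample))
    print(authorize({**sample, "dry-run": True}), should_apply({**sample, "dry-run": True}))
```

Each rule's target mirrors an XACML Target (attribute equality) and its condition mirrors a Condition; a real deployment would express the same rules in XACML 3.0 XML under the profile identifier on slide 6, and the PEP would still be the MAP server as slide 4 describes. Note that with deny-overrides a deny rule only needs to match; it does not have to out-rank a competing permit.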

  8. Aids Security Strategy
     Digital Policy Management Goals
     • Use a standard policy language
     • Manage access policies centrally
     • Distribute policies to access control points
     • Ensure XACML capabilities are pushed to the network layer

  9. Next Steps
     • Updates based on comment periods:
       • TNC MAP Content Authorization
       • OASIS XACML MAP Authorization Profile
     • Testing of MAP content authorization with XACML
       • Summer of 2013
     • Expected stabilization:
       • TNC MAP Content Authorization – mid July
       • OASIS XACML MAP Authorization Profile – Q3 2012
     • Possible demonstrations of TNC MAP & OASIS XACML in 2014?
