
XACML Briefing for PMRM TC

Hal Lockhart, July 8, 2014.





Presentation Transcript


  1. XACML Briefing for PMRM TC
     Hal Lockhart, July 8, 2014

  2. What is XACML?
     • XML language for access control
     • Coarse or fine-grained
     • Extremely powerful evaluation logic
     • Ability to use any available information
     • Superset of Permissions, ACLs, RBAC, etc
     • Scales from PDA to Internet
     • Federated policy administration
     • OASIS and ITU-T Standard

  3. OASIS XACML Standard specifies:
     • An Architecture
       • Aka: Attribute-based Access Control (ABAC)
     • A Policy Language
       • Format and Evaluation Semantics
     • Request Formats
       • XML/SOAP
       • JSON/REST
       • Programmatic (OpenAz Project)

  4. XACML Architecture (diagram)
     Components shown: Client, Application, PEP (Enforcement), PDP (Decision), PDP Administration, Policy Repository, Attribute Repositories, Authorities, Resources

  5. Powerful Policy Expression
     • “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM”
     • “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
     • “Anyone can view their own 401K information, but nobody else’s”
     • “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
     • “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

  6. Key XACML Features
     • Federated Policy Administration
       • Multiple policies applicable to same situation
       • Combining rules to resolve conflicts
     • Decision may include Obligations and Advice
       • More than just Permit or Deny
       • Obligation can specify present or future action
       • Examples: Log request, require human approval, delete data after 30 days
     • Protect any resource
       • Web Server, Java or C++ Object, Room in building, Network Access, Web Service, Geographic Data, Health Records, etc.

  7. XACML Benefits
     • Standard Policy Language
       • Investment protection
       • Skills reuse
       • Leverage XML tools
     • Policy not in application code
       • Reduce cost of changes
       • Consistent application
       • Enable audit

  8. Policy Evaluation in Brief - 1
     • Attribute-based access control (ABAC)
     • Attributes associated with Subject(s), Action, Resource or Environment
     • Attributes may represent static (Group) or dynamic (# of accesses) properties
     • PDP is stateless

  9. Policy Evaluation in Brief - 2
     • Policies contain Boolean expressions
       • If false, policy is not applicable
       • If true, Effect (Permit or Deny) is returned

  10. Policy Evaluation in Brief - 3
     • Combining Algorithms resolve conflicting policy results
       • Typical: Deny Overrides
     • Obligations which are associated with final Effect are also returned
     • Policies are tree structured to simplify management

  11. XACML Concepts (diagram)
     A PolicySet has a Target and contains Policies and Obligations; a Policy has a Target and contains Rules and Obligations; a Rule has a Target, a Condition and an Effect

  12. XACML Policy Tree (diagram)
     A root Policy Set contains nested Policy Sets, which contain Policies, which contain Rules

  13. Decision Request Interfaces
     • Abstract Interface defined in XML
     • Profiled as real protocol over SOAP
     • Programmatic Interfaces permitted, but unspecified
     • JavaScript Object Notation (JSON) format
       • Functionally equivalent to XML/SOAP format
       • xacml+json MIME type approved by IANA
     • REST-based communications
       • Can carry JSON or XML format requests
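The evaluation model of slides 8 through 13 (attributes grouped by category, rules with a Target and Condition that yield an Effect, a policy tree combined with deny-overrides, obligations returned with the final effect, and a JSON-shaped request and response) is illustrated by the following toy PDP. It is example code added to this transcript, not part of the briefing and not an XACML implementation: policies are Python callables rather than XACML XML, deny-overrides is simplified to Deny > Indeterminate > Permit > NotApplicable (the extended Indeterminate values of XACML 3.0 are omitted), and the request and response dictionaries, the category names and every attribute id (`role`, `order-total`, `resource-type`, `owner`, `subject-id`, `action-id`) are assumptions chosen for this example, not identifiers from the XACML JSON profile. The two policies encode two sentences from slide 5.

```python
"""Toy XACML-style PDP (example code, not an XACML implementation)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Decision = Tuple[str, List[str]]                       # (effect, obligation ids)
SUBJ, ACT, RES = "AccessSubject", "Action", "Resource"  # category names (assumed)
ALWAYS = lambda req: True                               # an empty Target or Condition


def attr(request: dict, category: str, attribute_id: str):
    """Return one attribute value from the request; KeyError when it is absent."""
    for a in request["Request"][category]["Attribute"]:
        if a["AttributeId"] == attribute_id:
            return a["Value"]
    raise KeyError(f"{category}/{attribute_id}")


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[dict], bool] = ALWAYS
    condition: Callable[[dict], bool] = ALWAYS
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, req: dict) -> Decision:
        try:                              # Target: a missing attribute means "no match"
            if not self.target(req):
                return "NotApplicable", []
        except KeyError:
            return "NotApplicable", []
        try:                              # Condition: a missing attribute is an error
            if not self.condition(req):
                return "NotApplicable", []
        except KeyError:
            return "Indeterminate", []
        return self.effect, list(self.obligations)


@dataclass
class Policy:
    """Holds Rules (a Policy) or other Policies (a PolicySet); one class serves both."""
    policy_id: str
    children: list
    target: Callable[[dict], bool] = ALWAYS
    obligations: List[str] = field(default_factory=list)

    def evaluate(self, req: dict) -> Decision:
        try:
            if not self.target(req):
                return "NotApplicable", []
        except KeyError:
            return "NotApplicable", []
        effect, obls = deny_overrides([c.evaluate(req) for c in self.children])
        if effect in ("Permit", "Deny"):  # obligations only accompany a definite effect
            obls = obls + self.obligations
        return effect, obls


def deny_overrides(results: List[Decision]) -> Decision:
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable.
    Only obligations attached to results that share the final effect are kept."""
    effects = [e for e, _ in results]
    for winner in ("Deny", "Indeterminate", "Permit"):
        if winner in effects:
            return winner, [o for e, obls in results if e == winner for o in obls]
    return "NotApplicable", []


# Policies modelled on two slide-5 sentences; attribute ids are invented for this example.
ORDERS = Policy("orders", target=lambda r: attr(r, ACT, "action-id") == "create-order", children=[
    Rule("sales-small", "Permit",
         target=lambda r: attr(r, SUBJ, "role") == "sales",
         condition=lambda r: attr(r, RES, "order-total") <= 1_000_000),
    Rule("sales-large", "Permit",
         target=lambda r: attr(r, SUBJ, "role") == "sales",
         condition=lambda r: attr(r, RES, "order-total") > 1_000_000,
         obligations=["require-supervisor-approval"]),
])
RETIREMENT = Policy("401k", target=lambda r: attr(r, RES, "resource-type") == "401k", children=[
    Rule("own-records", "Permit",
         condition=lambda r: attr(r, SUBJ, "subject-id") == attr(r, RES, "owner")),
    Rule("others-records", "Deny",
         condition=lambda r: attr(r, SUBJ, "subject-id") != attr(r, RES, "owner")),
])
ROOT = Policy("root", children=[ORDERS, RETIREMENT], obligations=["log-request"])


def make_request(subject: dict, action: dict, resource: dict) -> dict:
    """Build the assumed JSON-profile-like request from plain attribute dicts."""
    cat = lambda d: {"Attribute": [{"AttributeId": k, "Value": v} for k, v in d.items()]}
    return {"Request": {SUBJ: cat(subject), ACT: cat(action), RES: cat(resource)}}


def decide(request: dict, root: Policy = ROOT) -> dict:
    """Evaluate a request against the policy tree; the response shape is assumed too."""
    effect, obligations = root.evaluate(request)
    return {"Response": [{"Decision": effect, "Obligations": [{"Id": o} for o in obligations]}]}


if __name__ == "__main__":
    big = make_request({"role": "sales"}, {"action-id": "create-order"}, {"order-total": 2_000_000})
    print(decide(big))   # Permit, obligations require-supervisor-approval and log-request
```

A request with no `order-total` attribute evaluates to `Indeterminate` rather than `Permit`, and a request that matches no rule evaluates to `NotApplicable`; a PEP should treat both, like `Deny`, as "do not grant", so that missing attributes or an incomplete policy tree fail closed. The obligations returned with a `Permit` (here a supervisor approval and a log entry) are the PEP's responsibility to carry out, and a PEP that cannot honour an obligation should refuse the access rather than grant it.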

  14. Prior XACML Privacy work
     • Privacy Profile
       • Defines 2 Attributes – “Purpose” Category = Action or Resource
       • Rule to match Purposes
     • XSPA XACML Profile
       • OASIS Standard in 2009
       • Based on prior work at HL7
       • Defines 53 Attributes (14 Normative)
       • Several public interops
       • New Profile in progress

  15. Referencing XACML in other Standards
     • Attributes
       • What ones may be needed
       • Category (Subject, Resource, etc.)
       • Precise semantics (data-type, legal values)
     • Policy
       • Agreed upon policies – normative
       • Example policies – illustrate potential use of attributes

  16. Useful Links
     • XACML core specification
       http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc
     • Privacy Profile
       http://docs.oasis-open.org/xacml/3.0/privacy/v1.0/xacml-3.0-privacy-v1.0.doc
     • XSPA Standard
       http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.doc
     • Interop Policies
       https://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip
       https://www.oasis-open.org/committees/download.php/32225/HIMSS-OASIS-Interop-documents.zip

  17. Discussion
