
Fine-Grained Access Control with XACML 2.0: Policy Administration & Powerful Expression

XACML is an OASIS-standard XML language for expressing and evaluating access-control policy, from coarse to fine-grained, over any attribute available at decision time. These slides cover federated policy administration, with combining rules that resolve conflicts when several policies apply to the same request; obligations returned alongside a Permit or Deny decision; the protection of any kind of resource, from web servers to health records; and the XACML 2.0 profiles (digital signature, hierarchical resources, privacy, RBAC, SAML integration).


Presentation Transcript


  1. XACML 2.0 and Earlier (Hal Lockhart, Oracle)

  2. What is XACML?
     • XML language for access control
     • Coarse or fine-grained
     • Extremely powerful evaluation logic
     • Ability to use any available information
     • Superset of permissions, ACLs, RBAC, etc.
     • Scales from PDA to Internet
     • Federated policy administration
     • OASIS and ITU-T standard

  3. Trends Driving Fine-Grained Access Control
     • De-perimeterization
       • No longer just “them and us”
       • Firewall is no longer sufficient
     • Service Oriented Architecture
       • Multiple access contexts for each service
     • Cloud
       • Complex interactions of internal and external components
     • Federated administration

  4. Powerful Policy Expression
     • “Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM”
     • “Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”
     • “Anyone can view their own 401(k) information, but nobody else’s”
     • “The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”
     • “The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

  5. Key XACML Features
     • Federated Policy Administration
       • Multiple policies applicable to the same situation
       • Combining rules to resolve conflicts
     • Decision may include Obligations
       • In addition to Permit or Deny
       • Obligation can specify a present or future action
       • Examples: log the request, require human approval, delete data after 30 days
     • Protect any resource
       • Web server, Java or C++ object, room in a building, network access, web service, geographic data, health records, etc.

  6. XACML Architecture [diagram; only the box labels survive extraction: Client, Application, PEP (Enforcement), PDP (Decision), Policy Administration, Policy Repository, Attribute Repositories, Authorities. In XACML terms the client's request reaches the application's PEP, which asks the PDP for a decision; the PDP evaluates the policies held in the policy repository against attributes drawn from the attribute repositories, which the authorities populate, and the administration point (PAP) is where policies are written and stored.]

  7. XACML Concepts [diagram; labels only: PolicySet, Policies, Rules, Target, Condition, Effect, Obligations. The structure shown is nested: a PolicySet has a Target, contains Policies, and may carry Obligations; a Policy has a Target, contains Rules, and may carry Obligations; a Rule has a Target, a Condition and an Effect (Permit or Deny).]
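As an added worked example (not code from the slides or from any XACML product), the following minimal PDP in Python parses a policy written in real XACML 2.0 syntax and evaluates requests against it. It expresses the 401(k) rule from slide 4, exercises the combining-rule and obligation behaviour from slide 5, and uses the Policy / Rule / Target / Condition / Effect / Obligation structure of slide 7 (PolicySets are omitted). The namespace, function and rule-combining-algorithm identifiers are the real XACML 2.0/1.0 URNs; everything under urn:example:* (the policy id, the resource-type, owner and legal-hold attributes, the log obligation), the legal-hold rule itself and the request helper are assumptions invented for this example. The evaluator covers only a subset of the language: string-equal Target matches, two functions in Conditions, and the deny-overrides and permit-overrides rule-combining algorithms.

```python
"""Minimal XACML 2.0 PDP: an added worked example, not code from the slides."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
F = "urn:oasis:names:tc:xacml:1.0:function:"
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Hypothetical policy (the urn:example:* ids are invented): anyone may view their own 401(k)
# record but nobody else's; a record under legal hold is denied even to its owner.
POLICY_XML = f"""<Policy xmlns="{NS}" PolicyId="urn:example:401k" RuleCombiningAlgId="{ALG}deny-overrides">
  <Target/>
  <Rule RuleId="view-own-401k" Effect="Permit">
    <Target><Resources><Resource><ResourceMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{STR}">401k-record</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:example:resource-type" DataType="{STR}"/>
    </ResourceMatch></Resource></Resources></Target>
    <Condition><Apply FunctionId="{F}string-equal">
      <Apply FunctionId="{F}string-one-and-only">
        <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{STR}"/></Apply>
      <Apply FunctionId="{F}string-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:example:owner" DataType="{STR}"/></Apply>
    </Apply></Condition>
  </Rule>
  <Rule RuleId="legal-hold" Effect="Deny">
    <Target><Resources><Resource><ResourceMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{STR}">true</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:example:legal-hold" DataType="{STR}"/>
    </ResourceMatch></Resource></Resources></Target>
  </Rule>
  <Obligations><Obligation ObligationId="urn:example:log-access" FulfillOn="Permit"/></Obligations>
</Policy>"""

def evaluate_expr(node, ctx):
    """Evaluate an expression; designators return bags (lists) from the request context."""
    tag = node.tag[len(NS) + 2:]                          # strip the "{namespace}" prefix
    if tag == "AttributeValue":
        return node.text
    if tag.endswith("AttributeDesignator"):               # Subject/Resource/Action/Environment
        return list(ctx.get(tag[:-len("AttributeDesignator")].lower(), {}).get(node.get("AttributeId"), []))
    args = [evaluate_expr(c, ctx) for c in node]          # <Apply>: operands first, then the function
    fn = node.get("FunctionId")
    if fn == F + "string-equal":
        return args[0] == args[1]
    if fn == F + "string-one-and-only" and len(args[0]) == 1:
        return args[0][0]
    raise ValueError(f"unsupported function or bad bag size: {fn}")  # the Rule becomes Indeterminate

def target_matches(target, ctx):
    """Each group (Subjects, Resources, ...) needs one alternative whose string-equal Matches all hold."""
    return all(any(all(m.get("MatchId") == F + "string-equal" and
                       evaluate_expr(m[0], ctx) in evaluate_expr(m[1], ctx) for m in alt)
                   for alt in group) for group in (target if target is not None else []))

def rule_decision(rule, ctx):
    """Permit / Deny / NotApplicable, or Indeterminate when evaluation raised an error."""
    try:
        cond = rule.find(f"{{{NS}}}Condition")
        if not target_matches(rule.find(f"{{{NS}}}Target"), ctx) or (
                cond is not None and not evaluate_expr(cond[0], ctx)):
            return "NotApplicable"
        return rule.get("Effect")
    except ValueError:
        return "Indeterminate"

def combine(alg, results):
    """deny-overrides / permit-overrides over (rule Effect, decision) pairs, as in XACML 2.0."""
    win = {ALG + "deny-overrides": "Deny", ALG + "permit-overrides": "Permit"}[alg]
    lose = "Permit" if win == "Deny" else "Deny"
    decisions = [d for _, d in results]
    if win in decisions:
        return win
    if any(d == "Indeterminate" and eff == win for eff, d in results):
        return "Deny" if win == "Deny" else "Indeterminate"  # fail safe: an error never yields Permit
    if lose in decisions:
        return lose
    return "Indeterminate" if "Indeterminate" in decisions else "NotApplicable"

def evaluate(policy_xml, ctx):
    """PDP entry point: (decision, obligation ids the PEP must fulfil for that decision)."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(f"{{{NS}}}Target"), ctx):
        return "NotApplicable", []
    decision = combine(policy.get("RuleCombiningAlgId"),
                       [(r.get("Effect"), rule_decision(r, ctx)) for r in policy.findall(f"{{{NS}}}Rule")])
    return decision, [o.get("ObligationId") for o in policy.iter(f"{{{NS}}}Obligation")
                      if o.get("FulfillOn") == decision]

def request(subject, owner, legal_hold=False):
    """Constructed request context (a real PEP would send an XACML <Request> document)."""
    return {"subject": {SUBJECT_ID: [subject]},
            "resource": {"urn:example:resource-type": ["401k-record"], "urn:example:owner": [owner],
                         "urn:example:legal-hold": [str(legal_hold).lower()]}}

if __name__ == "__main__":  # own record -> Permit + obligation; someone else's -> NotApplicable; hold -> Deny
    for ctx in (request("alice", "alice"), request("alice", "bob"), request("alice", "alice", legal_hold=True)):
        print(evaluate(POLICY_XML, ctx))
```

Three outcomes are worth noting. Alice reading her own record is permitted together with the log-access obligation, which the PEP must fulfil before it grants access. Alice reading Bob's record yields NotApplicable rather than Deny, because no rule's Target and Condition both hold; it is the PEP's job to treat anything other than Permit as a denial, and a PEP that only checks for the absence of Deny would let that request through. When the legal-hold rule also applies, deny-overrides resolves the Permit/Deny conflict to Deny. A rule that fails to evaluate (for instance, two subject-id values where string-one-and-only expects one) becomes Indeterminate: deny-overrides turns that into Deny when the failing rule could have denied, and permit-overrides never turns it into Permit.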

  8. XACML 2.0 Profiles
     • Digital Signature
       • Integrity protection of policies
     • Hierarchical Resources
       • Using XACML to protect files, directory entries, web pages
     • Privacy
       • Determine the “purpose” of access
     • RBAC
       • Support the ANSI RBAC profile with XACML
     • SAML Integration
       • XACML-based decision request
       • Fetch applicable policies
       • Attribute alignment

  9. XACML Benefits
     • Standard policy language
       • Investment protection
       • Skills reuse
       • Creates a market for analysis tools
       • Leverage XML tools
     • Policy not in application code
       • Reduced cost of changes
       • Consistent application
       • Enables audit
