
XACML

XACML. Gyanasekaran Radhakrishnan. Raviteja Kadiyam. What is XACML? XACML is a general-purpose access control policy language. It provides a syntax (defined in XML) for managing access to resources. XACML is an OASIS standard.



Presentation Transcript


  1. XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.

  2. What is XACML?
     • XACML is a general-purpose access control policy language.
     • It provides a syntax (defined in XML) for managing access to resources.
     • XACML is an OASIS standard.
     • The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc.
     • The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result.
     • The response always includes an answer about whether the request should be allowed, using one of four values: Permit, Deny, Indeterminate or Not Applicable.

  3. XACML – General Usage Scenario
     • A subject (e.g. human user, workstation) wants to take some action on a particular resource.
     • The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP).

  4. Request and Response Context
     • Request Context
       • Attributes of:
         • Subjects – requester, intermediary, recipient, etc.
         • Resource – name, can be hierarchical
         • Resource Content – specific to resource type, e.g. XML document
         • Action – e.g. Read
         • Environment – other, e.g. time of request
     • Response Context
       • Resource ID
       • Decision
       • Status (error values)
       • Obligations

  5. Policies and Policy Sets
     • Policy
       • Smallest element the PDP can evaluate
       • Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm
     • Policy Set
       • Allows Policies and Policy Sets to be combined
       • Use not required
       • Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm
     • Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable

  6. Rules
     • Smallest unit of administration; cannot be evaluated alone
     • Elements
       • Description – documentation
       • Target – select applicable policies
       • Condition – boolean decision function
       • Effect – either “Permit” or “Deny”
     • Results
       • If condition is true, return Effect value
       • If not, return NotApplicable
       • If error or missing data, return Indeterminate
       • Plus status code

  7. * (diagram slide; see the credit marked * in slide 12)

  8. Targets
     • Designed to efficiently find the elements (policies, rules) that apply to a request
     • Makes it feasible to have very complex Conditions
     • Attributes of Subjects, Resources and Actions
     • Matches against value, using a match function
       • Regular expression
       • RFC822 (email) name
       • X.500 name
       • User defined
     • Attributes specified by Id or XPath expression
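Slides 4 to 8 describe the moving parts of a decision (request-context attribute categories, targets with match functions, rules yielding one of the four decision values, and combining algorithms) without showing them working together. The following is an added example, not code from the presentation or from any XACML implementation, that models those parts as a minimal policy decision point in Python. The policy, attribute names (subject/email, resource/id, resource/status, action/id) and requests are constructed for the illustration; the combining algorithms are simplified in that an Indeterminate rule result is propagated as is rather than resolved by the rule's effect as the XACML specification does.

```python
# Minimal XACML-style policy decision point (PDP). Added illustration for the
# slides above, not code from the presentation or from any XACML product: it
# models attribute categories of the request context (slide 4), targets with
# match functions (slide 8), rules with the four decision values (slides 2, 6)
# and the combining algorithms (slide 5). Policies and requests are constructed.
import re
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Dict[str, str]]      # category -> attribute name -> value
Matcher = Callable[[Request], bool]      # a target or condition predicate


class MissingAttribute(Exception):
    """A target or condition needs an attribute the request does not carry."""


def attr(req: Request, category: str, name: str) -> str:
    try:
        return req[category][name]
    except KeyError:
        raise MissingAttribute(f"{category}/{name}") from None


# Target match functions: each closes over the attribute to test and returns a Matcher.
def string_equal(category: str, name: str, value: str) -> Matcher:
    return lambda req: attr(req, category, name) == value


def regexp_match(category: str, name: str, pattern: str) -> Matcher:
    return lambda req: re.fullmatch(pattern, attr(req, category, name)) is not None


def rfc822_name_match(category: str, name: str, domain: str) -> Matcher:
    # Domain-only form of the RFC822 name match: any local part, case-insensitive domain.
    return lambda req: attr(req, category, name).rpartition("@")[2].lower() == domain.lower()


class Rule:
    def __init__(self, effect: str, target: Optional[Matcher] = None,
                 condition: Optional[Matcher] = None) -> None:
        self.effect, self.target, self.condition = effect, target, condition

    def evaluate(self, req: Request) -> str:
        # Slide 6: Effect when target and condition hold, NotApplicable when not,
        # Indeterminate on error or missing data.
        try:
            if self.target is not None and not self.target(req):
                return NOT_APPLICABLE
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE
            return self.effect
        except MissingAttribute:
            return INDETERMINATE


# Combining algorithms over a list of rule decisions (slide 5). Simplified:
# Indeterminate is propagated as is rather than resolved by the rule's effect
# as the XACML specification does.
def deny_overrides(decisions: List[str]) -> str:
    return next((d for d in (DENY, INDETERMINATE, PERMIT) if d in decisions), NOT_APPLICABLE)


def permit_overrides(decisions: List[str]) -> str:
    return next((d for d in (PERMIT, INDETERMINATE, DENY) if d in decisions), NOT_APPLICABLE)


def first_applicable(decisions: List[str]) -> str:
    return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)


def only_one_applicable(decisions: List[str]) -> str:
    # Defined in XACML for combining policies; applied to rule decisions here for illustration.
    applicable = [d for d in decisions if d != NOT_APPLICABLE]
    return INDETERMINATE if len(applicable) > 1 else (applicable[0] if applicable else NOT_APPLICABLE)


class Policy:
    def __init__(self, rules: List[Rule], combine: Callable[[List[str]], str],
                 target: Optional[Matcher] = None) -> None:
        self.rules, self.combine, self.target = rules, combine, target

    def evaluate(self, req: Request) -> str:
        try:
            if self.target is not None and not self.target(req):
                return NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE
        return self.combine([r.evaluate(req) for r in self.rules])


# Constructed policy: staff of example.org may read anything under /docs/, and
# archived documents may never be deleted, whoever asks (Deny-overrides wins ties).
DOCS_POLICY = Policy(
    target=regexp_match("resource", "id", r"/docs/.*"),
    combine=deny_overrides,
    rules=[
        Rule(DENY, target=string_equal("action", "id", "delete"),
             condition=string_equal("resource", "status", "archived")),
        Rule(PERMIT, target=rfc822_name_match("subject", "email", "example.org"),
             condition=string_equal("action", "id", "read")),
    ],
)


def decide(subject: Dict[str, str], resource: Dict[str, str], action: str) -> str:
    """What a PEP would do: build the request context and ask the PDP for a decision."""
    req: Request = {"subject": subject, "resource": resource,
                    "action": {"id": action}, "environment": {}}
    return DOCS_POLICY.evaluate(req)
```

Calling `decide({"email": "alice@example.org"}, {"id": "/docs/plan.txt", "status": "live"}, "read")` yields Permit, a delete of an archived document yields Deny for any subject, a subject outside example.org gets NotApplicable, and a request with no email attribute at all gets Indeterminate because the Permit rule's target cannot be evaluated. That last case is the one worth noticing when deploying a PDP: a missing attribute is not a Deny, so the PEP must decide what to do with Indeterminate and NotApplicable rather than treating anything other than Permit as an error.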

  9. Advantages:
     • ONE STANDARD access control policy language for ALL organizations.
     • Administrators save time and money because they don't need to rewrite their policies in many different languages.
     • Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.

  10. Disadvantages:
     • XACML does not explicitly require the specification of purpose or intent, which is often associated with a privacy policy.
     • XACML is complex in some ways and verbose. Interactions involving PAP, PIP, etc., are not standardized.
     • Policy administration, policy versioning, etc., are not standardized.
     • No feature for temporary authorization.

  11. References:
     • [1] OASIS XACML Technical Committee, Core Specification: eXtensible Access Control Markup Language (XACML), 2005.
     • [2] OASIS XACML v3.0 Administration and Delegation Profile Version 1.0, http://www.oasis-open.org, 2009.
     • [3] SAML 2.0 profile of XACML, version 2, July 2007. http://www.oasis-open.org/committees/download.php/24681/xacml-profile-saml2.0-v2-spec-wd-5-en.pdf
     • [4] Dieter Spahni, "Managing Access to Distributed Resources," Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04), Track 4, vol. 4, p. 40094b, 2004.

  12. • [5] IETF RFC 3198, Terminology for Policy-Based Management, http://tools.ietf.org/html/rfc3198
      • [6] M. Satyanarayanan, A Survey of Distributed File Systems, Annual Review of Computer Science, 1989.
      • [7] Prathima Rao, Dan Lin, and Elisa Bertino, XACML Function Annotations, in Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY '07), IEEE Computer Society, Washington, DC, USA, 2007, pp. 178-182.
      • * – diagram borrowed from courses.cs.vt.edu/~cs5204/fall08.../Oct21-Authorization-XACML.ppt

  13. Thank You.
