Published by Stewart O’Connor. Modified over 8 years ago.
Slide 1: OASIS eXtensible Access Control Markup Language (XACML)
Hal Lockhart, hal.lockhart@entegrity.com
Slide 2: Outline
- Overview & Theory
- XACML Charter and Objectives
- Concepts and processing
- Rules, Policies and Policy Sets
- Request and Response Contexts
- XACML Status
Slide 3: First a Little Theory (diagram)
Components shown: Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point, Credentials Collector, System Entity, Application Request.
Artifacts shown: Credentials, Credentials Assertion, Authentication Assertion, Attribute Assertion, Authorization Decision Assertion, Policy.
Slide 4: Types of Authorization Info - 1
- Attribute Assertion
  - Properties of a system entity (typically a person)
  - Relatively abstract – business context
  - Same attribute used in multiple resource decisions
  - Examples: X.509 Attribute Certificate, SAML Attribute Statement, XrML PossessProperty
- Authorization Policy
  - Specifies all the conditions required for access
  - Specifies the detailed resources and actions (rights)
  - Can apply to multiple subjects, resources, times…
  - Examples: XACML Policy, XrML License, X.509 Policy Certificate
Slide 5: Types of Authorization Info - 2
- AuthZ Decision
  - Expresses the result of a policy decision
  - Specifies a particular access that is allowed
  - Intended for immediate use
  - Examples: SAML AuthZ Decision Statement, IETF COPS
Slide 6: Implications of this Model
- Benefits
  - Improved scalability
  - Separation of concerns
  - Enables federation
- Distinctions not absolute
  - Attributes can seem like rights
  - A policy may apply to one principal, one resource
  - Systems with a single construct tend to evolve toward treating principal or resource as an abstraction
Slide 7: XACML TC Charter
- Define a core XML schema for representing authorization and entitlement policies
- Target - any object - referenced using XML
- Fine-grained control; characteristics - access requestor, protocol, classes of activities, and content introspection
- Consistent with and building upon SAML
Slide 8: XACML Membership
- Affinitex
- Crosslogix
- Entegrity Solutions
- Entrust
- Hitachi (Quadrasis)
- IBM
- OpenNetworks
- Overxeer, inc.
- Pervasive Security Systems
- Sterling Commerce
- Sun Microsystems
- Xtradyne
- Various individual members
Slide 9: XACML Objectives
- Ability to locate policies in a distributed environment
- Ability to federate administration of policies about the same resource
- Base decisions on a wide range of inputs
  - Multiple subjects, resource properties
- Decision expressions of unlimited complexity
- Ability to do policy-based delegation
- Usable in many different environments
  - Types of Resources, Subjects, Actions
  - Policy location and combination
Slide 10: General Characteristics
- Defined using XML Schema
- Strongly typed language
- Extensible in multiple dimensions
- Borrows from many other specifications
- Features requiring XPath are optional
- Obligation feature optional (IPR issue)
- Language is very “wordy”
  - Many long URLs
- Expect it to be generated by programs
- Complex enough that there is more than one way to do most things
Slide 11: XACML Concepts
- Policy & PolicySet – combining of applicable policies using a CombiningAlgorithm
- Target – rapidly index to find applicable Policies or Rules
- Conditions – complex boolean expression with many operands, arithmetic & string functions
- Effect – “Permit” or “Deny”
- Obligations – other required actions
- Request and Response Contexts – input and output
- Bag – unordered list which may contain duplicates
Slide 12: XACML Concepts (diagram)
Labels shown: PolicySet, Policies, Obligations, Rules, Target, Obligations, Condition, Effect, Target.
Slide 13: Request and Response Context (diagram)
Slide 14: Rules
- Smallest unit of administration; cannot be evaluated alone
- Elements
  - Description – documentation
  - Target – select applicable policies
  - Condition – boolean decision function
  - Effect – either “Permit” or “Deny”
- Results
  - If condition is true, return Effect value
  - If not, return NotApplicable
  - If error or missing data, return Indeterminate
  - Plus status code
Slide 15: Target
- Designed to efficiently find the policies that apply to a request
- Makes it feasible to have very complex Conditions
- Attributes of Subjects, Resources and Actions
- Matches against value, using a match function
  - Regular expression
  - RFC822 (email) name
  - X.500 name
  - User defined
- Attributes specified by Id or XPath expression
- Normally use Subject or Resource, not both
Slide 16: Condition
- Boolean function to decide if Effect applies
- Inputs come from Request Context
- Values can be primitive, complex or bags
- Can be specified by id or XPath expression
- Fourteen primitive types
- Rich array of typed functions defined
- Functions for dealing with bags
- Order of evaluation unspecified
- Allowed to quit when result is known
- Side effects not permitted
Slide 17: Datatypes
- From XML Schema
  - string, boolean
  - integer, double
  - time, date, dateTime
  - anyURI
  - hexBinary, base64Binary
- From XQuery
  - dayTimeDuration
  - yearMonthDuration
- Unique to XACML
  - rfc822Name
  - x500Name
Slide 18: Functions
- Equality predicates
- Arithmetic functions
- String conversion functions
- Numeric type conversion functions
- Logical functions
- Arithmetic comparison functions
- Date and time arithmetic functions
- Non-numeric comparison functions
- Bag functions
- Set functions
- Higher-order bag functions
- Special match functions
- XPath-based functions
- Extension functions and primitive types
Slide 19: Policies and Policy Sets
- Policy
  - Smallest element a PDP can evaluate
  - Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm
- Policy Set
  - Allows Policies and Policy Sets to be combined
  - Use not required
  - Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm
- Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable
Slide 20: Request and Response Context
- Request Context – attributes of:
  - Subjects – requester, intermediary, recipient, etc.
  - Resource – name, can be hierarchical
  - Resource Content – specific to resource type, e.g. XML document
  - Action – e.g. Read
  - Environment – other, e.g. time of request
- Response Context
  - Resource ID
  - Decision
  - Status (error values)
  - Obligations
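The rule semantics of slide 14 (Target, Condition, Effect, and the NotApplicable/Indeterminate results), the combining algorithms of slide 19 and the request context of slide 20, worked through as an added example that is not code from the presentation: a small Python model that evaluates a constructed two-rule policy against a flattened request context. The attribute identifiers, the policy and the requests are invented for illustration; the deny-/permit-overrides logic follows the XACML 1.0 pseudo-code, which is more than the slides spell out.

```python
# Added example (not from the slides): a minimal model of XACML rule
# evaluation (Target -> Condition -> Effect) and rule-combining algorithms
# over a constructed, flattened request context (attribute id -> value).
from collections import namedtuple

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
# effect: "Permit"/"Deny"; target: attributes the request must match;
# condition: boolean function of the context, or None
Rule = namedtuple("Rule", "effect target condition")

def evaluate_rule(rule, ctx):
    """Target miss -> NotApplicable; Condition true -> Effect, false ->
    NotApplicable; missing attribute or type error -> Indeterminate."""
    if any(ctx.get(k) != v for k, v in rule.target.items()):
        return NA
    try:
        return rule.effect if rule.condition is None or rule.condition(ctx) else NA
    except (KeyError, TypeError):
        return INDET

def overrides(rules, ctx, winner):
    """Deny-overrides (winner=DENY) or permit-overrides (winner=PERMIT) as in
    the XACML 1.0 pseudo-code; an Indeterminate rule whose Effect is the
    winner counts as a potential win, so the caller gets the safe answer."""
    other = PERMIT if winner == DENY else DENY
    potential_win = saw_other = saw_error = False
    for r in rules:
        d = evaluate_rule(r, ctx)
        if d == winner:
            return winner
        saw_other = saw_other or d == other
        if d == INDET:
            saw_error = True
            potential_win = potential_win or r.effect == winner
    if potential_win:
        return winner
    return other if saw_other else (INDET if saw_error else NA)

def first_applicable(rules, ctx):
    """First rule whose result is not NotApplicable decides."""
    for r in rules:
        d = evaluate_rule(r, ctx)
        if d != NA:
            return d
    return NA

# Constructed policy: attending doctors may read a record, but any read
# outside 08:00-18:00 is denied. Attribute ids are illustrative only.
RULES = [Rule(PERMIT, {"subject:role": "doctor", "action": "read"},
              lambda c: c["subject:id"] in c["resource:attending-doctors"]),
         Rule(DENY, {"action": "read"}, lambda c: not 8 <= c["env:hour"] < 18)]
```

Run the same request through `overrides(RULES, ctx, DENY)` and `first_applicable(RULES, ctx)` to see why slide 19 lists the algorithm as part of the Policy: a night-time read is denied under deny-overrides but permitted under first-applicable, because the Permit rule comes first.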
Slide 21: XACML Status
- First Meeting – 21 May 2001
- Weekly or bi-weekly calls – 7 F2F Meetings
- Requirements from: Healthcare, DRM, Registry, Financial, Online Web, XML Docs, Fed Gov, Workflow, Java, Policy Analysis, WebDAV
- Deliverables: Glossary, Use Cases & Requirements, Domain Model, 2 Schemas, Policy Semantics, Conformance Tests, Profiles, Security & Privacy Considerations, Extensibility Points
- Committee Specification – 7 November 2002
- Public Comment Period – 8 November to 8 December
- Submit to OASIS – possibly December 12