
Valentina Casola » 7. XACML: eXtensible Access Control Markup Language


Introduction to Access Control


Access Control


Introduction to XACML

  • XACML defines a general policy language used to protect resources as well as an access decision language.
  • The markup language has been approved and standardized by OASIS.

Introduction to XACML (follows)

Request Context

<request>
<subject>
<value>John</value>
</subject>
<resource>
<value>PatientRecord1.doc</value>
</resource>
<action>
<value>R</value>
</action>
</request>

Introduction to XACML (follows)

XACML Policy

<rule effect="permit">
<target>
<subject>
<value>John</value>
</subject>
<resource>
<value>PatientRecord1.doc</value>
</resource>
<action>
<value>R</value>
</action>
</target>
</rule>

Introduction to XACML (follows)

Response Context

<response>
<decision>
<value>Permit</value>
</decision>
</response>

Introduction to XACML (follows)

How does XACML Work?



XACML Schemas

Request Schema

Request
Subject
Resource
Action

XACML Schemas (follows)

Policy Schema

PolicySet (Combining Alg)
Policy* (Combining Alg)
Rule* (Effect)
Subject*
Resource*
Action
Condition*
Obligation*

XACML Schemas (follows)

Response Schema

Response
Decision
Obligation*

XACML Framework (Data flow model)


Main Entities

  • Policy decision point (PDP) – The system entity that evaluates applicable policy and renders authorization decision.
  • Policy enforcement point (PEP) – The system entity that performs access control, by making decision requests and enforcing authorization decisions.
  • Policy information point (PIP) – The system entity that acts as a source of attribute values.
  • Context handler - The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
  • Policy administration point (PAP) – The system entity that creates a policy or policy set.

Operational steps

  1. PAPs write policies and policy sets and make them available to the PDP. These policies or policy sets represent the complete policy for a specified target.
  2. The access requester sends a request for access to the PEP.
  3. The PEP sends the request for access to the context handler in its native request format, optionally including attributes of the subjects, resource and action. The context handler constructs an XACML request context in accordance with steps 4, 5, 6 and 7.
  4. Subject, resource and environment attributes may be requested from a PIP.
  5. The PIP obtains the requested attributes.
  6. The PIP returns the requested attributes to the context handler.

Operational steps (follows)

  7. Optionally, the context handler includes the resource in the context.
  8. The context handler sends a decision request, including the target, to the PDP. The PDP identifies the applicable policy and retrieves the required attributes and (optionally) the resource from the context handler. The PDP evaluates the policy.
  9. The PDP returns the response context (including the authorization decision) to the context handler.
  10. The context handler translates the response context to the native response format of the PEP. The context handler returns the response to the PEP.
  11. The PEP fulfills the obligations.
  12. (Not shown) If access is permitted, then the PEP permits access to the resource; otherwise, it denies access.

XACML: usage scenario

Policy Enforcement Point

  • A subject (e.g. human user, workstation) wants to take some action on a particular resource.
  • The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP).

XACML: usage scenario (follows)

Policy Enforcement Point

  • The PEP forms a request (using the XACML request language) based on the attributes of the:
    • Subject.
    • Action.
    • Resource.
    • Other relevant information: privacy parameters.

XACML: usage scenario (follows)

Policy Decision Point

  • It does the following:
    • Receives and examines the request.
    • Retrieves applicable policies (written in the XACML policy language).
    • Determines whether access should be granted.
    • Returns the access decision to the PEP.

XACML Framework (Policy Language Model)


Policy language model

The main components of the language model are:

  • Rule.
  • Policy.
  • Policy Set.

Policy language model: rule

A rule is the most elementary unit of policy.

The main components of a rule are:

  • a target;
  • an effect;
  • a condition.
  • The target defines the set of resources, subjects, actions and environment to which the rule applies.
  • The effect of the rule indicates the rule-writer’s intended consequence of a “True” evaluation for the rule. Two values are allowed: “Permit” and “Deny”.
  • The condition is a boolean expression that refines the applicability predicates implied by the target. It may be absent.

Policy language model: policy

  • A policy comprises four main components:
    • a target;
    • a rule-combining algorithm-identifier;
    • a set of rules;
    • obligations.
  • The target defines the set of resources, subjects, actions and environment to which the policy applies.
  • The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy.
  • The policy contains a set of rules, and obligations that will be executed by the PEP.

Policy language model: policy set

A policy set comprises four main components:

  • a target;
  • a policy-combining algorithm-identifier;
  • a set of policies;
  • obligations.

Policy & Rule Combining algorithms

Permit Overrides

  • If a single rule permits a request, irrespective of the other rules, the result of the PDP is Permit.

Deny Overrides

  • If a single rule denies a request, irrespective of the other rules, the result of the PDP is Deny.

First Applicable

  • The result of the first applicable rule that satisfies the request is the result of the PDP.

Only-one-applicable

  • If there are two rules with different effects for the same request, the result is Indeterminate.

Policy & Rule Combining algorithms (follows)

Conditions

  • Declarative use of boolean expressions.
  • Use of environment variables such as time.
    • E.g., John can access patientrecord1.doc only between 9am and 4pm.

Obligations

  • An operation specified in a policy or policy set that should be performed in conjunction with the enforcement of an authorization decision.
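The four combining algorithms and the time condition above, run against the page's John / PatientRecord1.doc / R example. This is an added example, not part of the original slides; the function names, the conflicting Deny rule and the simplified precedence (it does not track which effect an Indeterminate rule would have had) are assumptions.

```python
from datetime import time

PERMIT, DENY, NA, INDET = "Permit", "Deny", "NotApplicable", "Indeterminate"
TARGET = {"subject": "John", "resource": "PatientRecord1.doc", "action": "R"}
# Constructed rule set: the page's time-limited Permit plus a hypothetical conflicting Deny.
RULES = [
    {"effect": PERMIT, "target": TARGET,
     "condition": lambda req: time(9) <= req["time"] <= time(16)},
    {"effect": DENY, "target": TARGET},
]

def evaluate_rule(rule, req):
    """Match the target, then the optional condition; only then does the effect apply."""
    if any(req.get(k) != v for k, v in rule["target"].items()):
        return NA
    cond = rule.get("condition")
    if cond is None:
        return rule["effect"]
    try:
        return rule["effect"] if cond(req) else NA
    except (KeyError, TypeError):
        return INDET  # attribute needed by the condition is missing or malformed

def combine(algorithm, rules, req):
    """Combine the per-rule results into one PDP decision."""
    results = [evaluate_rule(r, req) for r in rules]
    hits = [d for d in results if d != NA]
    if algorithm == "first-applicable":
        return hits[0] if hits else NA
    if algorithm == "only-one-applicable":
        # More than one applicable rule is ambiguous, e.g. two rules with different effects.
        return NA if not hits else hits[0] if len(hits) == 1 else INDET
    if algorithm not in ("permit-overrides", "deny-overrides"):
        raise ValueError("unknown combining algorithm: %s" % algorithm)
    # Simplified precedence: overriding effect > Indeterminate > other effect.
    winner, loser = (PERMIT, DENY) if algorithm == "permit-overrides" else (DENY, PERMIT)
    return next((d for d in (winner, INDET, loser) if d in hits), NA)

def pep_allows(decision):
    """Fail closed: anything other than an explicit Permit is refused."""
    return decision == PERMIT
```

With the same two rules, a 9:40 request yields Permit, Deny, Permit or Indeterminate depending only on the algorithm chosen, which is why the combining algorithm is as security-relevant as the rules themselves.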

XACML Structure

<Request
    xmlns="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:db="db_acad">


XACML Structure (follows)

<Subject>
  <Attribute
      AttributeId="db_acad_users_user_username"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>student4</AttributeValue>
  </Attribute>
</Subject>


XACML Structure (follows)

<Resource>
  <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>sub2</AttributeValue>
  </Attribute>
</Resource>


XACML Structure (follows)

<Action>
  <Attribute
      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>view</AttributeValue>
  </Attribute>
</Action>


XACML Structure (follows)

<Environment>
  <Attribute
      AttributeId="current-time"
      DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>9:40 am</AttributeValue>
  </Attribute>
</Environment>
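The request fragments above, joined into one document and flattened into attributes the way a context handler or PDP might read them. This is an added example, not part of the original slides; `parse_request`, the whitespace padding in the sample, the closing `</Request>` tag and the strictness checks are assumptions.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed sample: the page's four fragments joined into one document, with
# values padded by whitespace and a closing </Request> added here.
REQUEST_XML = """<Request xmlns="{ctx}">
 <Subject><Attribute AttributeId="db_acad_users_user_username" DataType="{t}">
  <AttributeValue> student4 </AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="{t}">
  <AttributeValue> sub2 </AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="{t}">
  <AttributeValue> view </AttributeValue></Attribute></Action>
 <Environment><Attribute AttributeId="current-time" DataType="{t}">
  <AttributeValue> 9:40 am </AttributeValue></Attribute></Environment>
</Request>""".format(ctx=CTX, t=STR)

def parse_request(xml_text):
    """Flatten a request context into {category: {AttributeId: value}}."""
    # For requests from untrusted senders, parse with a hardened XML parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Request" % CTX:
        raise ValueError("not an XACML 1.0 request context")
    ns = {"ctx": CTX}
    attrs = {}
    for category in ("Subject", "Resource", "Action", "Environment"):
        bag = attrs[category] = {}
        for attr in root.findall("ctx:%s/ctx:Attribute" % category, ns):
            attr_id = attr.get("AttributeId")
            # Normalize whitespace so string-equality matching in rules is reliable.
            value = attr.findtext("ctx:AttributeValue", default="", namespaces=ns).strip()
            # Simplification: multi-valued attributes are rejected, not modelled.
            if not attr_id or not value or attr_id in bag:
                raise ValueError("missing, empty or duplicated attribute in %s" % category)
            bag[attr_id] = value
    # Strictness choice of this example: refuse to evaluate an incomplete request.
    for category in ("Subject", "Resource", "Action"):
        if not attrs[category]:
            raise ValueError("request has no %s attributes" % category)
    return attrs
```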


XACML Structure (follows)


XACML – Policy Structure


XACML – Response Structure


XACML – Response Structure (follows)

<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>


XACML – Response Structure (follows)

<Decision>
Permit
</Decision>


XACML – Response Structure (follows)

<Status>
  <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>


XACML – Response Structure (follows)

<Obligations>
  <Obligation ObligationId="email" FulfillOn="Permit">
    <AttributeAssignment AttributeId="mailto"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      //context:ResourceContent/db:user/db:email/text()
    </AttributeAssignment>
    <AttributeAssignment AttributeId="text"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      Your marks have been accessed by the Dean for the purpose of Creation of GradeSheet.
    </AttributeAssignment>
  </Obligation>
</Obligations>


Lesson support materials

XACML Core Specification Documents [access_control-xacml-2.0-core-spec-os.pdf]

Survey on XML-Based Policy Languages for Open Environments [Mariemma I. Yagüe]

"Campus Virtuale" project of the Università degli Studi di Napoli Federico II, carried out with co-financing from the European Union. Axis V - Information society - Operational Objective 5.1 e-Government and e-Inclusion