policy based access control
Post on 19-Jan-2017
TRANSCRIPT
Policy-based access control
Willem De Groef, iMinds-DistriNet
Willem.DeGroef@kuleuven.be

A policy is:
● a software artifact
● a declarative specification of access rules
● independent from the enforcement mechanism
General Access Control System
[Figure: a User (also called subject or principal) requests an Action on a Protected resource; a Guard sits between the two and mediates every request. This is the reference-monitor model.]
Designing such a system raises two questions:
1. How and where to implement the guard
2. How to encode the access rules
Basic approach: rules in code

    [....]
    if (! ("manager" in user.roles
           and doc.owner == user
           and 8h00 < now() < 17h00)) {
        [...]
    }

+ straightforward
+ you can encode almost anything
- access rules are code
- no separation of concerns
- no modularity, so auditing the rules means reading all of the application code
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
More advanced approach: modularization

    @authz(user, "read", result)
    public Document getDoc(docId) { [...] }

    public boolean authz(subject, action, resource) {
        if (! ("manager" in subject.roles and ...)) { [...] }
    }

+ central definition of rules
+ easier to audit
- access rules are still code
- IT is still in charge: every rule change goes through the developers
- no separation of concerns
- what if rules change?
  ▪ update application code
  ▪ updates all over the place
Most advanced approach: policy-based

    @authz(user, "read", result)
    public Document getDoc(docId) { [...] }

[Figure: the authz guard no longer contains any rules; it hands (subject, action, resource) to a Policy Decision Point, which evaluates a separately managed Policy and returns the decision.]

+ central authorization logic
+ central definition of rules
+ easy to audit
+ access rules are independent artifacts
+ clear separation of concerns
+ rule updates at run-time
Example: dynamic separation of duty as an XACML policy

    <Policy PolicyId="dynamic-separation-of-duty" RuleCombiningAlgId="deny-overrides">
      <Description>Dynamic separation of duty</Description>
      <Target>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="string-equal">
              <AttributeValue DataType="string">doc123</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
      <Rule RuleId="deny" Effect="Deny">
        <Description>Deny if viewed other doc</Description>
        <Condition>
          <Apply FunctionId="string-is-in">
            <AttributeValue DataType="string">doc456</AttributeValue>
            <SubjectAttributeDesignator AttributeId="subject:history" DataType="string"/>
          </Apply>
        </Condition>
      </Rule>
      <Rule RuleId="default-permit" Effect="Permit">
      </Rule>
      <Obligations>
        <!-- On Permit the enforcement point must append the requested resource id to the
             subject's history attribute; the deny rule above consults that history on
             later requests. -->
        <Obligation ObligationId="append-attribute" FulfillOn="Permit">
          <AttributeAssignment AttributeId="value" DataType="string">
            <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
          </AttributeAssignment>
          <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment>
        </Obligation>
      </Obligations>
    </Policy>
Independent declarative policy specification
Simple Tree-structured Attribute-based Policy Language (STAPL)
https://goo.gl/F2RE8g
    val policy = Policy("e-health example") :=
      when ((action.id === "view") &
            (resource.type_ === "patient-data") &
            ("physician" in subject.roles))
      apply PermitOverrides to (
        Rule("requirement-for-permit") := permit
          iff (resource.owner_id in subject.treated),
        Rule("default deny") := deny
      )
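The three slides above (the rules-in-code / modularized / policy-based progression, the XACML dynamic-separation-of-duty policy and the STAPL e-health policy) all rest on the same architecture: a guard that holds no rules and a decision point that evaluates policies kept as data. The following is an added example, not code from the slides, from STAPL or from any XACML engine, that implements that architecture in Python. The attribute names (subject.history, resource.owner_id, subject.treated) and identifiers (doc123, doc456, "e-health example") are taken from the slides; the class names, the split into `PDP.evaluate` and `PEP.allowed`, and the request data in `run_scenarios` are assumptions of the example.

```python
"""Minimal PDP/PEP. Added example, not code from the slides, STAPL or an XACML engine: rules are
data the PDP evaluates, the application only calls the guard (PEP), policies load at run time.
DSOD/EHEALTH re-express the slides' XACML and STAPL policies; other names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Obligation = Tuple[str, str, Callable[[dict], dict]]  # (id, fulfill_on, attribute assignments)

@dataclass
class Rule:
    rule_id: str
    effect: str                                           # "Permit" or "Deny"
    condition: Callable[[dict], bool] = lambda ctx: True  # no condition: rule always applies

@dataclass
class Policy:
    policy_id: str
    target: Callable[[dict], bool]                        # which requests the policy covers
    combining: str                                        # "deny-overrides" / "permit-overrides"
    rules: List[Rule]
    obligations: List[Obligation] = field(default_factory=list)

def combine(effects: List[str], algorithm: str) -> str:   # empty list -> NotApplicable
    if not effects:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm {algorithm}")

class PDP:
    """Central authorization logic: evaluates the loaded policies against a request context."""
    def __init__(self, *policies: Policy) -> None:
        self.policies = list(policies)

    def load(self, policy: Policy) -> None:
        self.policies.append(policy)                      # rule update at run time

    def evaluate(self, ctx: dict) -> Tuple[str, List[Tuple[str, dict]]]:
        effects, pending = [], []
        for policy in self.policies:
            if not policy.target(ctx):
                continue
            effect = combine([r.effect for r in policy.rules if r.condition(ctx)], policy.combining)
            if effect != "NotApplicable":
                effects.append(effect)
                pending.extend((ob, effect) for ob in policy.obligations)
        final = combine(effects, "deny-overrides")        # across policies, deny wins
        obligations = [(oid, args(ctx)) for (oid, on, args), effect in pending
                       if on == final == effect]          # only obligations of the winning effect
        return final, obligations

class PEP:
    """The guard: it holds no rules; it enforces the PDP's decision and its obligations."""
    def __init__(self, pdp: PDP, handlers: Dict[str, Callable[[dict, dict], None]]) -> None:
        self.pdp, self.handlers = pdp, handlers

    def allowed(self, subject: dict, action: dict, resource: dict) -> bool:
        effect, obligations = self.pdp.evaluate({"subject": subject, "action": action, "resource": resource})
        if effect != "Permit":
            return False                                  # Deny and NotApplicable both fail closed
        for oid, args in obligations:
            if oid not in self.handlers:
                return False                              # cannot discharge the obligation: deny
            self.handlers[oid](subject, args)
        return True

def append_attribute(subject: dict, args: dict) -> None:
    """Obligation handler: append args['value'] to the subject attribute named in args."""
    subject.setdefault(args["attribute-id"].split(":", 1)[1], []).append(args["value"])

# Slides' XACML policy: deny doc123 if the subject's history holds doc456; else permit and record doc123.
DSOD = Policy("dynamic-separation-of-duty",
    target=lambda c: c["resource"].get("id") == "doc123", combining="deny-overrides",
    rules=[Rule("deny", "Deny", lambda c: "doc456" in c["subject"].get("history", [])),
           Rule("default-permit", "Permit")],
    obligations=[("append-attribute", "Permit",
                  lambda c: {"attribute-id": "subject:history", "value": c["resource"]["id"]})])

# Slides' STAPL policy: physicians may view patient data only of patients they treat.
EHEALTH = Policy("e-health example",
    target=lambda c: (c["action"].get("id") == "view" and c["resource"].get("type") == "patient-data"
                      and "physician" in c["subject"].get("roles", [])),
    combining="permit-overrides",
    rules=[Rule("requirement-for-permit", "Permit",
                lambda c: c["resource"].get("owner_id") in c["subject"].get("treated", [])),
           Rule("default deny", "Deny")])

def run_scenarios() -> dict:
    """Constructed requests; returns every decision so the behaviour can be checked."""
    pep, out, view = PEP(PDP(DSOD), {"append-attribute": append_attribute}), {}, {"id": "view"}
    alice = {"id": "alice", "history": []}
    out["alice_doc123"] = pep.allowed(alice, view, {"id": "doc123"})  # True; history gains doc123
    out["bob_doc123"] = pep.allowed({"id": "bob", "history": ["doc456"]}, view, {"id": "doc123"})  # False
    out["alice_history"] = alice["history"]
    pep.pdp.load(EHEALTH)                                 # new rules, no change to the guard
    doctor = {"id": "dr", "roles": ["physician"], "treated": ["p1"]}
    out["treated"] = pep.allowed(doctor, view, {"id": "rec1", "type": "patient-data", "owner_id": "p1"})
    out["untreated"] = pep.allowed(doctor, view, {"id": "rec2", "type": "patient-data", "owner_id": "p2"})
    return out
```

The check a practitioner cares about sits in `PEP.allowed`: NotApplicable is never treated as Permit, and a Permit whose obligation the enforcement point cannot discharge becomes a deny, which is how XACML specifies obligations. `run_scenarios()` returns the five decisions; the e-health rules are loaded after the guard was built, without any change to the application side.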
Decoupling from application logic is hard

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBuckets",
        "Resource": "arn:aws:s3:::example_bucket"
      }
    }

The policy grants "s3:ListBuckets", but the action the application actually invokes is named "s3:ListBucket". Policy and code share identifiers (action names, resource names, attribute ids) that nothing checks for consistency, so a policy can be syntactically valid and still never match what the application asks for.
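As an added check for the mismatch above (not the slides' code and not an AWS tool): a small linter that compares every action named in an IAM-style policy against a known action vocabulary, with IAM's wildcard and case rules. The vocabulary is a constructed subset of S3 actions; the function and constant names are assumptions of the example.

```python
"""Lint the action identifiers in an IAM-style policy against a known action vocabulary.

Added example, not code from the slides or from AWS tooling. KNOWN_S3_ACTIONS is a
constructed subset; a real check would use the service's full action catalogue."""
import fnmatch
import json
from typing import Iterable, List

# Constructed subset of S3 action names (assumption: the real catalogue is much longer).
KNOWN_S3_ACTIONS = {"s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value) -> list:
    """IAM allows either a single value or a list for Statement, Action and NotAction."""
    return value if isinstance(value, list) else [value]

def unknown_actions(policy_json: str, known: Iterable[str] = KNOWN_S3_ACTIONS) -> List[str]:
    """Return every action in the policy that matches no known action.

    Wildcards ("s3:Get*", "*") are expanded against the vocabulary and names are compared
    case-insensitively, as IAM does. A non-empty result means the policy was written against
    identifiers the application (or the service) does not actually use."""
    known_lc = [k.lower() for k in known]
    policy = json.loads(policy_json)
    unknown = []
    for stmt in _as_list(policy.get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])) + _as_list(stmt.get("NotAction", [])):
            if not any(fnmatch.fnmatchcase(k, action.lower()) for k in known_lc):
                unknown.append(action)
    return unknown

# The slides' policy: the action name is one letter off from the real s3:ListBucket.
SLIDE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:ListBuckets", "Resource": "arn:aws:s3:::example_bucket"}})
```

`unknown_actions(SLIDE_POLICY)` flags "s3:ListBuckets"; the same check run in CI against the real action catalogue catches the class of mismatch the slide illustrates before the policy is deployed.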
Open research challenges
● Improve performance & scalability of the PDP
● Interoperability across multiple applications
● Access rules for the database layer
● Conflict resolution in policies
● Management of policies
● Supporting organizational processes
Conclusions
Policy-based access control
● Enables exciting new opportunities
  ○ Allows decent access management processes
  ○ Keeps the access control system in sync with your business
● Technology-wise there are still some hurdles
● Be future-proof by modularizing authorization!
Any further questions?
Contact us at Willem.DeGroef@kuleuven.be
Interested in our events?
Subscribe here: http://bit.ly/DistrinetAccessControl