OASIS eXtensible Access Control Markup Language (XACML)
Hal Lockhart
Outline
• Overview & Theory
• XACML Charter and Objectives
• Concepts and processing
• Rules, Policies and Policy Sets
• Request and Response Contexts
• XACML Status
First a Little Theory
[Figure: authorization domain model. Entities: System Entity, Credentials Collector, Authentication Authority, Attribute Authority, Policy Decision Point, Policy Enforcement Point, Policy. Messages: Credentials, Credentials Assertion, Authentication Assertion, Attribute Assertion, Authorization Decision Assertion, Application Request.]
Types of Authorization Info - 1
Attribute Assertion
• Properties of a system entity (typically a person)
• Relatively abstract – business context
• Same attribute used in multiple resource decisions
• Examples: X.509 Attribute Certificate, SAML Attribute Statement, XrML PossessProperty
Authorization Policy
• Specifies all the conditions required for access
• Specifies the detailed resources and actions (rights)
• Can apply to multiple subjects, resources, times…
• Examples: XACML Policy, XrML License, X.509 Policy Certificate
Types of Authorization Info - 2
AuthZ Decision
• Expresses the result of a policy decision
• Specifies a particular access that is allowed
• Intended for immediate use
• Example: SAML AuthZ Decision Statement, IETF COPS
Implications of this Model
Benefits
• Improved scalability
• Separation of concerns
• Enables federation
Distinctions not absolute
• Attributes can seem like rights
• A policy may apply to one principal, resource
• Systems with a single construct tend to evolve to treating principal or resource as abstraction
XACML TC Charter
• Define a core XML schema for representing authorization and entitlement policies
• Target - any object - referenced using XML
• Fine grained control, characteristics - access requestor, protocol, classes of activities, and content introspection
• Consistent with and building upon SAML
XACML Membership
• Affinitex
• Crosslogix
• Entegrity Solutions
• Entrust
• Hitachi (Quadrasis)
• IBM
• OpenNetworks
• Overxeer, inc.
• Pervasive Security Systems
• Sterling Commerce
• Sun Microsystems
• Xtradyne
• Various individual members
XACML Objectives
• Ability to locate policies in distributed environment
• Ability to federate administration of policies about the same resource
• Base decisions on wide range of inputs
  • Multiple subjects, resource properties
• Decision expressions of unlimited complexity
• Ability to do policy-based delegation
• Usable in many different environments
  • Types of Resources, Subjects, Actions
  • Policy location and combination
General Characteristics
• Defined using XML Schema
• Strongly typed language
• Extensible in multiple dimensions
• Borrows from many other specifications
• Features requiring XPath are optional
• Obligation feature optional (IPR issue)
• Language is very “wordy”
  • Many long URLs
• Expect it to be generated by programs
• Complex enough that there is more than one way to do most things
XACML Concepts
• Policy & PolicySet – combining of applicable policies using CombiningAlgorithm
• Target – Rapidly index to find applicable Policies or Rules
• Conditions – Complex boolean expression with many operands, arithmetic & string functions
• Effect – “Permit” or “Deny”
• Obligations – Other required actions
• Request and Response Contexts – Input and Output
• Bag – unordered list which may contain duplicates
XACML Concepts
[Figure: policy structure. A PolicySet (with its own Target and Obligations) contains Policies; a Policy (with its own Target and Obligations) contains Rules; a Rule has a Target, a Condition and an Effect.]
Request and Response Context
[Figure: domain-specific inputs are mapped into xacmlContext/Request.xml; the PDP evaluates it against xacmlPolicy.xml and produces xacmlContext/Response.xml, which is mapped back to domain-specific outputs.]
Rules
• Smallest unit of administration, cannot be evaluated alone
• Elements
  • Description – documentation
  • Target – select applicable policies
  • Condition – boolean decision function
  • Effect – either “Permit” or “Deny”
• Results
  • If condition is true, return Effect value
  • If not, return NotApplicable
  • If error or missing data return Indeterminate
    • Plus status code
Target
• Designed to efficiently find the policies that apply to a request
• Makes it feasible to have very complex Conditions
• Attributes of Subjects, Resources and Actions
• Matches against value, using match function
  • Regular expression
  • RFC822 (email) name
  • X.500 name
  • User defined
• Attributes specified by Id or XPath expression
• Normally use Subject or Resource, not both
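The three match functions named on the Target slide, plus a minimal Target evaluator, as an added example (not code from the slides or the XACML TC). The regexp, rfc822Name and x500Name semantics follow the XACML function definitions; the Target layout ({category: [(attribute-id, match-function, literal)]}), the bag-of-values request, the mail domain and record paths are constructed simplifications, and the RDN split ignores escaped commas. The attribute identifiers are the spec's subject-id, resource-id and action-id URNs.

```python
import re

def string_equal(literal: str, value: str) -> bool:
    return literal == value

def regexp_string_match(pattern: str, value: str) -> bool:
    """regexp-string-match: treated as unanchored (XACML 2.0 defines it via
    XPath fn:matches), so a policy must write ^...$ when it wants a whole-value
    match; forgetting the anchors is a classic over-broad Target."""
    return re.search(pattern, value) is not None

def rfc822name_match(pattern: str, name: str) -> bool:
    """rfc822Name-match.  `pattern` is one of:
       - a full address: local part case-sensitive, domain case-insensitive;
       - a bare domain: matches addresses in exactly that domain;
       - '.domain': matches sub-domains of it, but NOT the domain itself."""
    local, sep, domain = name.partition("@")
    if not sep:
        raise ValueError(f"not an rfc822Name: {name!r}")
    if "@" in pattern:
        p_local, _, p_domain = pattern.partition("@")
        return local == p_local and domain.lower() == p_domain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()

def _rdns(dn: str) -> list:
    # Simplified RDN split (constructed): no escaped commas; types and values
    # compared case-insensitively.  A real x500Name-equal normalises more.
    return [rdn.strip().lower() for rdn in dn.split(",")]

def x500name_match(pattern: str, name: str) -> bool:
    """x500Name-match: true when the pattern DN is a terminal sequence of RDNs
    of the name, i.e. the name lies in the subtree rooted at the pattern."""
    p, n = _rdns(pattern), _rdns(name)
    return len(p) <= len(n) and n[-len(p):] == p

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed Target: subjects in one mail domain may read record resources.
RECORDS_TARGET = {
    "subject": [(SUBJECT_ID, rfc822name_match, "med.example.com")],
    "resource": [(RESOURCE_ID, regexp_string_match, r"^/records/[0-9]+$")],
    "action": [(ACTION_ID, string_equal, "read")],
}

def target_matches(target: dict, request: dict) -> bool:
    """A match is satisfied if ANY value in the designated bag matches the
    literal; the Target applies only when ALL its matches are satisfied.
    An absent attribute yields an empty bag, so its match fails."""
    for category, matches in target.items():
        bags = request.get(category, {})
        for attr_id, match_fn, literal in matches:
            if not any(match_fn(literal, v) for v in bags.get(attr_id, [])):
                return False
    return True

def make_request(subject: str, resource: str, action: str) -> dict:
    # Request context reduced to {category: {attribute-id: bag}}.
    return {"subject": {SUBJECT_ID: [subject]},
            "resource": {RESOURCE_ID: [resource]},
            "action": {ACTION_ID: [action]}}
```

The literal is always the first argument and the request value the second, which is the order XACML gives match functions; the dotted-domain and anchored-regexp cases are the ones worth checking when reviewing a Target, since both are easy to get one step too broad.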
Condition
• Boolean function to decide if Effect applies
• Inputs come from Request Context
• Values can be primitive, complex or bags
• Can be specified by id or XPath expression
• Fourteen primitive types
• Rich array of typed functions defined
• Functions for dealing with bags
• Order of evaluation unspecified
• Allowed to quit when result is known
• Side effects not permitted
Datatypes
• From XML Schema
  • String, boolean
  • Integer, double
  • Time, date
  • dateTime
  • anyURI
  • hexBinary
  • base64Binary
• From XQuery
  • dayTimeDuration
  • yearMonthDuration
• Unique to XACML
  • rfc822Name
  • x500Name
Functions
• Equality predicates
• Arithmetic functions
• String conversion functions
• Numeric type conversion functions
• Logical functions
• Arithmetic comparison functions
• Date and time arithmetic functions
• Non-numeric comparison functions
• Bag functions
• Set functions
• Higher-order bag functions
• Special match functions
• XPath-based functions
• Extension functions and primitive types
Policies and Policy Sets
• Policy
  • Smallest element PDP can evaluate
  • Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm
• Policy Set
  • Allows Policies and Policy Sets to be combined
  • Use not required
  • Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm
• Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable
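The Rule results from the Rules slide (Effect, NotApplicable, Indeterminate) and the four combining algorithms listed here, as one added example (not the TC's code). The Rule, Policy and policy-set objects are simplified Python models; the deny-overrides, permit-overrides, first-applicable and only-one-applicable logic follows the pseudocode in the XACML specification appendix; the medical-records policy, the short attribute names (a real context carries URNs) and the sample requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from functools import partial
from typing import Callable, Dict, List, Optional

class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

# Request context reduced to {category: {attribute-id: bag}} (constructed ids).
Request = Dict[str, Dict[str, list]]
Predicate = Callable[[Request], bool]

@dataclass
class Rule:
    rule_id: str
    effect: Decision                        # PERMIT or DENY
    target: Predicate                       # does the rule apply to this request?
    condition: Optional[Predicate] = None   # boolean decision function

    def evaluate(self, req: Request) -> Decision:
        try:
            if not self.target(req):
                return Decision.NOT_APPLICABLE
            if self.condition is None or self.condition(req):
                return self.effect                  # condition true: Effect value
            return Decision.NOT_APPLICABLE          # condition false
        except (KeyError, IndexError, TypeError, ValueError):
            return Decision.INDETERMINATE           # error or missing data

def _overrides(rules, req, winner, other, on_potential_winner) -> Decision:
    """Shared body of deny-/permit-overrides (spec appendix pseudocode).
    `winner` wins outright.  An Indeterminate from a rule whose Effect is
    `winner` is only a *potential* winner: deny-overrides resolves that to
    Deny, permit-overrides to Indeterminate, so an error never grants access."""
    potential_winner = saw_other = saw_error = False
    for rule in rules:
        d = rule.evaluate(req)
        if d == winner:
            return winner
        if d == other:
            saw_other = True
        elif d == Decision.INDETERMINATE:
            saw_error = True
            potential_winner = potential_winner or rule.effect == winner
    if potential_winner:
        return on_potential_winner
    if saw_other:
        return other
    return Decision.INDETERMINATE if saw_error else Decision.NOT_APPLICABLE

deny_overrides = partial(_overrides, winner=Decision.DENY, other=Decision.PERMIT,
                         on_potential_winner=Decision.DENY)
permit_overrides = partial(_overrides, winner=Decision.PERMIT, other=Decision.DENY,
                           on_potential_winner=Decision.INDETERMINATE)

def first_applicable(rules, req) -> Decision:
    for rule in rules:
        d = rule.evaluate(req)
        if d != Decision.NOT_APPLICABLE:
            return d                 # first Permit, Deny or Indeterminate wins
    return Decision.NOT_APPLICABLE

@dataclass
class Policy:
    policy_id: str
    target: Predicate
    rules: List[Rule]
    combine: Callable[[List[Rule], Request], Decision]

def only_one_applicable(policies: List[Policy], req: Request) -> Decision:
    """Policy-combining: exactly one Policy Target may match; two or more is an
    authoring error and is reported as Indeterminate rather than guessed."""
    applicable = [p for p in policies if p.target(req)]
    if len(applicable) > 1:
        return Decision.INDETERMINATE
    return applicable[0].combine(applicable[0].rules, req) if applicable else Decision.NOT_APPLICABLE

# Constructed sample: patients read their own record, physicians read any, a
# catch-all rule denies everything else (which only works with first-applicable).
ALWAYS: Predicate = lambda r: True
READ: Predicate = lambda r: "read" in r["action"]["action-id"]
RULES = [
    Rule("read-own-record", Decision.PERMIT, READ,
         lambda r: r["subject"]["subject-id"][0] == r["resource"]["patient-id"][0]),
    Rule("physician-read", Decision.PERMIT, READ,
         lambda r: "physician" in r["subject"]["role"]),    # KeyError -> Indeterminate without a role
    Rule("deny-everything-else", Decision.DENY, ALWAYS),
]
RECORDS_POLICY = Policy("medical-records", lambda r: "medical-record" in r["resource"]["resource-type"],
                        RULES, first_applicable)
BILLING_POLICY = Policy("billing", lambda r: "invoice" in r["resource"]["resource-type"],
                        [Rule("billing-closed", Decision.DENY, ALWAYS)], first_applicable)

def make_request(subject_id, action, patient_id, resource_types, roles=None) -> Request:
    subject = {"subject-id": [subject_id], **({"role": list(roles)} if roles else {})}
    return {"subject": subject, "action": {"action-id": [action]},
            "resource": {"patient-id": [patient_id], "resource-type": list(resource_types)}}

def decide(req: Request) -> Decision:
    return only_one_applicable([RECORDS_POLICY, BILLING_POLICY], req)
```

Running the same three rules under each algorithm shows why the choice matters: with deny-overrides the catch-all Deny always wins, so the policy never permits anything; with permit-overrides a missing role attribute turns a would-be Permit into Indeterminate rather than Permit; and first-applicable returns whatever the first non-NotApplicable rule says, including an Indeterminate that masks the later Deny.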
Request and Response Context
• Request Context
  • Attributes of:
    • Subjects – requester, intermediary, recipient, etc.
    • Resource – name, can be hierarchical
    • Resource Content – specific to resource type, e.g. XML document
    • Action – e.g. Read
    • Environment – other, e.g. time of request
• Response Context
  • Resource ID
  • Decision
  • Status (error values)
  • Obligations
XACML Status
• First Meeting – 21 May 2001
• Weekly or bi-weekly calls – 7 F2F Meetings
• Requirements from: Healthcare, DRM, Registry, Financial, Online Web, XML Docs, Fed Gov, Workflow, Java, Policy Analysis, WebDAV
• Deliverables: Glossary, Usecases & Requirements, Domain Model, 2 Schemas, Policy Semantics, Conformance Tests, Profiles, Security & Privacy Considerations, Extensibility Points
• Committee Specification – 7 November 2002
• Public Comment Period 8 November – 8 December
• Submit to OASIS – Possibly December 12