Data Entitlements with the WSO2 Enterprise Middleware Platform Manoj Fernando Director - Solutions Architecture

Data Entitlement with WSO2 Enterprise Middleware Platform

Jan 15, 2015

Transcript
Page 1: Data Entitlement with WSO2 Enterprise Middleware Platform

Data Entitlements with the WSO2 Enterprise Middleware Platform

Manoj Fernando Director - Solutions Architecture

Page 2: Data Entitlement with WSO2 Enterprise Middleware Platform

About WSO2

• Providing the only complete open source componentized cloud platform

– Dedicated to removing all the stumbling blocks to enterprise agility

– Enabling you to focus on business logic and business value

• Recognized by leading analyst firms as visionaries and leaders

– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure

– Forrester places WSO2 in top 2 for API Management

• Global corporation with offices in USA, UK & Sri Lanka

– 200+ employees and growing

• Business model of selling comprehensive support & maintenance for our products

Page 3: Data Entitlement with WSO2 Enterprise Middleware Platform

150+ globally positioned support customers

Page 4: Data Entitlement with WSO2 Enterprise Middleware Platform

Agenda

• A Classic Use Case

• Need for Data Entitlements

• Data Entitlements - A Traditional Approach

• Challenges and benefits

• Features provided by WSO2 Identity Server

• XACML – Policy Based Access Control

• Using WSO2 Middleware Platform to implement our sample use case

• Mediator Flow

• Summary

• Q&A

Page 5: Data Entitlement with WSO2 Enterprise Middleware Platform

A Classic Use Case

Diagram: a Sales Database (DB) accessed through Application X and Application Y. Sales Managers get access to ALL sales data; Sales Team A and Sales Team B get access to only the sales data belonging to their specific sales group. Caption: Who should provide entitlements?

Page 6: Data Entitlement with WSO2 Enterprise Middleware Platform

Need for Data Entitlements

• A responsibility shared between business logic and data layers?

• Use cases often talk about permissions, so who should handle it?

“User with permission X has to be able to read and modify asset Y”.

• But many would agree with the idea of globally manageable application permissions.

• Permissions are not just based on user roles (anymore).

• Growing demand for a unified entitlements framework for all types of applications.

Page 7: Data Entitlement with WSO2 Enterprise Middleware Platform

Primary Purpose

Is to provide total transparency to multiple applications when accessing shared assets, so that enterprise-wide data access policies take effect at the point where data is queried or manipulated by users.

Page 8: Data Entitlement with WSO2 Enterprise Middleware Platform

Data Access Layer – a place for data entitlements?

• Primary purpose is to provide loose coupling between data and application logic.

• A natural choice to place data entitlements logic.

• Data Access components are language specific, so they fall short of meeting enterprise entitlement expectations in a heterogeneous environment.

• No standard as such governs enterprise-wide entitlements policies when using a DAL.

Diagram: Business Application A and Business Application B reach Enterprise Data and Permissions Data through a shared Data Access Layer.

Page 9: Data Entitlement with WSO2 Enterprise Middleware Platform

Data Entitlements – A Traditional Approach

Diagram: a Presentation / Business Application with its Data Access Layer on one side and a Data Entitlements System backed by an Entitlements Repo on the other. Labelled arrows, steps (1) to (6): Request for permitted access; Response with Filter Meta-data; Authorized Items Query; Request for data; Filtered Data; Data exchange.

Page 10: Data Entitlement with WSO2 Enterprise Middleware Platform

Challenges in putting up an Enterprise Data Entitlements System

• Often viewed as an unnecessary task, especially when system designers tend to think around ‘siloed’ applications.

• Usually requires a significant amount of ‘re-wiring’ to the permissions handling logic of existing applications.

• Must be driven by standards!

• Some believe that using an external entitlements system is counterproductive in maintaining ‘lightweight-ness’ of the applications.

• No SOA, No use of data entitlements?

Page 11: Data Entitlement with WSO2 Enterprise Middleware Platform

Benefits

• Usually the benefits are more long term than short term.

• Helps organizations adapt more easily to changing business needs and data security requirements.

• Centralized management of platform level policies.

• Ideal for heterogeneous systems – Unified access model to entitlements data.

• Service mindset – everything is a service, including entitlements.

Page 12: Data Entitlement with WSO2 Enterprise Middleware Platform

Is SOA/Middleware the foundation for Data Entitlements?

• Seldom will you see an enterprise using applications developed on a single technology.

• SOA brings the real power of data entitlements into the platform by providing a standards-driven, loosely coupled architecture.

• Works well with other cross-cutting requirements such as enterprise logging, transport and message level security, etc.

• A key enabler for cross-application integration scenarios.

Page 13: Data Entitlement with WSO2 Enterprise Middleware Platform

A Conceptual SOA driven Data Entitlements

Diagram: Application A and Application B (serving User Group A, User Group B and User Group X) send a Request to an Entitlements Service, which runs an Entitlements Query based on a user attribute (i.e. role) against the Entitlements Store. A Filter Builder then issues a Request for Filtered Data to the Data Service / Data Access Service, and the Response flows back to the application.

Page 14: Data Entitlement with WSO2 Enterprise Middleware Platform

Building an entitlements system with WSO2 Identity Server - Features

• Provides a fully fledged Policy Based Access Control (PBAC) platform.

• Fine-grained policy based access control via XACML

• Advanced entitlement auditing and management

• Entitlement management for any REST or SOAP calls

• Role based access control (RBAC)

Page 15: Data Entitlement with WSO2 Enterprise Middleware Platform

XACML – Terminology

XACML stands for eXtensible Access Control Markup Language.

Policy Enforcement Point (PEP)

• Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision.

Policy Decision Point (PDP)

• Point which evaluates access requests against authorization policies before issuing access decisions

Page 16: Data Entitlement with WSO2 Enterprise Middleware Platform

XACML - Terminology (Cont…)

Policy Administration Point (PAP)

• Point which manages access authorization policies

Policy Information Point (PIP)

• The system entity that acts as a source of attribute values (e.g. resource, subject or environment attributes)

Policy Retrieval Point (PRP)

• Point where the XACML access authorization policies are stored, typically a database or the file system.

Page 17: Data Entitlement with WSO2 Enterprise Middleware Platform

XACML - Policy Based Access Control (PBAC)

• Fine-grained access control policies based on subject, resource, environment and action attributes

• Portable and reusable policies enforceable across multiple platforms

• All aspects of access request are identified by attributes

• Optional Rules Engine Integration

Diagram: the Requester sends a request to the PEP (Policy Enforcement Point), which sits in front of the Data service. The PEP sends an XACML Request to the PDP (Policy Decision Point) and receives an XACML Response. The PDP consults the PIP (Policy Information Point, backed by the Attribute Store) and the XACML Policy held in the Policy Store (Policy Retrieval Point, PRP), which the PAP (Policy Administration Point) manages.

Page 18: Data Entitlement with WSO2 Enterprise Middleware Platform

XACML 2.0/3.0 Support on WSO2 Identity Server

• Policy decision processing and attribute caching

• Policy distribution to various Policy Decision Points (PDPs)

• Multiple Policy Information Point (PIP) support

• Friendly UI for Policy editing (PAP)

• High performance network protocol (over Thrift) for PEP/PDP interaction

• Policy Administration Point (PAP) to manage multiple Policy Decision Points (PDP)

Page 19: Data Entitlement with WSO2 Enterprise Middleware Platform

Back to our sample scenario…

How to leverage the WSO2 middleware platform for this?

Diagram: a Sales Store (DB) accessed through Application X and Application Y. Sales Managers get access to ALL sales data; Sales Team A and Sales Team B get access to only the sales data belonging to their specific sales group.

Page 20: Data Entitlement with WSO2 Enterprise Middleware Platform

… and our requirement

• Should provide a unified service interface for querying sales info

• Caller applications need not worry about entitlements (they just query for sales info).

• The policy enforcer needs to acquire entitlements for a common user attribute (e.g. username)

• The policy decision maker should return the list of entitlements (or claims) back to the enforcer.

• The enforcer should build the data filtering logic based on the claims and append that to the service call.

• The filtered data set is returned back to caller.

Page 21: Data Entitlement with WSO2 Enterprise Middleware Platform

Putting it all together

Diagram (steps (1) to (7)): App A, App B and App X call getSalesInfo on the ESB, sending the Request + wsse:UsernameToken. The Entitlements Mediator in the ESB acts as the PEP: it sends an XACML request to the IS, where the PDP evaluates the XACML Policy managed by the PAP and the PIP resolves attributes from the DB Enterprise User Store, and receives an XACML response with Advices. The mediator builds a dynamic query using the advices (claims) and calls the DSS (getSalesInfo + entitlements based filtering), which runs the Dynamic Query against the Sales Datastore DB. The Filtered Response is returned to the caller, or a fault if access is not permitted.

Page 22: Data Entitlement with WSO2 Enterprise Middleware Platform

ESB Mediation Flow

Flow: Authenticate User → Call Entitlements Mediator → Permit? → Yes: Extract Claims → Build Dynamic Query → Call Data Service → Send Response. No: Return Fault.

Page 23: Data Entitlement with WSO2 Enterprise Middleware Platform

XACML Policy – Making claims be passed with Response

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="CustomerServiceSales"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule1">
    …
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="customerService" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="employee.role">
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                             Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                             DataType="http://www.w3.org/2001/XMLSchema#string"
                             MustBePresent="true"></AttributeDesignator>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>

In this example we are enforcing that the employee role (a PIP entry) is embedded in the XACML response whenever the decision is Permit.

XACML Policy ruleset goes here (omitted)

Page 24: Data Entitlement with WSO2 Enterprise Middleware Platform

Claims to Data Service Filter

• Claims received by the Entitlements Mediator exist in the MessageContext object.

• A Class Mediator can be used to extract these claims from the MessageContext and construct the filter logic.

• The ESB Sequence can thereby append the filter logic into a placeholder for filtering (e.g. if you use WSO2 DSS, you can declare this placeholder as a QUERY_STRING type parameter, and add validation logic so that the claim-derived fragment cannot be used for SQL injection).
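A Class Mediator covering the previous slide's advice and the three points above, written as an added example for this page (not the deck's or WSO2's own code): it pulls the employee.role advice that the policy attaches to a Permit response out of the XACML response XML, maps it through a fixed allow-list of filter fragments, and sets the result as a property for the DSS QUERY_STRING placeholder, failing closed for any claim it does not recognise. The property names XACML_RESPONSE, SALES_FILTER and ENTITLEMENT_FILTER_ERROR, the role values and the filter fragments are assumptions.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.mediators.AbstractMediator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SalesFilterMediator extends AbstractMediator {
    private static final String XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17";
    // Constructed allow-list: claim value -> fixed SQL fragment. Only these fragments reach DSS.
    private static final Map<String, String> ROLE_FILTERS = Map.of(
            "sales_manager", "1=1",               // managers see ALL sales data
            "sales_team_a", "sales_group = 'A'",  // team members see only their own group
            "sales_team_b", "sales_group = 'B'");

    public boolean mediate(MessageContext ctx) {
        // Assumed: an earlier step stored the raw XACML <Response> XML under this property.
        Object xacml = ctx.getProperty("XACML_RESPONSE");
        String role = xacml == null ? null : extractRoleAdvice(xacml.toString());
        // Look the claim up in the allow-list; never interpolate the claim text into SQL.
        String filter = role == null ? null : ROLE_FILTERS.get(role.toLowerCase());
        if (filter == null) {
            // Unknown or missing claim: fail closed (stop the sequence) rather than query unfiltered.
            ctx.setProperty("ENTITLEMENT_FILTER_ERROR", "no filter mapped for role " + role);
            return false;
        }
        ctx.setProperty("SALES_FILTER", filter); // bound to the DSS QUERY_STRING placeholder
        return true;
    }

    // Pull the employee.role AttributeAssignment out of the Advice in a XACML 3.0 response.
    static String extractRoleAdvice(String xacmlResponse) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
            Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xacmlResponse)));
            NodeList nodes = doc.getElementsByTagNameNS(XACML_NS, "AttributeAssignment");
            for (int i = 0; i < nodes.getLength(); i++) {
                Element a = (Element) nodes.item(i);
                if ("employee.role".equals(a.getAttribute("AttributeId"))) return a.getTextContent().trim();
            }
        } catch (Exception e) { /* malformed or non-XML response is treated as no claim */ }
        return null;
    }
}
```

Because the claim text itself never reaches the query, a tampered or unexpected role value produces a stopped sequence, not a different WHERE clause.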

Page 25: Data Entitlement with WSO2 Enterprise Middleware Platform

Summary

• Middleware plays a pivotal role in establishing an enterprise grade data entitlements system.

• WSO2 Identity Server provides all necessary features to implement a fully fledged data entitlements system supported by WSO2 ESB for mediating the service calls, and WSO2 DSS for exposing your data as services.

Page 27: Data Entitlement with WSO2 Enterprise Middleware Platform

Q&A

Page 28: Data Entitlement with WSO2 Enterprise Middleware Platform

Engage with WSO2

• Helping you get the most out of your deployments

• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success

Page 29: Data Entitlement with WSO2 Enterprise Middleware Platform

lean . enterprise . middleware