XACML Briefing for PMRM TC Hal Lockhart July 8, 2014

Dec 24, 2015

Transcript
Page 1: XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.

XACML Briefing for PMRM TC

Hal Lockhart, July 8, 2014

Page 2: What is XACML?

XML language for access control
Coarse- or fine-grained
Extremely powerful evaluation logic
Ability to use any available information
Superset of permissions, ACLs, RBAC, etc.
Scales from PDA to Internet
Federated policy administration
OASIS and ITU-T standard

Page 3: The OASIS XACML Standard specifies:

An Architecture
  Aka: Attribute-based Access Control (ABAC)
A Policy Language
  Format and evaluation semantics
Request Formats
  XML/SOAP
  JSON/REST
  Programmatic (OpenAz Project)

Page 4: XACML Architecture

(Diagram.) Components shown: Client; PEP (Enforcement); PDP (Decision), drawn several times; Application; Administration; Policy Repository; Authorities / Attribute Repositories; Resources. The client's request reaches the PEP, which asks a PDP for a decision; the PDP evaluates policies from the Policy Repository (managed through Administration) using attributes from the Authorities / Attribute Repositories, and the PEP enforces the result on the Resources.

Page 5: Powerful Policy Expression

“Anyone can use web servers with the ‘spare’ property between 12:00 AM and 4:00 AM”

“Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve”

“Anyone can view their own 401K information, but nobody else’s”

“The print formatting service can access printers and temporary storage on behalf of any user with the print attribute”

“The primary physician can have any of her patients’ medical records sent to a specialist in the same practice.”

Page 6: Key XACML Features

Federated policy administration
  Multiple policies applicable to the same situation
  Combining rules to resolve conflicts
Decision may include Obligations and Advice
  More than just Permit or Deny
  An obligation can specify a present or future action
  Examples: log the request, require human approval, delete data after 30 days
Protect any resource
  Web server, Java or C++ object, room in a building, network access, web service, geographic data, health records, etc.

Page 7: XACML Benefits

Standard policy language
  Investment protection
  Skills reuse
  Leverage XML tools
Policy not in application code
  Reduce cost of changes
  Consistent application
  Enable audit

Page 8: Policy Evaluation in Brief - 1

Attribute-based access control (ABAC)
Attributes associated with Subject(s), Action, Resource or Environment
Attributes may represent static (group) or dynamic (number of accesses) properties
PDP is stateless

Page 9: Policy Evaluation in Brief - 2

Policies contain Boolean expressions
If false, the policy is not applicable
If true, the Effect (Permit or Deny) is returned

Page 10: Policy Evaluation in Brief - 3

Combining algorithms resolve conflicting policy results
  Typical: Deny Overrides
Obligations associated with the final Effect are also returned
Policies are tree-structured to simplify management

Page 11: XACML Concepts

(Diagram.) PolicySet: Target, Policies, Obligations. Policy: Target, Rules, Obligations. Rule: Target, Condition, Effect.

Page 12: XACML Policy Tree

(Diagram.) A Policy Set at the root contains Policies and further Policy Sets; each Policy contains Rules, which form the leaves of the tree.
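The evaluation model of Pages 8 to 12 (attributes by category, Boolean targets and conditions, Permit/Deny effects, combining algorithms, obligations that follow the final effect, a stateless PDP) is compact enough to show end to end. The following is an added example written for this transcript; it is not code from the briefing or from OASIS, and the category names, attribute ids and the three policies (modelled on sentences from Page 5) are invented for illustration.

```python
# Added example, not code from the briefing or from OASIS: a toy PDP that
# evaluates a tree of PolicySets/Policies/Rules over request attributes. The
# categories, attribute ids and policies are invented to mirror Page 5.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"
SUBJECT, ACTION, RESOURCE, ENV = "access-subject", "action", "resource", "environment"
Request = Dict[str, Dict[str, object]]   # category -> attribute id -> value
Predicate = Callable[[Request], bool]
Obligation = Tuple[str, str]             # (effect it applies to, obligation id)
Result = Tuple[str, List[str]]           # (decision, obligation ids for the PEP)


def attr(req: Request, category: str, attr_id: str):
    """Read one request attribute; None when the PEP did not supply it."""
    return req.get(category, {}).get(attr_id)


@dataclass
class Rule:
    effect: str                             # Permit or Deny
    target: Predicate                       # cheap applicability test
    condition: Optional[Predicate] = None   # arbitrary Boolean expression
    obligations: List[Obligation] = field(default_factory=list)

    def evaluate(self, req: Request) -> Result:
        try:
            if not self.target(req) or (self.condition and not self.condition(req)):
                return NOT_APPLICABLE, []
        except (TypeError, KeyError):       # a needed attribute is missing
            return INDETERMINATE, []
        return self.effect, [oid for on, oid in self.obligations if on == self.effect]


def deny_overrides(results: List[Result]) -> Result:
    """Simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable;
    obligations survive only from children agreeing with the final decision."""
    decisions = [d for d, _ in results]
    for final in (DENY, INDETERMINATE, PERMIT):
        if final in decisions:
            return final, [o for d, obs in results if d == final for o in obs]
    return NOT_APPLICABLE, []


def first_applicable(results: List[Result]) -> Result:
    """First child that is not NotApplicable decides, so child order matters."""
    return next(((d, o) for d, o in results if d != NOT_APPLICABLE), (NOT_APPLICABLE, []))


@dataclass
class Policy:
    """A Policy holds Rules; a PolicySet holds Policies. Same evaluation shape."""
    target: Predicate
    children: list
    combine: Callable[[List[Result]], Result] = deny_overrides

    def evaluate(self, req: Request) -> Result:
        if not self.target(req):
            return NOT_APPLICABLE, []
        return self.combine([c.evaluate(req) for c in self.children])


# Constructed policies mirroring three sentences from Page 5.
spare_web_servers = Policy(
    target=lambda r: attr(r, RESOURCE, "type") == "web-server",
    children=[Rule(PERMIT,
                   target=lambda r: "spare" in attr(r, RESOURCE, "properties"),
                   condition=lambda r: 0 <= attr(r, ENV, "current-hour") < 4)])

create_orders = Policy(
    target=lambda r: attr(r, RESOURCE, "type") == "order"
    and attr(r, ACTION, "action-id") == "create",
    children=[
        Rule(PERMIT, target=lambda r: attr(r, SUBJECT, "role") == "salesperson",
             condition=lambda r: attr(r, RESOURCE, "total-cost") <= 1_000_000),
        Rule(PERMIT, target=lambda r: attr(r, SUBJECT, "role") == "salesperson",
             condition=lambda r: attr(r, RESOURCE, "total-cost") > 1_000_000,
             obligations=[(PERMIT, "require-supervisor-approval")])])

own_401k_only = Policy(
    target=lambda r: attr(r, RESOURCE, "type") == "401k-record"
    and attr(r, ACTION, "action-id") == "view",
    combine=first_applicable,     # own-record rule must precede the catch-all Deny
    children=[
        Rule(PERMIT, target=lambda r: True,
             condition=lambda r: attr(r, SUBJECT, "subject-id") == attr(r, RESOURCE, "owner")),
        Rule(DENY, target=lambda r: True, obligations=[(DENY, "log-denied-attempt")])])

ROOT = Policy(target=lambda r: True,   # the PolicySet at the top of the tree
              children=[spare_web_servers, create_orders, own_401k_only])


def request(subject: dict, action: str, resource: dict, hour: int) -> Request:
    return {SUBJECT: subject, ACTION: {"action-id": action},
            RESOURCE: resource, ENV: {"current-hour": hour}}


def decide(req: Request) -> Result:
    """PDP entry point: stateless, every input arrives in req or the policy tree."""
    return ROOT.evaluate(req)
```

Two points the slides state but that only show up when you run something like this: the combining algorithm is part of the policy's meaning, not a detail (swap `first_applicable` for `deny_overrides` in `own_401k_only` and the catch-all Deny rule wins even for the record's owner), and a PDP can answer with more than Permit or Deny. A web-server request with no `properties` attribute evaluates to Indeterminate, and an off-hours request to NotApplicable; a PEP has to treat both as "not permitted", not as the absence of a Deny.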

Page 13: Decision Request Interfaces

Abstract interface defined in XML
  Profiled as a real protocol over SOAP
  Programmatic interfaces permitted, but unspecified
JavaScript Object Notation (JSON) format
  Functionally equivalent to the XML/SOAP format
  xacml+json MIME type approved by IANA
REST-based communications
  Can carry JSON- or XML-format requests
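What a JSON/REST exchange looks like from the PEP's side, as an added example for this transcript (it is not code from the briefing, from OASIS or from any PDP product). The request shape follows the XACML JSON profile (one object per category, each holding an Attribute array of AttributeId/Value pairs) and the three attribute-id URNs are the standard XACML ones; the PDP URL, the resource names, the obligation ids and the canned PDP replies in the fake transport are constructed so that the example runs offline.

```python
# Added example (not from the briefing or any OASIS artifact): a PEP that
# builds an XACML JSON-profile request, posts it to a REST PDP and enforces
# the answer. The URL, resource ids, obligation ids and canned replies below
# are constructed for illustration.
import json
import urllib.request
from typing import Callable, Dict, List, Optional

XACML_JSON = "application/xacml+json"   # the media type registered with IANA
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Transport = Callable[[bytes], bytes]    # request body -> response body


def build_request(subject: str, action: str, resource: str,
                  environment: Optional[List[dict]] = None) -> dict:
    """One object per category, each with an Attribute array of
    {AttributeId, Value}; the JSON profile infers DataType from the JSON type."""
    req = {
        "AccessSubject": {"Attribute": [{"AttributeId": SUBJECT_ID, "Value": subject}]},
        "Action": {"Attribute": [{"AttributeId": ACTION_ID, "Value": action}]},
        "Resource": {"Attribute": [{"AttributeId": RESOURCE_ID, "Value": resource}]},
    }
    if environment:
        req["Environment"] = {"Attribute": environment}
    return {"Request": req}


def http_transport(pdp_url: str) -> Transport:
    """POST to a REST PDP (URL assumed) announcing the xacml+json media type."""
    def send(body: bytes) -> bytes:
        r = urllib.request.Request(pdp_url, data=body, method="POST",
                                   headers={"Content-Type": XACML_JSON, "Accept": XACML_JSON})
        with urllib.request.urlopen(r, timeout=5) as resp:
            return resp.read()
    return send


def enforce(request: dict, transport: Transport,
            handlers: Dict[str, Callable[[dict], bool]]) -> bool:
    """Deny-biased PEP: grant only on an explicit Permit whose obligations the
    PEP understands and can discharge. NotApplicable, Indeterminate, transport
    failures and malformed replies all come out as 'not permitted'."""
    try:
        response = json.loads(transport(json.dumps(request).encode()))
        results = response["Response"]
    except (ValueError, KeyError, TypeError, OSError):
        return False
    if len(results) != 1:                 # single decision; no multiple-decision profile
        return False
    result = results[0]
    obligations = result.get("Obligations", [])
    if result.get("Decision") != "Permit":
        for ob in obligations:            # e.g. a log-on-deny obligation still runs
            handlers.get(ob.get("Id"), lambda _ob: False)(ob)
        return False
    return all(ob.get("Id") in handlers and handlers[ob["Id"]](ob) for ob in obligations)


# Constructed stand-in for a PDP, keyed on resource-id, so the example runs offline.
CANNED = {
    "doc-1": {"Decision": "Permit"},
    "doc-2": {"Decision": "Permit",
              "Obligations": [{"Id": "urn:example:obligation:log",
                               "AttributeAssignment": [{"AttributeId": "urn:example:reason",
                                                        "Value": "audit"}]}]},
    "doc-3": {"Decision": "Permit",
              "Obligations": [{"Id": "urn:example:obligation:watermark"}]},
    "doc-4": {"Decision": "NotApplicable"},
}


def fake_transport(body: bytes) -> bytes:
    rid = json.loads(body)["Request"]["Resource"]["Attribute"][0]["Value"]
    return json.dumps({"Response": [CANNED.get(rid, {"Decision": "Indeterminate"})]}).encode()


AUDIT_LOG: List[str] = []


def log_obligation(ob: dict) -> bool:
    AUDIT_LOG.append(ob["AttributeAssignment"][0]["Value"])
    return True


HANDLERS = {"urn:example:obligation:log": log_obligation}
```

Run against `fake_transport`, doc-1 and doc-2 are granted (doc-2 after the log obligation fires), doc-3 is refused even though the PDP said Permit because the PEP has no handler for the watermark obligation, and doc-4 and any unknown resource are refused on NotApplicable and Indeterminate respectively. To talk to a real PDP, pass `http_transport("https://pdp.example/authorize")` (hypothetical URL) instead.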

Page 14: Prior XACML Privacy Work

Privacy Profile
  Defines 2 attributes, “Purpose”, with Category = Action or Resource
  Rule to match purposes
XSPA XACML Profile
  OASIS Standard in 2009
  Based on prior work at HL7
  Defines 53 attributes (14 normative)
  Several public interops
  New profile in progress

Page 15: Referencing XACML in Other Standards

Attributes
  Which ones may be needed
  Category (Subject, Resource, etc.)
  Precise semantics (data type, legal values)
Policy
  Agreed-upon policies: normative
  Example policies: illustrate potential use of attributes

Page 16: Useful Links

XACML core specification: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc

Privacy Profile: http://docs.oasis-open.org/xacml/3.0/privacy/v1.0/xacml-3.0-privacy-v1.0.doc

XSPA Standard: http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.doc

Interop Policies:
https://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip
https://www.oasis-open.org/committees/download.php/32225/HIMSS-OASIS-Interop-documents.zip

Page 17: Discussion