XACML
Gyanasekaran Radhakrishnan, Raviteja Kadiyam

What is XACML?
• XACML is a general-purpose access control policy language.
• It provides a syntax (defined in XML) for managing access to resources.
• XACML is an OASIS standard.
• The policy language is used to describe general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc.
• The request/response language lets you form a query to ask whether or not a given action should be allowed, and interpret the result.
• The response always includes an answer about whether the request should be allowed, using one of four values: Permit, Deny, Indeterminate or NotApplicable.

XACML – General Usage Scenario
• A subject (e.g. human user, workstation) wants to take some action on a particular resource.
• The subject submits its query to the entity protecting the resource (e.g. file system, web server). This entity is called a Policy Enforcement Point (PEP).

Request and Response Context
• Request Context – attributes of:
  • Subjects – requester, intermediary, recipient, etc.
  • Resource – name, can be hierarchical
  • Resource Content – specific to resource type, e.g. XML document
  • Action – e.g. Read
  • Environment – other, e.g. time of request
• Response Context:
  • Resource ID
  • Decision
  • Status (error values)
  • Obligations

Policies and Policy Sets
• Policy
  • Smallest element the PDP can evaluate
  • Contains: Description, Defaults, Target, Rules, Obligations, Rule Combining Algorithm
• Policy Set
  • Allows Policies and Policy Sets to be combined
  • Use not required
  • Contains: Description, Defaults, Target, Policies, Policy Sets, Policy References, Policy Set References, Obligations, Policy Combining Algorithm
• Combining Algorithms: Deny-overrides, Permit-overrides, First-applicable, Only-one-applicable

Rules
• Smallest unit of administration, cannot be evaluated alone
• Elements
  • Description – documentation
  • Target – select applicable policies
  • Condition – boolean decision function
  • Effect – either "Permit" or "Deny"
• Results
  • If the condition is true, return the Effect value
  • If not, return NotApplicable
  • If error or missing data, return Indeterminate
  • Plus status code *

Targets
• Designed to efficiently find the elements (policies, rules) that apply to a request
• Makes it feasible to have very complex Conditions
• Attributes of Subjects, Resources and Actions
• Matches against a value, using a match function:
  • Regular expression
  • RFC822 (email) name
  • X.500 name
  • User defined
• Attributes specified by Id or XPath expression

Advantages:
• ONE STANDARD access control policy language for ALL organizations.
• Administrators save time and money because they don't need to rewrite their policies in many different languages.
• Developers save time and money because they don't have to invent new policy languages and write code to support them. They can reuse existing code.

Disadvantages:
• XACML does not explicitly require the specification of purpose or intent, which is often associated with a privacy policy.
• XACML is complex in some ways and verbose. Interactions involving PAP, PIP, etc., are not standardized.
• Policy administration, policy versioning, etc., are not standardized.
• No feature of temporary authorization.

* - diagram borrowed from: courses.cs.vt.edu/~cs5204/fall08.../Oct21-AuthorizationXACML.ppt.

Thank You.
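The Rules and Policies slides above give the decision rules (Target selects applicable rules; Condition true returns the Effect, false returns NotApplicable, error or missing data returns Indeterminate) and list the four combining algorithms without showing how they interact. The following toy Policy Decision Point is an added example, not code from the slides or from any OASIS implementation. It replaces the XML policy syntax with Python dicts and predicates, the hospital scenario and its attribute names (role, patient-id, hour) are constructed, and the Deny/Indeterminate/Permit precedence used by the two "overrides" algorithms is the simplified XACML 2.0-style ordering (XACML 3.0 additionally distinguishes Indeterminate{P}, {D} and {DP}).

```python
"""Toy XACML-style Policy Decision Point (PDP): added illustration, not
code from the slides or from any OASIS implementation. Rules are
simplified (dicts and Python predicates instead of XML), but decisions
follow the slides: Target selects applicable rules; Condition true ->
Effect, false -> NotApplicable; error or missing data -> Indeterminate;
a combining algorithm merges the per-rule results."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Dict[str, str]]   # category -> attribute id -> value


@dataclass
class Rule:
    description: str
    effect: str                                          # Permit or Deny
    target: Dict[str, Dict[str, str]] = field(default_factory=dict)
    condition: Optional[Callable[[Request], bool]] = None


def target_matches(target, request: Request) -> Optional[bool]:
    """True/False when every target attribute is present, None when one is missing."""
    for category, attrs in target.items():
        for attr_id, wanted in attrs.items():
            actual = request.get(category, {}).get(attr_id)
            if actual is None:
                return None                     # missing data -> Indeterminate
            if actual != wanted:
                return False
    return True


def evaluate_rule(rule: Rule, request: Request) -> str:
    matched = target_matches(rule.target, request)
    if matched is None:
        return INDETERMINATE
    if not matched:
        return NOT_APPLICABLE
    if rule.condition is None:
        return rule.effect
    try:
        return rule.effect if rule.condition(request) else NOT_APPLICABLE
    except (KeyError, ValueError):              # attribute absent or malformed
        return INDETERMINATE


# Simplified precedence orders; XACML 3.0 also tracks Indeterminate{P,D,DP}.
def deny_overrides(results):
    return next((d for d in (DENY, INDETERMINATE, PERMIT) if d in results), NOT_APPLICABLE)


def permit_overrides(results):
    return next((d for d in (PERMIT, INDETERMINATE, DENY) if d in results), NOT_APPLICABLE)


def first_applicable(results):
    return next((r for r in results if r != NOT_APPLICABLE), NOT_APPLICABLE)


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
             "first-applicable": first_applicable}


def evaluate_policy(rules: List[Rule], request: Request, combining="deny-overrides") -> str:
    if combining == "only-one-applicable":
        # Applicability is decided by Target alone: more than one applicable
        # rule is an error (Indeterminate); none at all is NotApplicable.
        applicable = [r for r in rules if target_matches(r.target, request) is not False]
        if len(applicable) > 1:
            return INDETERMINATE
        return evaluate_rule(applicable[0], request) if applicable else NOT_APPLICABLE
    return COMBINERS[combining]([evaluate_rule(r, request) for r in rules])


# --- constructed sample (hypothetical hospital scenario) ---
def office_hours(req):
    return 8 <= int(req["environment"]["hour"]) < 18


def owns_record(req):
    return req["subject"]["id"] == req["resource"]["patient-id"]


MEDICAL_RULES = [
    Rule("physicians act on records during office hours", PERMIT,
         {"subject": {"role": "physician"}, "resource": {"type": "medical-record"}}, office_hours),
    Rule("nobody deletes a record", DENY,
         {"resource": {"type": "medical-record"}, "action": {"id": "delete"}}),
    Rule("patients read their own record", PERMIT,
         {"subject": {"role": "patient"}, "action": {"id": "read"}}, owns_record),
]


def make_request(role, subject_id, action, patient_id="p-42", hour=None) -> Request:
    env = {} if hour is None else {"hour": str(hour)}
    return {"subject": {"role": role, "id": subject_id},
            "resource": {"type": "medical-record", "patient-id": patient_id},
            "action": {"id": action}, "environment": env}


def decide(request: Request, combining="deny-overrides") -> str:
    return evaluate_policy(MEDICAL_RULES, request, combining)
```

The instructive case is a physician deleting a record at 10:00: rule 1 permits, rule 2 denies, so deny-overrides yields Deny, permit-overrides yields Permit, first-applicable yields Permit (rule order decides), and only-one-applicable yields Indeterminate because two rules' Targets match. The same physician reading a record with no `hour` attribute in the environment yields Indeterminate rather than Deny, which is why a PEP should treat Indeterminate as a failure, not as a permit.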
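The Targets slide lists the match functions (regular expression, RFC822 name, X.500 name, user defined) but not their semantics, which is where most target mistakes happen: an email pattern without "@" matches a whole domain, a leading "." matches only sub-domains, and an X.500 pattern matches any name underneath it in the directory tree. The block below is an added example, not code from the slides or from the OASIS specification text; it implements those three standard functions as I understand them, registers a hypothetical user-defined IPv4-prefix function under a made-up identifier through the same dispatch table (the extension point the slides mention), and evaluates a constructed Target against a request. DN parsing is simplified (commas inside RDN values are not handled).

```python
"""XACML-style target match functions: added illustration, not code from
the slides or from the OASIS specification. Function ids are shortened
forms of the standard URNs; 'example:ipv4-prefix-match' is hypothetical."""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple


def regexp_string_match(pattern: str, value: str) -> bool:
    """The regex may match anywhere in the value (anchor it yourself)."""
    return re.search(pattern, value) is not None


def rfc822_name_match(pattern: str, name: str) -> bool:
    """'Alice@example.org' matches that address (local part case-sensitive,
    domain case-insensitive); 'example.org' matches any address in exactly
    that domain; '.example.org' matches addresses in any sub-domain only."""
    local, _, domain = name.partition("@")
    domain = domain.lower()
    if "@" in pattern:
        p_local, _, p_domain = pattern.partition("@")
        return local == p_local and domain == p_domain.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    return domain == pattern.lower()


def x500_name_match(pattern: str, name: str) -> bool:
    """True when the pattern's RDNs form a terminal sequence of the name's
    RDNs, i.e. the name lies in the subtree the pattern denotes."""
    def rdns(dn: str) -> List[str]:            # simplified: no escaped commas
        return [r.strip().lower() for r in dn.split(",")]
    p, n = rdns(pattern), rdns(name)
    return len(p) <= len(n) and n[len(n) - len(p):] == p


def ipv4_prefix_match(pattern: str, value: str) -> bool:
    """Hypothetical user-defined function: is the address inside the CIDR prefix?"""
    return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)


MATCH_FUNCTIONS: Dict[str, Callable[[str, str], bool]] = {
    "regexp-string-match": regexp_string_match,
    "rfc822Name-match": rfc822_name_match,
    "x500Name-match": x500_name_match,
    "example:ipv4-prefix-match": ipv4_prefix_match,   # made-up extension id
}

# A Target here is a list of (category, attribute id, match function id, literal);
# every match must succeed, and a missing attribute is treated as no match.
Target = List[Tuple[str, str, str, str]]


def target_applies(target: Target, request: Dict[str, Dict[str, str]]) -> bool:
    for category, attr_id, func_id, literal in target:
        value = request.get(category, {}).get(attr_id)
        if value is None or not MATCH_FUNCTIONS[func_id](literal, value):
            return False
    return True


# Constructed sample target and request (hypothetical hospital scenario).
CARDIOLOGY_TARGET: Target = [
    ("subject", "x500-name", "x500Name-match", "OU=Cardiology,O=Hospital"),
    ("subject", "email", "rfc822Name-match", ".hospital.example"),
    ("resource", "id", "regexp-string-match", r"^rec-\d+$"),
    ("environment", "client-ip", "example:ipv4-prefix-match", "10.1.0.0/16"),
]


def sample_request(email="alice@ward3.hospital.example", client_ip="10.1.7.9"):
    return {"subject": {"x500-name": "CN=Alice,OU=Cardiology,O=Hospital", "email": email},
            "resource": {"id": "rec-42"},
            "environment": {"client-ip": client_ip}}
```

Note the sub-domain rule: with the pattern ".hospital.example", an address at the bare domain "hospital.example" does not match, while any address under a ward sub-domain does. A policy author who wanted both would need two matches (or the pattern "hospital.example" plus the dotted one).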