Access Control: Understanding XACML for Resource Protection, Slides of Information Security and Markup Languages

An overview of access control, focusing on XACML (eXtensible Access Control Markup Language). Learn about XACML's components, advantages, and limitations, as well as its practical implementation. Understand how XACML policies, requests, and responses work, and explore related topics and tools.

Typology: Slides

2011/2012

Uploaded on 07/17/2012 by panita

- Access Control
  - What is it?
  - Why is it needed?
  - Privacy
  - General Terms
- XACML
  - About
  - General Usage Scenario
  - Advantages and Limitations
  - Structure
    - Components
    - Request
    - Policies
    - Response
  - Practical Implementation

[Figure: three user groups, Coders Group 1, Coders Group 2 and Coders Group 3, sharing resources]

- Consider three user groups who must share resources amongst themselves.
- Requirement of a generic method to address such situations where data must be shared and also hidden from other users for various reasons.

- Consider the hierarchical structure of an organization. Different members of different groups have access to different amounts of data. Again, such access to resources must be cleverly dealt with.

[Figure: organizational hierarchy, CEO, Manager, System Analyst, Coder]

- An access control policy can be transformed into a privacy-aware access control policy with the association of the following parameters:
  - Intent or purpose for access against each resource.
  - Obligations to be fulfilled on access to certain data resources.
  - Data retention periods.

- Let us formally define some terms now.
- Official Definition:
  - Resource - Data, service or system component
- Examples:
  - User folders in a shared file system
  - Service to send emails
    - Some are allowed to use the service
    - Some are not.

Source of the official definitions: eXtensible Access Control Markup Language (XACML) Version 2.0 documentation.

- Official Definition:
  - Action - An operation on a resource.
- Examples:
  - View
  - Create
  - Update
  - Delete

- Official Definition:
  - Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action
- Examples:
  - Time of day
  - IP address

- Official Definition:
  - Attribute - Characteristic of a subject, resource, action or environment that may be referenced in a predicate or target.
- Examples:
  - Resource attribute: resource-id, e.g. "hospital.patient.xray_report"
  - Action attribute: action-id, e.g. "edit"
  - Environment attribute: time, e.g. "9:30 p.m."

- Official Definitions:
  - Policy decision point (PDP) - The system entity that evaluates applicable policy and renders an authorization decision.
  - Policy enforcement point (PEP) - The system entity that performs access control, by making decision requests and enforcing authorization decisions.
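The following Python is an added worked example, not code from the slides or from the XACML specification. It models the PDP/PEP split defined above and the privacy-aware parameters (purpose, obligations) from the earlier slide: a PDP that evaluates a request carrying subject, resource, action and environment attributes against rules with targets, and a PEP that only grants access on an explicit Permit after discharging every obligation. The attribute ids resource-id and action-id and the sample values "hospital.patient.xray_report", "edit" and 9:30 p.m. come from the slides; the dict-based policy syntax, the role/purpose/subject-id attributes, the working-hours condition and the audit obligation are constructed for this illustration and are not XACML's XML encoding.

```python
"""Toy XACML-style PDP and PEP (illustration only; not the slides' code)."""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Optional


@dataclass
class Request:
    """A decision request: one attribute bag per XACML category."""
    subject: dict
    resource: dict
    action: dict
    environment: dict


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    target: dict                                  # category -> {attribute-id: set of allowed values}
    condition: Optional[Callable[[Request], bool]] = None
    obligations: list = field(default_factory=list)   # callables run by the PEP on Permit


def target_matches(target: dict, request: Request) -> bool:
    """A target applies when every listed attribute holds one of the listed values."""
    for category, attrs in target.items():
        bag = getattr(request, category)
        for attr_id, allowed in attrs.items():
            if bag.get(attr_id) not in allowed:
                return False
    return True


def evaluate(rules: list, request: Request):
    """PDP with deny-overrides combining: any applicable Deny wins, otherwise
    Permit if some rule permits, otherwise NotApplicable.
    Returns (decision, obligations)."""
    decision, obligations = "NotApplicable", []
    for rule in rules:
        if not target_matches(rule.target, request):
            continue
        if rule.condition is not None and not rule.condition(request):
            continue
        if rule.effect == "Deny":
            return "Deny", list(rule.obligations)
        decision = "Permit"
        obligations.extend(rule.obligations)
    return decision, obligations


def enforce(rules: list, request: Request) -> bool:
    """PEP: access is granted only on an explicit Permit whose obligations can
    all be fulfilled; NotApplicable and Deny are both refused."""
    decision, obligations = evaluate(rules, request)
    if decision != "Permit":
        return False
    return all(obligation(request) for obligation in obligations)


# --- constructed sample policy -------------------------------------------------
AUDIT_LOG = []  # constructed sink for the audit obligation


def within_working_hours(req: Request) -> bool:
    # Environment attribute "time"; 07:00-19:00 is an assumed policy value.
    return time(7, 0) <= req.environment["time"] <= time(19, 0)


def audit(req: Request) -> bool:
    # Obligation: record who accessed what, for which stated purpose.
    AUDIT_LOG.append((req.subject["subject-id"], req.resource["resource-id"],
                      req.action["action-id"], req.subject["purpose"]))
    return True


POLICY = [
    # Privacy rule: patient x-ray reports are never released for a marketing purpose.
    Rule("Deny", {"resource": {"resource-id": {"hospital.patient.xray_report"}},
                  "subject": {"purpose": {"marketing"}}}),
    # Radiologists may view/edit x-ray reports for treatment, in working hours, audited.
    Rule("Permit", {"subject": {"role": {"radiologist"}, "purpose": {"treatment"}},
                    "resource": {"resource-id": {"hospital.patient.xray_report"}},
                    "action": {"action-id": {"view", "edit"}}},
         condition=within_working_hours, obligations=[audit]),
]


def make_request(role: str, action: str, purpose: str, at: time) -> Request:
    """Builds a constructed request against the x-ray report resource."""
    return Request(subject={"subject-id": "dr.alice", "role": role, "purpose": purpose},
                   resource={"resource-id": "hospital.patient.xray_report"},
                   action={"action-id": action},
                   environment={"time": at})


if __name__ == "__main__":
    for role, action, purpose, at in [("radiologist", "edit", "treatment", time(9, 30)),
                                      ("radiologist", "edit", "treatment", time(21, 30)),
                                      ("radiologist", "view", "marketing", time(9, 30))]:
        req = make_request(role, action, purpose, at)
        print(purpose, at, evaluate(POLICY, req)[0], "granted" if enforce(POLICY, req) else "refused")
```

Two design points carry over from the definitions: the PEP never grants on NotApplicable (a request no rule covers is refused, not silently allowed), and the 9:30 p.m. request from the slides is refused not by a Deny rule but because the Permit rule's environment condition fails, which is why the decision is NotApplicable rather than Deny.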

- From here onwards, when we talk about access control we automatically imply privacy-aware access control.

http://dev2dev.bea.com/pub/a/2004/02/xacml.html

- XACML defines a general policy language used to protect resources as well as an access decision language.
- The markup language has been approved and standardized by OASIS.