Overview
* XACML stands for eXtensible Access Control Markup Language
* It is an OASIS Standard
– XACML 1.0 approved in 2003
– XACML 2.0 approved in 2005
– XACML 3.0 approved as Committee Specification in 2010 and as OASIS Standard in January 2013
* Defines
– a standard set of XML elements for expressing access control policies
– a request/response format for asking a decision point for an authorization decision and returning it
– an evaluation model describing how policies are processed against a request
* Different from WS-Policy
– WS-Policy: applies to services
– XACML: applies to access control
* XACML 2.0 can consume subject attributes carried in SAML 2.0 assertions (SAML 2.0 profile of XACML)
Key Benefits
* Standardized authorization
* Centralized authorization
* Open/robust standards
Why Use XACML
* Interoperability: it’s an OASIS standard
* Compatibility: it’s XML based, so it can be transformed to/from other formats easily
* Extensibility: new attribute identifiers, data types and functions can be added
* Schema independence: it does not require a fixed resource schema and supports XPath selection over request content
* Multiple roles: a subject may carry several role attributes at once, each usable in a policy
* Grouping of attributes: XACML supports variables to group attributes
* Decentralized management: policies such as attribute release policies (ARPs) can be split into multiple distributed parts and managed separately
* Flexible conditions
* Supports obligations (actions the PEP must carry out together with the decision)
* Optional use of PKI (e.g. signed policies)
* Existing implementations
XACML vs SAML
* They complement each other
– an XACML policy can specify what to do with the attributes in a SAML assertion
– XACML attributes, requests and responses can be expressed in SAML (SAML profile of XACML)
* SAML: authentication assertions and attribute exchange, i.e. coarse-grained access decisions based on who the user is
* XACML: fine-grained authorization (which subject may perform which action on which resource, under which conditions)
Structure
* PolicySet
– contains a set of Policies and/or other PolicySets (inline or by reference)
– specifies the policy-combining algorithm used to combine their results
* Policy
– contains a set of Rules
– specifies the rule-combining algorithm used to combine the results of rule evaluations
* Rule
– has an Effect (Permit or Deny), an optional Target and an optional Boolean Condition
– evaluated in isolation; its result is combined with the other rules’ results by the Policy’s rule-combining algorithm
Combining Algorithms
* Deny Overrides: return
– Deny if any evaluation returns Deny
– Permit if at least one evaluation returns Permit and none returns Deny
– NotApplicable if no evaluation applies
* Permit Overrides: return
– Permit if any evaluation returns Permit
– Deny if at least one evaluation returns Deny and none returns Permit
– NotApplicable if no evaluation applies
* First Applicable: return
– the result of the first evaluation (in document order) that is not NotApplicable
– NotApplicable if none applies
* Only One Applicable (policy sets only): return
– the result of the single policy whose target matches
– Indeterminate if more than one policy’s target matches
– NotApplicable if none applies
* An evaluation error yields Indeterminate; how it is treated depends on the algorithm (Deny Overrides treats it as a potential Deny)
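The four combining algorithms above, as an added worked example (Python written for this page, not code from the slides or from any XACML product). It follows the policy-combining pseudo-code in the XACML 2.0 core specification (Appendix C), so it also spells out what the bullets leave implicit: how each algorithm treats a child that evaluated to Indeterminate. The `Child` type and the sample result lists are constructed for the example.

```python
"""Combining algorithms over child results, written in Python for this page."""
from dataclasses import dataclass
from typing import Optional, Sequence

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


@dataclass(frozen=True)
class Child:
    """Constructed result of evaluating one child (a Rule in a Policy, or a Policy in a PolicySet).

    decision:       the child's own decision
    target_matches: True if its Target matched, False if it did not (decision is then
                    NotApplicable), None if the Target itself could not be evaluated.
    """
    decision: str
    target_matches: Optional[bool] = True


def deny_overrides(children: Sequence[Child]) -> str:
    """Deny wins; an Indeterminate child is a potential Deny and therefore also yields Deny."""
    saw_permit = False
    for child in children:
        if child.decision in (DENY, INDETERMINATE):
            return DENY
        if child.decision == PERMIT:
            saw_permit = True
    return PERMIT if saw_permit else NOT_APPLICABLE


def permit_overrides(children: Sequence[Child]) -> str:
    """Permit wins; otherwise Deny if any child denied; otherwise an error surfaces as Indeterminate."""
    saw_deny = saw_error = False
    for child in children:
        if child.decision == PERMIT:
            return PERMIT
        if child.decision == DENY:
            saw_deny = True
        elif child.decision == INDETERMINATE:
            saw_error = True
    if saw_deny:
        return DENY
    return INDETERMINATE if saw_error else NOT_APPLICABLE


def first_applicable(children: Sequence[Child]) -> str:
    """Document order matters: the first child that is not NotApplicable decides (even if Indeterminate)."""
    for child in children:
        if child.decision != NOT_APPLICABLE:
            return child.decision
    return NOT_APPLICABLE


def only_one_applicable(children: Sequence[Child]) -> str:
    """Policy sets only: exactly one child's Target may match, otherwise Indeterminate."""
    selected: Optional[Child] = None
    for child in children:
        if child.target_matches is None:
            return INDETERMINATE           # could not tell whether this child applies
        if child.target_matches:
            if selected is not None:
                return INDETERMINATE       # two applicable children: ambiguous by definition
            selected = child
    return selected.decision if selected is not None else NOT_APPLICABLE


ALGORITHMS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}


def combine_all(children: Sequence[Child]) -> dict:
    """Run every algorithm over the same constructed child results, for side-by-side comparison."""
    return {name: alg(children) for name, alg in ALGORITHMS.items()}


if __name__ == "__main__":
    # Constructed: a permitting rule, a denying rule, and a rule whose Target did not match.
    mixed = [Child(PERMIT), Child(DENY), Child(NOT_APPLICABLE, target_matches=False)]
    # Constructed: a permitting rule next to one that failed to evaluate.
    with_error = [Child(PERMIT), Child(INDETERMINATE)]
    for label, results in (("mixed", mixed), ("with_error", with_error)):
        for name, decision in combine_all(results).items():
            print(f"{label:11} {name:20} -> {decision}")
```

The practical point is the Indeterminate column: under Permit Overrides an attribute lookup failure next to a Deny rule still yields Deny, but on its own it reaches the PEP as Indeterminate, so a PEP that treats anything other than an explicit Deny as a grant fails open. Enforcement points should be deny-biased: grant only on Permit.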
Examples
Example Scenario
* A subject requests access to a resource protected by a Policy Enforcement Point (PEP).
* The PEP builds an XACML request (subject, resource, action and environment attributes) and sends it to the Policy Decision Point (PDP).
* The PDP evaluates the request against its policies, fetching any attributes it still needs from a Policy Information Point (PIP), and determines whether access should be granted to the subject.
* The PDP returns one of the following decisions to the PEP
– Permit
– Deny
– Indeterminate (the PDP could not evaluate, e.g. a missing attribute or a policy error)
– NotApplicable (no policy applies to the request)
* The PEP enforces the decision; a deny-biased PEP grants access only on Permit and refuses on every other decision.
Example XACML
<?xml version="1.0"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="A Simple Policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>
    This is a simple XACML policy to illustrate some of the language constructs
  </Description>
  <!-- Policy target: applies to every subject, resource and action -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!-- Permit one named subject. The SubjectAttributeDesignator names the request attribute
       that is compared with the AttributeValue; the schema requires it and the original
       listing omitted it. -->
  <Rule RuleId="Simple Rule" Effect="Permit">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:x500name-equal">
            <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500name">
              CN=A User,OU=XYZ User,O=XYZ Corp, C=US
            </AttributeValue>
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500name"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
  </Rule>
  <!-- No Target: this rule applies to every request the Policy applies to.
       Under permit-overrides it only decides when Simple Rule does not permit. -->
  <Rule RuleId="Deny Everything Else" Effect="Deny">
    <Description>Deny everything not permitted by Simple Rule</Description>
  </Rule>
</Policy>
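A toy PDP for the policy above, as an added example (Python written for this page; it is neither the slides’ code nor the Sun XACML implementation). It parses a cleaned copy of the policy with the standard library, evaluates the subject match for constructed PEP requests, and combines the two rules with permit-overrides, so it walks through the request/response scenario end to end. Two assumptions: x500name-equal is simplified to trimming RDN whitespace and upper-casing attribute types (the standard mandates RFC 2253 comparison), and `pep_request` with its sample DNs is a constructed stand-in for a real XACML request.

```python
"""Toy PDP for the policy above, written in Python for this page (not the slides' code)."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
X500_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:x500name-equal"
X500_TYPE = "urn:oasis:names:tc:xacml:1.0:data-type:x500name"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

# Constructed, cleaned copy of the policy above: permit one DN, deny everyone else.
POLICY_XML = f"""<?xml version="1.0"?>
<Policy xmlns="{NS}" PolicyId="A Simple Policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="Simple Rule" Effect="Permit">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{X500_EQUAL}">
        <AttributeValue DataType="{X500_TYPE}">CN=A User,OU=XYZ User,O=XYZ Corp, C=US</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{X500_TYPE}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="Deny Everything Else" Effect="Deny"/>
</Policy>
"""


def q(tag: str) -> str:
    """Qualify an element name with the XACML 1.0 policy namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def normalise_dn(dn: str) -> str:
    """Assumed simplification of x500name-equal: trim each RDN, upper-case the attribute type."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(parts)


MATCH_FUNCTIONS = {X500_EQUAL: lambda a, b: normalise_dn(a) == normalise_dn(b)}


def subject_matches(subject, request: dict) -> bool:
    """Every SubjectMatch inside one Subject must hold (AND)."""
    for match in subject.findall(q("SubjectMatch")):
        func = MATCH_FUNCTIONS[match.get("MatchId")]
        policy_value = match.find(q("AttributeValue")).text.strip()
        attr_id = match.find(q("SubjectAttributeDesignator")).get("AttributeId")
        bag = request["subject"].get(attr_id, [])          # empty bag if the PEP sent no such attribute
        if not any(func(policy_value, v) for v in bag):    # empty bag => no match, rule not applicable
            return False
    return True


def target_matches(target, request: dict) -> bool:
    """A Rule with no Target applies wherever its Policy applies; Any* elements match everything."""
    if target is None:
        return True
    subjects = target.find(q("Subjects"))
    if subjects is not None and subjects.find(q("AnySubject")) is None:
        if not any(subject_matches(s, request) for s in subjects.findall(q("Subject"))):
            return False                                   # alternatives between Subject elements are OR
    for section, any_tag in (("Resources", "AnyResource"), ("Actions", "AnyAction")):
        block = target.find(q(section))
        if block is not None and block.find(q(any_tag)) is None:
            raise NotImplementedError(f"{section} matching is not used by the example policy")
    return True


def permit_overrides(decisions: list) -> str:
    """Permit beats Deny beats NotApplicable. This toy never produces Indeterminate."""
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else "NotApplicable"


def decide(policy_xml: str, request: dict) -> str:
    """PDP entry point: the decision the PEP receives for one request."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    if not policy.get("RuleCombiningAlgId").endswith(":permit-overrides"):
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    decisions = [r.get("Effect") if target_matches(r.find(q("Target")), request) else "NotApplicable"
                 for r in policy.findall(q("Rule"))]
    return permit_overrides(decisions)


def pep_request(subject_dn: str) -> dict:
    """Constructed stand-in for the XACML request a PEP would build: just the subject-id attribute."""
    return {"subject": {SUBJECT_ID: [subject_dn]}, "resource": {}, "action": {}}


if __name__ == "__main__":
    print(decide(POLICY_XML, pep_request("CN=A User, OU=XYZ User, O=XYZ Corp, C=US")))   # Permit
    print(decide(POLICY_XML, pep_request("CN=Someone Else,OU=XYZ User,O=XYZ Corp,C=US")))  # Deny
    print(decide(POLICY_XML, {"subject": {}, "resource": {}, "action": {}}))                # Deny
```

Note the third request: a PEP that forgets to include the subject-id attribute does not get Permit by accident, because the empty bag makes Simple Rule not applicable and the target-less Deny rule still applies. That fall-through is the reason for carrying an explicit catch-all Deny rule rather than relying on NotApplicable.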
Glossary
PAP: Policy Administration Point
PEP: Policy Enforcement Point
PDP: Policy Decision Point
PIP: Policy Information Point
XACML Vendors
* Axiomatics
* BitKoo
References
* OASIS XACML
* XACML PPT
* Anne Anderson XACML PPT
* Sun XACML Project
* Enterprise Web Services Security, Rickland Hollar and Richard Murphy
* Using XACML for Privacy Control in SAML-Based Identity Federations