{"id":2234,"date":"2011-05-10T14:06:17","date_gmt":"2011-05-10T19:06:17","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=2234"},"modified":"2011-05-10T14:06:17","modified_gmt":"2011-05-10T19:06:17","slug":"xacml-policies","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=2234","title":{"rendered":"XACML Policies"},"content":{"rendered":"

Overview<\/h2><\/span>\n

* XACML stands for eXtensible Access Control Markup Language
\n* It is an OASIS Standard<\/a>
\n– XACML 1.0 approved in 2003
\n– XACML 2.0 approved in 2005
\n– XACML 3.0 approved in 2010<\/p>\n

* Defines
\n– a standard set of XML elements for expressing access control policies
\n– a request and response protocol for issuing requests and responses
\n– a policy language model for processing policy requests
\n* Different <\/strong>from WS-Policy
\n– WS-Policy: applies to services
\n– XACML: applies to access control
\n* XACML 2.0 can work on SAML 2.0 subject attributes<\/p>\n

Key Benefits<\/h3><\/span>\n

* Standardized authorization
\n* Centralized authorization
\n* Open\/robust standards<\/p>\n

Why Use XACML<\/h3><\/span>\n

* Interoperability: it’s an OASIS standard
\n* Compatibility: it’s xml based so can be transformed to\/from other formats easily
\n* Extensibility
\n* Schema independence: it does not required fixed schema and support XPATH
\n* Multiple roles
\n* Grouping of attributes: XACML supports variables to group attributes
\n* Decentralized management: ARPs can be split into multiple distributed parts and managed separately
\n* Flexible conditions
\n* Supports obligations
\n* Optional use of PKI
\n* Existing implementation<\/p>\n

XACML vs SAML<\/h3><\/span>\n

* They complement each other
\n– XACML policy can specify what to do with SAML assertion
\n– XACML based attributes can be expressed in SAML
\n* SAML for coarse grained authentication\/authorization
\n* XACML for fine grained authentication\/authorization<\/p>\n

Structure<\/h3><\/span>\n

* PolicySet
\n– contains a set of Policies
\n* Policy
\n– contains a set of Rules
\n– specifies procedure to combine results of rule evaluations
\n* Rule
\n– contains a Boolean expression
\n– evaluated in isolation<\/p>\n

Combining Algorithms<\/h3><\/span>\n

* Deny Overrides:
\n– return Deny if any<\/em> evaluation returns Deny
\n* Permit Overrides: return
\n– Permit if any<\/em> evaluation returns Permit
\n* First Applicable: return
\n– result from first<\/em> applicable evaluation
\n– NotApplicable if none applies
\n* Only One Applicable: return
\n– result from evaluation if only one<\/em> rule applies
\n– Inderterminate if multiple evaluations apply<\/p>\n

Examples<\/h2><\/span>\n

Example Scenario<\/h3><\/span>\n

* A subject requests to access a resource protected by Policy Enforcement Point (PEP).
\n* PEP creates and sends an XACML request to the Policy Decision Point (PDP).
\n* PDP checks the request against policies and determine whether access should be granted to the subject.
\n* PDP makes an authorization decision
\n* PDP sends one of the following responses to the PEP
\n– Permit,
\n– Deny,
\n– Indeterminate
\n– Not Applicable
\n* The PEP enforces the decision made by the PDP accordingly.<\/p>\n

Example XACML<\/h3><\/span>\n
\r\n\r\n\r\n   \r\n     This is simple XACML policy to illustrate\r\n     some of the language constructs\r\n   <\/Description>\r\n   \r\n     \r\n         \r\n     <\/Subjects>\r\n     \r\n         \r\n     <\/Resources>\r\n     \r\n         \r\n     <\/Actions>\r\n   <\/Target>\r\n   \r\n     \r\n       \r\n         \r\n           \r\n               \r\n                   CN=A User,OU=XYZ User,O=XYZ Corp, C=US\r\n               <\/AttributeValue>\r\n           <\/SubjectMatch>\r\n         <\/Subject>\r\n       <\/Subjects>\r\n     <\/Target>\r\n   <\/Rule> \r\n   \r\n     \r\n         Deny everything not permitted by Simple Rule\r\n     <\/Description>\r\n   <\/Rule>\r\n<\/Policy>\r\n<\/pre>\n
Glossary<\/h2><\/span>\n
PAP: Policy administration Point
\nPEP: Policy enforcement point
\nPDP: Policy decision point
\nPIP: Policy information point<\/p>\n
XACML Vendors<\/h2><\/span>\n
* Axiomatics
\n* BitKoo<\/p>\n
References<\/h2><\/span>\n
* OASIS XACML<\/a>
\n* XACML PPT<\/a>
\n* Anne Anderson XACML PPT<\/a>
\n* Sun XACML Project<\/a>
\n* Enterprise Web Services Security, By: Rickland Hollar; Richard Murphy
\n* Using XACML for Privacy Control in SAML-Based Identity Federations<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Overview * XACML stands for eXtensible Access Control Markup Language * It is an OASIS Standard – XACML 1.0 approved in 2003 – XACML 2.0 approved in 2005 – XACML 3.0 approved in 2010 * Defines – a standard set … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[43],"tags":[],"class_list":["post-2234","post","type-post","status-publish","format-standard","hentry","category-ws-stds"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-A2","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2234"}],"version-history":[{"count":15,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2234\/revisions"}],"predecessor-version":[{"id":2267,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/2234\/revisions\/2267"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}