Authorization: The Missing Piece of the Puzzle

Posted on 15-Jan-2015


DESCRIPTION

Presented by Srijith Nair from Axiomatics at Nordic APIs in Copenhagen the 21st of May 2013

TRANSCRIPT

© 2013, Axiomatics AB

Authorization

The Missing Piece of the Puzzle

@srijith @axiomatics

Srijith Nair Director, Developer Relations


Show of Hands: Authorization?

XACML?


Authentication (AuthN)

Identity is key

Services need to know who you are

You need to prove who you are

Several protocols exist to support Authentication

“Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”

Authorization (AuthZ)

Identity is key, but it is not everything

Authentication proves your identity

It does not decide what that identity entails

Enter Authorization

“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

AuthN vs. AuthZ

Some frameworks and standards confuse the two phases

Often AuthN ≡ AuthZ: if you have authenticated then you are in…

AuthZ is part of a bigger process: Identify, Authenticate, Authorize

Think of the access to your APIs…

AuthZ addresses various concerns

Business-driven authorization

Let “Gold” customers access APIs 1,2 but not 3

Let “Platinum” customers access all APIs

Compliance-driven authorization

Do not let traders approve transactions they requested

Privacy-driven authorization

Do not disclose medical data to non-employee users

Authorization Approaches

Mandatory Access Control (MAC)

Discretionary Access Control (DAC)

Role-Based Access Control (RBAC)

It’s widely adopted

It’s well understood and industry-standard

It’s simple

Most apps support some form of RBAC

Problem with RBAC?

Inflexible & static

Difficult to define fine-grained access control rules

Doesn’t scale: role explosion

How to implement the rule: Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship

Where’s the role? Doctor

What’s a patient? A record? A care relationship?

Pull out the highlighter

What if we were not limited to roles?

Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship

Attributes, Attributes, Attributes!


Attribute-based access control

Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests

Attributes are sets of labels or properties

They describe all aspects of entities that must be considered for authorization purposes

Each attribute consists of a key-value pair such as “Class=Gold”, “OS=Windows”

ABAC – beyond RBAC

Role-Based Access Control                 | Attribute-Based Access Control
User -> Role -> Permissions               | User + Action + Resource + Context -> Attributes -> Policies
Static & pre-defined                      | Dynamic & Adaptive

Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM.

[Diagram: Role 1 and Role 2, each mapped to a fixed set of permissions (P)]
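The doctor rule from the RBAC slide, written as checks on attributes of the subject and the resource rather than on a fixed role-to-permission table; this is an added example, not code from the talk or from Axiomatics, and the attribute names (role, unit, user_id, patient_unit, care_team) are assumptions.

```python
"""Added example (not from the talk): the slide's doctor rule expressed as ABAC checks.
Attribute names (role, unit, user_id, patient_unit, care_team) are constructed here."""


def decide(subject: dict, action: str, resource: dict) -> str:
    """Return Permit, Deny or NotApplicable for one access request.

    Rule 1: doctors may view the records of patients assigned to their unit.
    Rule 2: doctors may edit the records of patients they have a care relationship with.
    RBAC would need one role per unit and per care relationship to say the same thing
    (role explosion); ABAC compares the attributes at decision time instead.
    """
    if subject.get("role") != "Doctor":
        return "NotApplicable"          # the rule says nothing about other roles
    same_unit = subject.get("unit") == resource.get("patient_unit")
    care_relationship = subject.get("user_id") in resource.get("care_team", ())
    if action == "view":
        return "Permit" if same_unit else "Deny"
    if action == "edit":
        return "Permit" if care_relationship else "Deny"
    return "NotApplicable"              # no rule covers this action


# Constructed sample subjects and one patient record
ALICE = {"user_id": "alice", "role": "Doctor", "unit": "Cardiology"}
BOB = {"user_id": "bob", "role": "Doctor", "unit": "Oncology"}
RECORD = {"patient_id": "p-1", "patient_unit": "Cardiology", "care_team": ["bob"]}


def demo() -> dict:
    """Evaluate a handful of requests against the two rules."""
    return {
        "alice view": decide(ALICE, "view", RECORD),              # same unit
        "alice edit": decide(ALICE, "edit", RECORD),              # no care relationship
        "bob view": decide(BOB, "view", RECORD),                  # other unit
        "bob edit": decide(BOB, "edit", RECORD),                  # in the care team
        "nurse view": decide({"role": "Nurse"}, "view", RECORD),  # rule does not apply
    }
```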

eXtensible Authorization – Future Proofing

External to Applications

Standards-Compliant

Authorization Service

Fine-Grained

Context-Aware

Attribute-based Access Control

Enter XACML


What is XACML?

Pronunciation

eXtensible Access Control Markup Language

OASIS standard: V 3.0 approved in January 2013

V 1.0 approved in 2003 (10 years ago!)

XACML is expressed as a specification document and an XML schema

A REST profile for XACML exists (CSD)

http://www.oasis-open.org/committees/xacml/

What does XACML contain?

XACML consists of a Reference Architecture, a Policy Language and a Request / Response Protocol

XACML-Architecture

Access request

Enforce: Policy Enforcement Point (PEP)

Decide: Policy Decision Point (PDP)

Manage: Policy Administration Point (PAP)

Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)


Attributes & Categories

Everything can be described in terms of attributes

Attributes can be grouped into categories: Subject, Action, Resource, Environment, and many more…

It’s all about Attributes! ABAC

Examples of attributes

Subject                 | Action                           | Resource                          | Environment
A user …                | … wants to do something …        | … with an information asset …     | … in a given context

Examples:

Subject                 | Action                           | Resource                          | Environment
A claims administrator… | …wants to register a …           | … claim receipt for a new claim…  | … via a secure channel authenticated using the corporate smart card
An adjuster…            | …wants to approve payments of …  | … claim payment …                 | …from his office computer during regular business hours
A manager wants to …    | … assign a claim…                | …to a claim adjuster…             | … at 2 o’clock at night from a hotel lounge in Chisinau…

Example XACML 3.0 Request, XML

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Laptop</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/acs/role" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>

Example XACML 3.0 Response

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
  </xacml-ctx:Result>
</xacml-ctx:Response>

Language Elements of XACML

3 levels of elements: PolicySet, Policy, Rule

At root is PolicySet or Policy

PolicySet can contain PolicySet and Policy

Policy can contain Rule

Rule evaluation returns PERMIT, DENY, Indeterminate, NotApplicable

Rule Combining Algorithms

Policy Combining Algorithms

[Diagram: a PolicySet containing a nested PolicySet and Policies; each Policy contains Rules, and each Rule has an Effect of Permit or Deny]

Language Structure: Russian dolls

All 3 elements can contain Target elements

At the heart of most Rules is a Condition

Obligation/Advice can be specified at all 3 levels

[Diagram: the same PolicySet / Policy / Rule nesting, with a Target (T) and Obligation/Advice (O) at every level; Rules also carry a Condition (C) and an Effect of Permit or Deny]

O = Obligation / Advice, C = Condition, T = Target


XACML Concepts

It’s all about Attributes! ABAC = Attribute Based Access Control

[Diagram: the attribute categories Subject, Action, Resource, Environment]

XACML Policies

XACML Request

XACML Response

Structure of a XACML Request / Response

XACML Request: Can Manager Alice approve Purchase Order 12367?

• Subject: User id = Alice, Role = Manager

• Action: Action id = approve

• Resource: Resource type = Purchase Order, PO # = 12367

• Environment: Device Type = Laptop

XACML Response: Yes, she can

• Result: Decision: Permit, Status: ok

The core XACML specification does not define any specific transport / communication protocol:

- Developers can choose their own.

- The SAML profile defines a binding to send requests/responses over SAML assertions.

Obligation & Advice

In addition, a XACML response can also contain:

Obligation: the PEP must comply with the obligation and is required to deny access if it cannot understand or enforce it

Advice: the PEP may comply with the advice; it can be safely ignored if it is not understood or cannot be acted on
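A toy Policy Decision Point that ties the request format, the combining algorithms and the Obligation/Advice handling above together: it parses a request shaped like the earlier XACML 3.0 example, combines two Rules with the deny-overrides algorithm and lets a PEP apply the obligation rule. This is an added example, not code from the talk or from Axiomatics' products; the policy content, the short AttributeIds and the obligation id `log-approval` are assumptions.

```python
"""Added example (not from the talk): a toy Policy Decision Point for a request shaped like
the slide's XACML 3.0 example. It reads attributes per category, combines two Rules with
deny-overrides, and shows how a PEP treats an Obligation versus Advice. Policy content and
the short AttributeIds are constructed for this example."""
import xml.etree.ElementTree as ET

NS = {"c": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
CAT3 = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
REQUEST = f"""<Request xmlns="{NS['c']}">
 <Attributes Category="{CAT3}environment"><Attribute AttributeId="devicetype">
  <AttributeValue>Laptop</AttributeValue></Attribute></Attributes>
 <Attributes Category="{CAT3}action"><Attribute AttributeId="action-id">
  <AttributeValue>approve</AttributeValue></Attribute></Attributes>
 <Attributes Category="{SUBJ}"><Attribute AttributeId="role">
  <AttributeValue>Manager</AttributeValue></Attribute></Attributes>
 <Attributes Category="{CAT3}resource"><Attribute AttributeId="type">
  <AttributeValue>Purchase Order</AttributeValue></Attribute></Attributes>
</Request>"""

def parse_request(xml_text: str) -> dict:
    """Map category short name (access-subject, action, resource, environment) to {AttributeId: [values]}."""
    ctx = {}
    for attrs in ET.fromstring(xml_text).findall("c:Attributes", NS):
        bag = ctx.setdefault(attrs.get("Category").rsplit(":", 1)[-1], {})
        for a in attrs.findall("c:Attribute", NS):
            values = [v.text for v in a.findall("c:AttributeValue", NS)]
            bag.setdefault(a.get("AttributeId"), []).extend(values)
    return ctx

def has(ctx: dict, cat: str, attr_id: str, value: str) -> bool:
    return value in ctx.get(cat, {}).get(attr_id, [])

# Each Rule: (Target/Condition as a predicate, Effect, obligations or advice it carries)
RULES = [
    (lambda c: has(c, "access-subject", "role", "Manager") and has(c, "action", "action-id", "approve")
               and has(c, "resource", "type", "Purchase Order"), "Permit", [("log-approval", "Obligation")]),
    (lambda c: not has(c, "environment", "devicetype", "Laptop"), "Deny", []),
]

def deny_overrides(ctx: dict):
    """deny-overrides combining algorithm: any Deny wins, else Permit, else NotApplicable."""
    hits = [(effect, obl) for pred, effect, obl in RULES if pred(ctx)]
    if any(e == "Deny" for e, _ in hits): return "Deny", []
    if any(e == "Permit" for e, _ in hits): return "Permit", [o for e, obl in hits if e == "Permit" for o in obl]
    return "NotApplicable", []

def pep_enforce(decision: str, obligations: list, understood=("log-approval",)) -> bool:
    """PEP: grant only on Permit; an Obligation it cannot fulfil forces a deny, Advice may be ignored."""
    if decision != "Permit": return False
    return all(kind == "Advice" or oid in understood for oid, kind in obligations)
```

Swapping `Laptop` for another device value in `REQUEST` makes the Deny rule fire and deny-overrides wins; a subject without the Manager role matches no rule and yields NotApplicable.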

Summary

AuthN is not enough. AuthZ is needed.

RBAC is often not enough. ABAC is needed.

XACML is a prominent ABAC system.

XACML consists of: Reference Architecture, Policy Language, Request / Response Protocol

Summary (Axiomatics)

Axiomatics is the world’s leading independent provider of dynamic AuthZ solutions

Our products enable efficient XACML-based authorization

APIs, SDKs for system integration

Java and .NET support

APS Developer Edition provides you with all the power of our product in a ready-to-use package

http://axiomatics.com/aps-developer-edition.html

Questions? Contact us at info@axiomatics.com
