
Presented by Srijith Nair from Axiomatics at Nordic APIs in Copenhagen the 21st of May 2013


Page 1: Authorization The Missing Piece of the Puzzle

© 2013, Axiomatics AB

Authorization

The Missing Piece of the Puzzle

@srijith @axiomatics

Srijith Nair Director, Developer Relations

Page 2: Authorization The Missing Piece of the Puzzle


Show of Hands: Authorization?

XACML?

Page 3: Authorization The Missing Piece of the Puzzle


Identity is key

Services need to know who you are

You need to prove who you are

Several protocols exist to support Authentication

Authentication (AuthN)

“Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”

Page 4: Authorization The Missing Piece of the Puzzle


Identity is key, but it is not everything

Authentication proves your identity

It does not decide what that identity entails

Enter Authorization

Authorization (AuthZ)

“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”

Page 5: Authorization The Missing Piece of the Puzzle

AuthN vs. AuthZ

Some frameworks and standards confuse the two phases

Often AuthN ≡ AuthZ: if you have authenticated then you are in…

AuthZ is part of a bigger process:

Identify

Authenticate

Authorize

Think of the access to your APIs…

Page 6: Authorization The Missing Piece of the Puzzle

AuthZ addresses various concerns

Business-driven authorization: let “Gold” customers access APIs 1 and 2 but not 3; let “Platinum” customers access all APIs

Compliance-driven authorization: do not let traders approve transactions they requested

Privacy-driven authorization: do not disclose medical data to non-employee users

Page 7: Authorization The Missing Piece of the Puzzle

Authorization Approaches

Mandatory Access Control (MAC)

Discretionary Access Control (DAC)

Role-Based Access Control (RBAC): it’s widely adopted, it’s well understood and industry-standard, it’s simple, and most apps support some form of RBAC

Page 8: Authorization The Missing Piece of the Puzzle

Problem with RBAC?

Inflexible & static

Difficult to define fine-grained access control rules

Doesn’t scale: role explosion

How to implement the rule: Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship

Where’s the role? Doctor

What’s a patient? A record? A care relationship?

Page 9: Authorization The Missing Piece of the Puzzle


Pull out the highlighter

What if we were not limited to roles?

Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship

Attributes, Attributes, Attributes!

Page 10: Authorization The Missing Piece of the Puzzle

Attribute-based access control

Attribute-Based Access Control (ABAC) uses attributes as building blocks in a structured language used to define access control rules and to describe access requests

Attributes are sets of labels or properties that describe all aspects of entities that must be considered for authorization purposes

Each attribute consists of a key-value pair such as “Class=Gold”, “OS=Windows”

Page 11: Authorization The Missing Piece of the Puzzle

ABAC – beyond RBAC

Role-Based Access Control: User → Role → Permissions. Static & pre-defined.

Attribute-Based Access Control: User + Action + Resource + Context → Attributes → Policies. Dynamic & adaptive.

Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM.

[Figure: each role (Role 1, Role 2) maps to a fixed set of permissions (P)]

Page 12: Authorization The Missing Piece of the Puzzle

eXtensible Authorization – Future Proofing

External to Applications

Standards-Compliant Authorization Service

Fine-Grained, Context-Aware Attribute-based Access Control

Page 13: Authorization The Missing Piece of the Puzzle


Enter XACML

Page 14: Authorization The Missing Piece of the Puzzle

What is XACML?

Pronunciation

eXtensible Access Control Markup Language

OASIS standard V 3.0 approved in January 2013

V 1.0 approved in 2003 (10 years ago!)

XACML is expressed as a specification document and an XML schema

REST profile for XACML exists (CSD)

http://www.oasis-open.org/committees/xacml/

Page 15: Authorization The Missing Piece of the Puzzle

What does XACML contain?

XACML: Reference Architecture, Policy Language, Request / Response Protocol

Page 16: Authorization The Missing Piece of the Puzzle

XACML Architecture

Access request

Enforce: Policy Enforcement Point (PEP)

Decide: Policy Decision Point (PDP)

Manage: Policy Administration Point (PAP)

Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)

Page 21: Authorization The Missing Piece of the Puzzle

What does XACML contain?

XACML: Reference Architecture, Policy Language, Request / Response Protocol

Page 22: Authorization The Missing Piece of the Puzzle

Attributes & Categories

Everything can be described in terms of attributes

Attributes can be grouped into categories: Subject, Action, Resource, Environment, and many more…

It’s all about Attributes! ABAC

Page 23: Authorization The Missing Piece of the Puzzle

Examples of attributes

Subject: A user … | Action: … wants to do something … | Resource: … with an information asset … | Environment: … in a given context

Examples:

Subject: A claims administrator… | Action: …wants to register a … | Resource: … claim receipt for a new claim… | Environment: … via a secure channel authenticated using the corporate smart card

Subject: An adjuster… | Action: …wants to approve payments of … | Resource: … claim payment … | Environment: …from his office computer during regular business hours

Subject: A manager wants to … | Action: … assign a claim… | Resource: …to a claim adjuster… | Environment: … at 2 o’clock at night from a hotel lounge in Chisinau…

Page 24: Authorization The Missing Piece of the Puzzle

Example XACML 3.0 Request, XML

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Laptop</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/acs/role" IncludeInResult="true">
      <!-- the role attribute carries a string value, so its DataType is string -->
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Manager</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>

Page 25: Authorization The Missing Piece of the Puzzle

Example XACML 3.0 Response

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Result>
    <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
    <xacml-ctx:Status>
      <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </xacml-ctx:Status>
  </xacml-ctx:Result>
</xacml-ctx:Response>

Page 26: Authorization The Missing Piece of the Puzzle

Language Elements of XACML

3 levels of elements: PolicySet, Policy, Rule

At root is PolicySet or Policy

PolicySet can contain PolicySet and Policy

Policy can contain Rule

Rule evaluation returns PERMIT, DENY, Indeterminate, NotApplicable

Rule Combining Algorithms

Policy Combining Algorithms

[Diagram: a PolicySet containing a PolicySet and Policies; each Policy contains Rules; each Rule has an Effect of Permit or Deny]

Page 27: Authorization The Missing Piece of the Puzzle

Language Structure: Russian dolls

All 3 elements can contain Target elements

At the heart of most Rules is a Condition

Obligation/Advice can be specified at all 3 levels

[Diagram: nested PolicySet → PolicySet → Policy → Rule; each level carries a Target (T) and an Obligation/Advice (O); the Rule additionally carries a Condition (C) and an Effect of Permit or Deny]

O = Obligation / Advice C = Condition T = Target
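To make the Rule / Effect / Target / Condition structure and the combining algorithms concrete, here is an added Python example (not code from the slides or from Axiomatics): a toy PDP that encodes the doctor rule from slide 8 and the privacy rule from slide 6 as ABAC rules. The attribute ids (role, unit, care_patients, employee, patient) and the simplified deny-overrides algorithm are assumptions made for the example.

```python
# Added example, not from the slides: a toy XACML-style PDP that encodes the
# slide-8 doctor rule and the slide-6 privacy rule as ABAC rules and combines
# them with a simplified deny-overrides rule-combining algorithm.
# Attribute ids (role, unit, care_patients, employee, ...) are assumptions.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

def evaluate_rule(rule, req):
    """Target miss -> NotApplicable; missing attribute -> Indeterminate;
    otherwise the rule's Effect if its Condition holds, else NotApplicable."""
    try:
        if not rule["target"](req):
            return NOT_APPLICABLE
        return rule["effect"] if rule["condition"](req) else NOT_APPLICABLE
    except KeyError:  # the request lacks an attribute the rule references
        return INDETERMINATE

def deny_overrides(decisions):
    """Simplified deny-overrides: Deny beats Indeterminate beats Permit."""
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in decisions:
            return decision
    return NOT_APPLICABLE

def evaluate_policy(policy, req):
    """A Policy is its Rules plus a rule-combining algorithm."""
    return policy["combine"]([evaluate_rule(r, req) for r in policy["rules"]])

HOSPITAL_POLICY = {
    "combine": deny_overrides,
    "rules": [
        {"effect": PERMIT,  # doctors may view records of patients in their unit
         "target": lambda q: q["subject"]["role"] == "doctor" and q["action"]["id"] == "view",
         "condition": lambda q: q["resource"]["unit"] == q["subject"]["unit"]},
        {"effect": PERMIT,  # doctors may edit records of patients in their care
         "target": lambda q: q["subject"]["role"] == "doctor" and q["action"]["id"] == "edit",
         "condition": lambda q: q["resource"]["patient"] in q["subject"]["care_patients"]},
        {"effect": DENY,  # never disclose medical data to non-employees
         "target": lambda q: q["resource"]["type"] == "medical-record",
         "condition": lambda q: not q["subject"]["employee"]},
    ],
}

def request(action, patient, res_unit, subject):
    """Build a request in the XACML categories used here (environment omitted)."""
    return {"subject": subject, "action": {"id": action},
            "resource": {"type": "medical-record", "patient": patient, "unit": res_unit}}
```

A deny-biased PEP treats both NotApplicable and Indeterminate as a deny, which is why a request that lacks an attribute the policy references cannot accidentally be granted.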

Page 28: Authorization The Missing Piece of the Puzzle

What does XACML contain?

XACML: Reference Architecture, Policy Language, Request / Response Protocol

Page 29: Authorization The Missing Piece of the Puzzle

XACML Concepts

It’s all about Attributes! ABAC = Attribute Based Access Control

Attribute categories: Subject, Action, Resource, Environment

XACML Policies

XACML Request

XACML Response

Page 30: Authorization The Missing Piece of the Puzzle

Structure of a XACML Request / Response

XACML Request: Can Manager Alice approve Purchase Order 12367?

• Subject: User id = Alice, Role = Manager

• Action: Action id = approve

• Resource: Resource type = Purchase Order, PO # = 12367

• Environment: Device Type = Laptop

XACML Response: Yes, she can

• Result: Decision: Permit, Status: ok

The core XACML specification does not define any specific transport / communication protocol:

- Developers can choose their own.

- The SAML profile defines a binding to send requests/responses over SAML assertions

Page 31: Authorization The Missing Piece of the Puzzle

Obligation & Advice

In addition, a XACML response can also contain:

Obligation: the PEP must comply with the obligation, and is required to deny access if it cannot understand or enforce it

Advice: the PEP may comply with the advice; it can be safely ignored if it is not understood or cannot be acted on
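A PEP-side check that applies these rules to the response format shown on slides 25 and 30, as an added Python example (not code from the slides or from Axiomatics). The obligation and advice ids, the KNOWN_OBLIGATIONS set and the constructed sample response are assumptions made for the example.

```python
# Added example, not from the slides: PEP-side handling of a XACML 3.0
# response. Access is granted only on a Permit with status ok whose
# Obligations the PEP all understands; Advice is optional. The obligation
# and advice ids and the sample response below are constructed.
import xml.etree.ElementTree as ET

NS = {"xacml-ctx": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
# Obligations this PEP knows how to carry out (hypothetical ids)
KNOWN_OBLIGATIONS = {"urn:example:obligation:log-access", "urn:example:obligation:mask-ssn"}

def parse_response(xml_text):
    """Return (decision, status code, obligation ids, advice ids) of the first Result."""
    result = ET.fromstring(xml_text).find("xacml-ctx:Result", NS)
    decision = result.findtext("xacml-ctx:Decision", namespaces=NS)
    status = result.find("xacml-ctx:Status/xacml-ctx:StatusCode", NS).get("Value")
    obligations = [o.get("ObligationId") for o in
                   result.findall("xacml-ctx:Obligations/xacml-ctx:Obligation", NS)]
    advice = [a.get("AdviceId") for a in
              result.findall("xacml-ctx:AssociatedAdvice/xacml-ctx:Advice", NS)]
    return decision, status, obligations, advice

def pep_enforce(xml_text, known=KNOWN_OBLIGATIONS):
    """Deny-biased PEP: True only for Permit + status ok + every obligation understood."""
    decision, status, obligations, _advice = parse_response(xml_text)
    if decision != "Permit" or status != STATUS_OK:
        return False  # Deny, NotApplicable and Indeterminate all fail closed
    if any(o not in known for o in obligations):
        return False  # an obligation the PEP cannot enforce forces a deny
    # Unknown advice is ignored; carrying out the known obligations would go here.
    return True

def sample_response(decision="Permit", obligations=(), advice=()):
    """Construct a minimal XACML 3.0 Response with the given obligation/advice ids."""
    ob = "".join(f'<xacml-ctx:Obligation ObligationId="{o}"/>' for o in obligations)
    ad = "".join(f'<xacml-ctx:Advice AdviceId="{a}"/>' for a in advice)
    return (f'<xacml-ctx:Response xmlns:xacml-ctx="{NS["xacml-ctx"]}"><xacml-ctx:Result>'
            f'<xacml-ctx:Decision>{decision}</xacml-ctx:Decision>'
            f'<xacml-ctx:Status><xacml-ctx:StatusCode Value="{STATUS_OK}"/></xacml-ctx:Status>'
            + (f'<xacml-ctx:Obligations>{ob}</xacml-ctx:Obligations>' if ob else '')
            + (f'<xacml-ctx:AssociatedAdvice>{ad}</xacml-ctx:AssociatedAdvice>' if ad else '')
            + '</xacml-ctx:Result></xacml-ctx:Response>')
```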

Page 32: Authorization The Missing Piece of the Puzzle

Summary

AuthN is not enough. AuthZ is needed.

RBAC is often not enough. ABAC is needed.

XACML is a prominent ABAC system.

XACML consists of: Reference Architecture, Policy Language, Request / Response Protocol

Page 33: Authorization The Missing Piece of the Puzzle

Summary (Axiomatics)

Axiomatics is the world’s leading independent provider of dynamic AuthZ solutions

Our products enable efficient XACML-based authorization

APIs, SDKs for system integration

Java and .NET support

APS Developer Edition provides you with all the power of our product in a ready-to-use package

http://axiomatics.com/aps-developer-edition.html

Page 35: Authorization The Missing Piece of the Puzzle


Questions? Contact us at [email protected]