Data Entitlement with WSO2 Enterprise Middleware Platform
![Page 1: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/1.jpg)
Data Entitlements with the WSO2 Enterprise Middleware Platform
Manoj Fernando, Director - Solutions Architecture
![Page 2: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/2.jpg)
About WSO2
• Providing the only complete open source componentized cloud platform
– Dedicated to removing all the stumbling blocks to enterprise agility
– Enabling you to focus on business logic and business value
• Recognized by leading analyst firms as visionaries and leaders
– Gartner cites WSO2 as visionaries in all 3 categories of application infrastructure
– Forrester places WSO2 in top 2 for API Management
• Global corporation with offices in USA, UK & Sri Lanka
– 200+ employees and growing
• Business model of selling comprehensive support & maintenance for our products
![Page 3: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/3.jpg)
150+ globally positioned support customers
![Page 4: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/4.jpg)
Agenda
• A Classic Use Case
• Need for Data Entitlements
• Data Entitlements - A Traditional Approach
• Challenges and benefits
• Features provided by WSO2 Identity Server
• XACML – Policy Based Access Control
• Using WSO2 Middleware Platform to implement our sample use case
• Mediator Flow
• Summary
• Q&A
![Page 5: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/5.jpg)
A Classic Use Case
Diagram (reconstructed from the slide): a Sales Database (DB) queried through Application X and Application Y. Sales Managers have access to ALL sales data; Sales Team A and Sales Team B each have access only to the sales data belonging to their own sales group. The question posed on the slide: who should provide the entitlements?
![Page 6: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/6.jpg)
Need for Data Entitlements
• A responsibility shared between business logic and data layers?
• Use cases often talk about permissions, so who should handle it?
“User with permission X has to be able to read and modify asset Y”.
• But many would agree with the idea of globally manageable application permissions.
• Permissions are not just based on user roles (anymore).
• Growing demand for a unified entitlements framework for all types of applications.
![Page 7: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/7.jpg)
Primary Purpose
To give multiple applications full transparency when they access shared assets, so that enterprise-wide data access policies take effect at the point where users query or manipulate the data.
![Page 8: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/8.jpg)
Data Access Layer – a place for data entitlements?
• Primary purpose is to provide loose coupling between data and application logic.
• A natural choice to place data entitlements logic.
• Data Access components are language specific, so a DAL falls short of what enterprise-wide entitlements require in a heterogeneous environment.
• No standard as such to govern enterprise-wide entitlements policies when using DAL.
Diagram: Business Application A and Business Application B call a shared Data Access Layer, which sits in front of the Enterprise Data and the Permissions Data.
![Page 9: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/9.jpg)
Data Entitlements – A Traditional Approach
Diagram: a Presentation tier calls a Business Application; the Business Application consults a Data Entitlements System (backed by an Entitlements Repo) and goes through a Data Access Layer for the data exchange. The slide's numbered arrows (1)-(6) carry these labels: Request for data, Request for permitted access, Response with Filter Meta-data, Authorized Items Query, Data exchange, Filtered Data.
![Page 10: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/10.jpg)
Challenges in putting up an Enterprise Data Entitlements System
• Often viewed as an unnecessary task, especially when system designers think in terms of ‘siloed’ applications.
• Usually requires a significant amount of ‘re-wiring’ to the permissions handling logic of existing applications.
• Must be driven by standards!
• Some believe that using an external entitlements system is counterproductive in maintaining ‘lightweight-ness’ of the applications.
• No SOA, No use of data entitlements?
![Page 11: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/11.jpg)
Benefits
• Usually the benefits are more long term than short term.
• Helps organizations adapt more easily to changing business needs and data security requirements.
• Centralized management of platform level policies.
• Ideal for heterogeneous systems – Unified access model to entitlements data.
• Service mindset – everything is a service, including entitlements.
![Page 12: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/12.jpg)
Is SOA/Middleware the foundation for Data Entitlements?
• You will seldom see an enterprise whose applications are all developed on a single technology.
• SOA brings the real power of data entitlements into the platform by providing standards driven, loosely coupled architecture.
• Works well with other cross cutting requirements such as enterprise logging, transport and message level security, etc.
• A key enabler for cross-application integration scenarios.
![Page 13: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/13.jpg)
A Conceptual SOA driven Data Entitlements
Diagram of the conceptual components: Application A and Application B (serving User Group A, User Group B and User Group X), an Entitlements Service backed by an Entitlements Store, a Data Service with a Filter Builder, and a Data Access Service. Labelled flows on the slide: Request and Response between the applications and the Data Service; an Entitlements Query Based on a User attribute (i.e. Role) to the Entitlements Service; a Request for Filtered Data to the Data Access Service.
![Page 14: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/14.jpg)
Building an entitlements system with WSO2 Identity Server - Features
• Provides a fully fledged Policy Based Access Control (PBAC) platform.
• Fine-grained policy based access control via XACML
• Advanced entitlement auditing and management
• Entitlement management for any REST or SOAP calls
• Role based access control (RBAC)
![Page 15: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/15.jpg)
XACML – Terminology
XACML stands for eXtensible Access Control Markup Language.
Policy Enforcement Point (PEP)
• Point which intercepts user's access request to a resource, makes a decision request to the PDP to obtain the access decision (i.e. access to the resource is approved or rejected), and acts on the received decision.
Policy Decision Point (PDP)
• Point which evaluates access requests against authorization policies before issuing access decisions
![Page 16: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/16.jpg)
XACML - Terminology (Cont…)
Policy Administration Point (PAP)
• Point which manages access authorization policies
Policy Information Point (PIP)
• The system entity that acts as a source of attribute values (e.g. attributes of the resource, subject or environment)
Policy Retrieval Point (PRP)
• Point where the XACML access authorization policies are stored, typically a database or the file system.
![Page 17: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/17.jpg)
XACML - Policy Based Access Control (PBAC)
• Fine-grained access control policies based on subject, resource, environment and action attributes
• Portable and reusable policies enforceable across multiple platforms
• All aspects of access request are identified by attributes
• Optional Rules Engine Integration
Diagram of the XACML components: a Requester talks to the PEP (Policy Enforcement Point); the PEP sends an XACML Request to the PDP (Policy Decision Point) and receives an XACML Response; the PDP reads the XACML Policy from the Policy Store (the Policy Retrieval Point, PRP) and resolves attributes through the PIP (Policy Information Point) from an Attribute Store or a data service; the PAP (Policy Administration Point) manages the policies.
![Page 18: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/18.jpg)
XACML 2.0/3.0 Support on WSO2 Identity Server
• Policy decision processing and attribute caching
• Policy distribution to various Policy Decision Points (PDPs)
• Multiple Policy Information Point (PIP) support
• Friendly UI for Policy editing (PAP)
• High performance network protocol (over Thrift) for PEP/PDP interaction
• Policy Administration Point (PAP) to manage multiple Policy Decision Points (PDP)
![Page 19: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/19.jpg)
Back to our sample scenario…
How to leverage the WSO2 middleware platform for this?
Diagram (same scenario as before): a Sales Store (DB) queried through Application X and Application Y; Sales Managers get access to ALL sales data, while Sales Team A and Sales Team B get access only to the sales data belonging to their own sales group.
![Page 20: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/20.jpg)
… and our requirement
• Should provide a unified service interface for querying sales info
• Caller applications need not worry about entitlements (they just query for sales info).
• The policy enforcer needs to acquire entitlements for a common user attribute (e.g. the username)
• The policy decision maker should return the list of entitlements (or claims) back to the enforcer.
• The enforcer should build the data filtering logic based on the claims and append that to the service call.
• The filtered data set is returned back to caller.
![Page 21: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/21.jpg)
Putting it all together
Diagram of the components and the numbered flow (1)-(7) on the slide:
• App A, App B and App X call getSalesInfo on the ESB; the request carries a wsse:UsernameToken.
• The ESB's Entitlements Mediator acts as the PEP: it sends an XACML request to the Identity Server (IS) and receives an XACML response with Advices.
• The Identity Server hosts the PDP, PAP and PIP; the XACML Policy is stored there and the PIP reads user attributes from the Enterprise User Store (DB).
• On Permit, the ESB builds a dynamic query using the advices (claims) and calls getSalesInfo on the DSS with entitlements-based filtering; otherwise it returns a fault.
• The DSS runs the dynamic query against the Sales Datastore (DB) and the Filtered Response flows back to the caller.
![Page 22: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/22.jpg)
ESB Mediation Flow
Flowchart: Authenticate User → Call Entitlements Mediator → Permit? → Yes: Extract Claims → Build Dynamic Query → Call Data Service → Send Response; No: Return Fault.
![Page 23: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/23.jpg)
XACML Policy – Passing claims with the response

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="CustomerServiceSales"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
        Version="1.0">
  <Target></Target>
  <Rule Effect="Permit" RuleId="Rule1">
    … </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="customerService" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="employee.role">
        <AttributeDesignator AttributeId="http://wso2.org/claims/role"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>
```

In this example the employee role (an attribute resolved through the PIP) is embedded in the XACML response as an advice whenever the decision is Permit. The policy's rule set is omitted on the slide.
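A minimal policy evaluator, added here as an illustration and not WSO2 Identity Server code, shows how a policy of this shape turns a request into a decision plus advice. The policy embedded in it is constructed: because the slide omits the rule set, Rule1 is given a condition (the subject's role bag must contain "sales"), and the evaluator supports only first-applicable combining, a string-is-in condition and AttributeDesignator-based advice. The request dictionary stands in for the PIP. Two points a PEP author should notice: the empty Target means the policy applies to every request, so restriction comes only from the rule and from the filter the PEP later builds; and the advice is attached only when AppliesTo matches the final decision, so the PEP must check the Decision before reading claims out of the response. XACML 3.0 also lets a PEP disregard advice (unlike obligations, which it must fulfil), so using advice as the carrier of filter claims is a contract between the mediator and the policy, not something the standard enforces.

```python
"""Toy XACML 3.0 PDP for policies shaped like the one on the slide.

Added example, not WSO2 Identity Server code. Supported subset: a Policy with
an empty Target, Rules with an optional Condition of the form
string-is-in(AttributeValue, AttributeDesignator), the first-applicable
rule-combining algorithm, and AdviceExpressions whose assignments copy a
designated attribute into the response. The request dict plays the PIP.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ATTR = "http://wso2.org/claims/role"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed policy (assumption): the slide omits Rule1's body, so here Rule1
# permits subjects whose role bag contains "sales". The advice block follows
# the slide: on Permit, copy the subject's role claim into the response.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML}" PolicyId="CustomerServiceSales"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
    Version="1.0">
  <Target/>
  <Rule Effect="Permit" RuleId="Rule1">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="{STRING}">sales</AttributeValue>
        <AttributeDesignator AttributeId="{ROLE_ATTR}" Category="{SUBJECT}"
            DataType="{STRING}" MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <AdviceExpressions>
    <AdviceExpression AdviceId="customerService" AppliesTo="Permit">
      <AttributeAssignmentExpression AttributeId="employee.role">
        <AttributeDesignator AttributeId="{ROLE_ATTR}" Category="{SUBJECT}"
            DataType="{STRING}" MustBePresent="true"/>
      </AttributeAssignmentExpression>
    </AdviceExpression>
  </AdviceExpressions>
</Policy>"""


def make_request(username, roles):
    """Constructed request context: {category: {attribute-id: bag of values}}.
    The role bag is what a PIP would resolve from the user store."""
    return {SUBJECT: {SUBJECT_ID: [username], ROLE_ATTR: list(roles)}}


def _bag(request, designator):
    """Attribute resolution (the PIP lookup) for an AttributeDesignator element."""
    category = designator.get("Category")
    attribute_id = designator.get("AttributeId")
    return list(request.get(category, {}).get(attribute_id, []))


def _eval_condition(condition, request):
    """Returns True, False or "Indeterminate" (MustBePresent attribute missing)."""
    apply = condition.find("x:Apply", NS)
    if apply is None or not apply.get("FunctionId", "").endswith(":string-is-in"):
        raise NotImplementedError("only string-is-in conditions are supported")
    value = apply.find("x:AttributeValue", NS).text
    designator = apply.find("x:AttributeDesignator", NS)
    bag = _bag(request, designator)
    if not bag and designator.get("MustBePresent") == "true":
        return "Indeterminate"
    return value in bag


def evaluate(policy_xml, request):
    """Evaluate one Policy; return {"Decision": ..., "Advices": [...]}."""
    policy = ET.fromstring(policy_xml.strip())
    if not policy.get("RuleCombiningAlgId", "").endswith(":first-applicable"):
        raise NotImplementedError("only first-applicable combining is supported")

    decision = "NotApplicable"           # no rule matched
    for rule in policy.findall("x:Rule", NS):
        condition = rule.find("x:Condition", NS)
        outcome = True if condition is None else _eval_condition(condition, request)
        if outcome == "Indeterminate":
            decision = "Indeterminate"
            break
        if outcome is True:
            decision = rule.get("Effect")
            break

    # Advice is attached only when AppliesTo matches the final decision, so a
    # PEP sees no role claim on Deny, NotApplicable or Indeterminate.
    advices = []
    for adv in policy.findall("x:AdviceExpressions/x:AdviceExpression", NS):
        if adv.get("AppliesTo") != decision:
            continue
        assignments = []
        for aae in adv.findall("x:AttributeAssignmentExpression", NS):
            designator = aae.find("x:AttributeDesignator", NS)
            for value in _bag(request, designator):
                assignments.append({"AttributeId": aae.get("AttributeId"), "Value": value})
        advices.append({"Id": adv.get("AdviceId"), "AttributeAssignments": assignments})
    return {"Decision": decision, "Advices": advices}


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, make_request("alice", ["sales"])))     # Permit + role advice
    print(evaluate(SAMPLE_POLICY, make_request("bob", ["marketing"])))   # NotApplicable, no advice
    print(evaluate(SAMPLE_POLICY, make_request("carol", [])))            # Indeterminate, no advice
```

The third call is the case a mediator must handle explicitly: when the PIP cannot resolve the role of an authenticated user, the decision is Indeterminate rather than Deny, and the response carries no claims to build a filter from.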
![Page 24: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/24.jpg)
Claims to Data Service Filter
• Claims received by the Entitlements Mediator exist in the MessageContext object.
• A Class Mediator can be used to extract these claims from the MessageContext and construct the filter logic.
• The ESB sequence can then inject the filter logic into a placeholder in the data service query (e.g. with WSO2 DSS the placeholder can be a QUERY_STRING type parameter). Such a placeholder is substituted into the SQL text rather than bound as a value, so the mediator must validate what it puts there (e.g. map each claim to a known filter value) to avoid SQL injection.
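The mediation flow on the previous slides (authenticate, call the entitlements mediator, permit?, extract claims, build the dynamic query, call the data service, or return a fault) and the claims-to-filter step above, as an added example in plain Python. It is not WSO2 ESB or DSS code: the XACML response is a constructed dict in the shape of an XACML 3.0 Response (Decision plus Advices), the sales datastore is an in-memory SQLite table, and the role-to-sales-group mapping and the table schema are assumptions. It places the unvalidated QUERY_STRING-style splice beside the allowlisted, parameterised version so the difference can be run.

```python
"""The ESB mediation sequence from the slides, in plain Python.

Added example, not WSO2 ESB or DSS code. The XACML response is a constructed
dict in the shape of an XACML 3.0 Response (Decision plus Advices); the sales
datastore is an in-memory SQLite table; the role-to-sales-group mapping and
the table schema are assumptions. It shows the one step where a security bug
is easy to make: turning advice claims into a data service filter.
"""
import sqlite3

# Constructed sales datastore: (id, sales_group, amount).
SALES_ROWS = [
    (1, "team-a", 1200.0), (2, "team-a", 300.0),
    (3, "team-b", 950.0), (4, "team-b", 45.0),
]

# Assumption: allowlist of recognised role claims and the sales group each one
# may see. None means no restriction (the "Sales Managers" case on the slide).
ROLE_TO_GROUP = {"sales_manager": None, "sales_team_a": "team-a", "sales_team_b": "team-b"}


class Fault(Exception):
    """The 'Return Fault' branch of the mediation flow."""


def open_datastore():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sales (id INTEGER PRIMARY KEY, sales_group TEXT, amount REAL)")
    db.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES_ROWS)
    return db


def pdp_response(decision, *roles):
    """Constructed stand-in for what the Entitlements Mediator hands back."""
    assignments = [{"AttributeId": "employee.role", "Value": r} for r in roles]
    advices = [{"Id": "customerService", "AttributeAssignments": assignments}] if decision == "Permit" else []
    return {"Decision": decision, "Advices": advices}


def extract_claims(xacml_response):
    """'Permit? -> Extract Claims': only a Permit carrying role advice may continue."""
    if xacml_response.get("Decision") != "Permit":
        raise Fault("access denied: decision=%s" % xacml_response.get("Decision"))
    roles = [a["Value"] for adv in xacml_response.get("Advices", [])
             for a in adv.get("AttributeAssignments", []) if a["AttributeId"] == "employee.role"]
    if not roles:
        raise Fault("permit without role advice; refusing to run an unfiltered query")
    return roles


def build_filter_unsafe(roles):
    """What an unvalidated QUERY_STRING placeholder amounts to: the claim text is
    spliced straight into the SQL. Kept only to demonstrate the injection."""
    groups = ", ".join("'%s'" % r for r in roles)
    return "SELECT id FROM sales WHERE sales_group IN (%s) ORDER BY id" % groups


def build_filter(roles):
    """'Build Dynamic Query' done safely: claims are looked up in the allowlist and
    only the resulting group names reach the database, as bound parameters."""
    unknown = [r for r in roles if r not in ROLE_TO_GROUP]
    if unknown:
        raise Fault("unrecognised role claim(s): %r" % unknown)
    if any(ROLE_TO_GROUP[r] is None for r in roles):
        return "SELECT id FROM sales ORDER BY id", ()         # manager: all sales data
    groups = sorted({ROLE_TO_GROUP[r] for r in roles})
    placeholders = ", ".join("?" * len(groups))
    return "SELECT id FROM sales WHERE sales_group IN (%s) ORDER BY id" % placeholders, tuple(groups)


def get_sales_info(xacml_response, db=None):
    """Everything after 'Authenticate User': claims -> query -> data service -> response or fault."""
    db = db or open_datastore()
    try:
        sql, params = build_filter(extract_claims(xacml_response))
    except Fault as exc:
        return {"status": "fault", "reason": str(exc)}
    return {"status": "ok", "ids": [row[0] for row in db.execute(sql, params)]}


def injection_demo():
    """A crafted claim value against both filter builders: the unsafe one returns
    every row in the store, the allowlisted one refuses it."""
    crafted = "team-a') OR ('1'='1"
    leaked = [row[0] for row in open_datastore().execute(build_filter_unsafe([crafted]))]
    try:
        build_filter([crafted])
        verdict = "allowed"
    except Fault:
        verdict = "rejected"
    return leaked, verdict


if __name__ == "__main__":
    print(get_sales_info(pdp_response("Permit", "sales_team_a")))   # ids [1, 2]
    print(get_sales_info(pdp_response("Deny")))                     # fault
    print(injection_demo())                                         # ([1, 2, 3, 4], 'rejected')
```

Two choices in `build_filter` carry the security weight: an unknown claim is a fault rather than a wildcard, so a role the mediator has never heard of cannot widen the query, and a Permit that arrives without any role advice is also a fault, so the caller never gets an unfiltered result set by accident.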
![Page 25: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/25.jpg)
Summary
• Middleware plays a pivotal role in establishing an enterprise grade data entitlements system.
• WSO2 Identity Server provides all necessary features to implement a fully fledged data entitlements system supported by WSO2 ESB for mediating the service calls, and WSO2 DSS for exposing your data as services.
![Page 26: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/26.jpg)
Resources
Blog post
- http://manoj-fernando.blogspot.com/
References
- WSO2 Identity Server : http://docs.wso2.org/display/IS450/WSO2+Identity+Server+Documentation
- XACML : https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
![Page 27: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/27.jpg)
Q&A
![Page 28: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/28.jpg)
Engage with WSO2
• Helping you get the most out of your deployments
• From project evaluation and inception to development and going into production, WSO2 is your partner in ensuring 100% project success
![Page 29: Data Entitlement with WSO2 Enterprise Middleware Platform](https://reader033.vdocuments.net/reader033/viewer/2022052504/54b6bf884a7959f51b8b458a/html5/thumbnails/29.jpg)
lean . enterprise . middleware