XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer

Upload: david-brossard

Posted on 15-Jan-2015


DESCRIPTION

In this presentation I introduce the basics of Attribute-based Access Control, XACML, and why it matters to developers. I also focus on the latest XACML TC profiles - the REST profile and the JSON profile that make integration easier and faster.

TRANSCRIPT

#CISNapa - @davidjbrossard - @axiomatics 1

XACML for Developers

Updates, New Tools, & Patterns for the Eager #IAM Developer


eXtensible Access Control Markup Language

What is XACML?

Not guacamole

De facto standard

Defined at OASIS


One of the several standards in the #IAM family

XACML in the IAM spectrum

SAML, SPML
LDAP, RBAC, ABAC, …
SCIM, OpenID, OAuth
WS-*


In a web 3.0 world where it’s about small apps and your data…

Why XACML?

Quick, call the plumber:

1-800-GO-XACML

it’s time to get leaks under control


What’s Attribute-based Access Control?


In the olden days, authorization was about

Who?


Authorization should really be about…

Who? What? When? Where? How? Why?


Example Scenario: Managing Purchase Orders

A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.


Attributes

Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO status
Subject attributes: Identity, Department, Location, Approval limit, Role
Action attributes: Action type
Environment attributes: Device type, IP address, Time of day


A simple rule

Anyone in the purchasing department can create purchase orders.


A richer rule

A manager in the purchasing department can approve purchase orders up to their approval limit, but only if the PO location and the manager’s location are the same, and only if the manager is not the PO creator.


XACML 101 – The Basics


What does XACML contain?

XACML

ReferenceArchitecture

Policy Language

Request / Response Protocol


XACML Architecture & Flow

Enforce: Policy Enforcement Point (PEP)
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)

Flow: Alice asks to access Document #123. The PEP intercepts the call and asks the PDP “Can Alice access Document #123?”. The PDP loads the XACML policies (via the PRP), retrieves the user role, clearance and document classification (via the PIP), and answers “Yes, Permit”. The PEP then lets the access to Document #123 through.


What does XACML contain?

XACML

ReferenceArchitecture

Policy Language

Request / Response Protocol


Language Elements of XACML

3 structural elements: PolicySet, Policy, Rule
Root: either a PolicySet or a Policy
PolicySets contain any number of PolicySets & Policies
Policies contain Rules
Rules contain an Effect: Permit / Deny
Combining Algorithms resolve the results of the children into one decision


Sample XACML Policy

Root PolicySet
  PolicySet
    Policy
      Rule, Effect = Permit
      Rule, Effect = Deny
  PolicySet
    Policy
      Rule, Effect = Permit


Language Structure: Russian dolls

PolicySet, Policy & Rule can each contain Targets, Obligations and Advice.
Rules can additionally contain Conditions.

  PolicySet (Target, Obligation)
    Policy (Target, Obligation)
      Rule, Effect = Permit (Target, Condition, Obligation)
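To make the building blocks above concrete, here is the purchase-order scenario from the earlier slides (the “simple rule” and the “richer rule”) expressed with the same pieces: Rules carrying an Effect plus a Target and a Condition, a deny-overrides combining algorithm, the four decision values (Permit, Deny, NotApplicable, Indeterminate), and a PIP lookup for subject attributes the PEP did not send, as in the architecture slide. This is an added illustration in plain Python, not code from the talk, not an Axiomatics product and not a XACML engine: the attribute names (department, approval_limit, po-amount, …), the directory contents and the simplified deny-overrides are assumptions chosen for the example. Obligations and Advice are left out.

```python
"""Toy policy decision point for the purchase-order rules.

Added example in plain Python, not code from the talk, from Axiomatics or from
any XACML engine. It mirrors XACML's Rule (Effect + Target + Condition), a
deny-overrides combining algorithm, the four decision values and a PIP lookup,
using attribute names and sample data chosen for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    """A rule needed an attribute that neither the request nor the PIP can supply."""


# Constructed PIP data: subject attributes the PDP fetches when the PEP sends
# only a subject-id (hypothetical directory, not real data).
PIP_DIRECTORY: Dict[str, Dict[str, object]] = {
    "alice": {"department": "purchasing", "role": "manager", "location": "Napa", "approval_limit": 10000},
    "bob": {"department": "purchasing", "role": "employee", "location": "Napa"},
    "carol": {"department": "sales", "role": "manager", "location": "Napa", "approval_limit": 50000},
}


class Request:
    """Attributes grouped by category, like the XACML request context."""

    def __init__(self, subject: dict, action: dict, resource: dict, environment: Optional[dict] = None):
        self.categories = {"subject": dict(subject), "action": dict(action),
                           "resource": dict(resource), "environment": dict(environment or {})}

    def get(self, category: str, attribute_id: str):
        attrs = self.categories[category]
        if attribute_id not in attrs and category == "subject":
            # PIP lookup: resolve the missing subject attribute from the directory.
            pip_attrs = PIP_DIRECTORY.get(attrs.get("subject-id"), {})
            if attribute_id in pip_attrs:
                attrs[attribute_id] = pip_attrs[attribute_id]
        if attribute_id not in attrs:
            raise MissingAttribute("%s:%s" % (category, attribute_id))
        return attrs[attribute_id]


@dataclass
class Rule:
    rule_id: str
    effect: str
    target: Callable[[Request], bool]                        # cheap applicability test
    condition: Callable[[Request], bool] = lambda req: True  # full predicate

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return NOT_APPLICABLE
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE  # cannot tell; never silently Permit


def deny_overrides(results: List[str]) -> str:
    """Simplified XACML deny-overrides: any Deny wins, then Indeterminate, then Permit."""
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in results:
            return outcome
    return NOT_APPLICABLE


def is_po_action(req: Request, action: str) -> bool:
    return (req.get("resource", "resource-type") == "purchase-order"
            and req.get("action", "action-id") == action)


# "Anyone in the purchasing department can create purchase orders"
CREATE_PO = Rule("create-po", PERMIT,
                 target=lambda r: is_po_action(r, "create"),
                 condition=lambda r: r.get("subject", "department") == "purchasing")

# "A manager in the purchasing department can approve POs up to their approval
#  limit, only if the PO location and the manager location are the same"
APPROVE_PO = Rule("approve-po", PERMIT,
                  target=lambda r: is_po_action(r, "approve"),
                  condition=lambda r: r.get("subject", "department") == "purchasing"
                  and r.get("subject", "role") == "manager"
                  and r.get("resource", "po-amount") <= r.get("subject", "approval_limit")
                  and r.get("resource", "po-location") == r.get("subject", "location"))

# "...and only if the manager is not the PO creator": segregation of duty as an
# explicit Deny, so deny-overrides blocks it whatever else would permit.
NO_SELF_APPROVAL = Rule("no-self-approval", DENY,
                        target=lambda r: is_po_action(r, "approve"),
                        condition=lambda r: r.get("resource", "po-creator") == r.get("subject", "subject-id"))

PURCHASE_ORDER_POLICY = [CREATE_PO, APPROVE_PO, NO_SELF_APPROVAL]


def decide(req: Request) -> str:
    """PDP: evaluate every rule and combine the results with deny-overrides."""
    return deny_overrides([rule.evaluate(req) for rule in PURCHASE_ORDER_POLICY])


def is_authorized(req: Request) -> bool:
    """PEP: deny-biased, only an explicit Permit opens the door."""
    return decide(req) == PERMIT


if __name__ == "__main__":
    po = {"resource-type": "purchase-order", "po-id": "12367", "po-amount": 5000,
          "po-location": "Napa", "po-creator": "bob"}
    print(decide(Request({"subject-id": "alice"}, {"action-id": "approve"}, po)))  # Permit
    print(decide(Request({"subject-id": "alice"}, {"action-id": "approve"}, {**po, "po-creator": "alice"})))  # Deny
```

Two points the toy makes visible: the self-approval rule is an explicit Deny rather than a mere absence of Permit, so deny-overrides blocks it even when another rule grants; and the PEP treats NotApplicable and Indeterminate as a refusal, so a missing attribute (an unknown subject, an unreachable PIP) never turns into an authorization bypass.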


What does XACML contain?

XACML

ReferenceArchitecture

Policy Language

Request / Response Protocol


Structure of a XACML Request / Response

XACML Request: Can Manager Alice approve Purchase Order 12367?
  • Subject: User id = Alice, Role = Manager
  • Action: Action id = approve
  • Resource: Resource type = Purchase Order, PO # = 12367
  • Environment: Device Type = Laptop

XACML Response: Yes, she can
  • Result: Decision = Permit, Status = ok

The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.


So what’s in it for the developer?


#1 A single authorization model & framework


#1.a working across all layers


#1.b and across different technology stacks

Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal


#2 A rich language to express many scenarios

ACLs

RBAC

Whitelists

Segregation-of-Duty

Relation-based

Trust Elevation

Device-based

Break the glass

Privacy protection

ABAC

Rich business flows

Data redaction


#3 Developer-friendly APIs

The REST profile of XACML: an OASIS XACML profile, designed by Remon Sinnema of EMC2

XML over HTTP
JSON over HTTP


#3. Developer-friendly APIs (cont’d)

Drop the…

Use curl, Perl, and Python with the REST API

curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp


#4 Simplified request/response

Idea: use the JSON profile of XACML
- Remove the verbose aspects of XACML
- Focus on the key points
- Make a request easy to read


#4 Sample XACML Before JSON (cont’d)

Can Alice say hello?

  <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
      xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
        <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
    </xacml-ctx:Attributes>
    <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
    </xacml-ctx:Attributes>
    <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
        <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
    </xacml-ctx:Attributes>
    <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
        <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
      </xacml-ctx:Attribute>
    </xacml-ctx:Attributes>
  </xacml-ctx:Request>


#4 Sample XACML using JSON (cont’d)

  {
    "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
    "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
    "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
  }
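The REST profile and the JSON profile in working form, as an added example that is not code from the talk, from Axiomatics or from any PDP: it converts the XML request from the previous slide into a JSON request, shows how such a request is posted to a REST-profile PDP endpoint, and reads the decision out of the JSON response. The key names follow the published OASIS XACML JSON Profile (Request, AccessSubject, Resource, Action, Environment, Attribute, AttributeId, Value), which is a different shape from the compact one on the slide above; the response body is constructed, and the PDP URL passed to post_request is a placeholder.

```python
"""Convert a XACML 3.0 XML <Request> into the JSON Profile shape and read a
JSON <Response>. Added example, not code from the talk or from Axiomatics.
The PDP endpoint and the sample response are placeholders."""
import json
import urllib.request
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# XACML category URN -> JSON Profile object name
CATEGORY_NAMES = {
    "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject": "AccessSubject",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:resource": "Resource",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:action": "Action",
    "urn:oasis:names:tc:xacml:3.0:attribute-category:environment": "Environment",
}

# The request from the slide ("Can Alice say hello?"), embedded here as input.
SAMPLE_XML = """<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>"""

# Constructed PDP answer in JSON Profile shape (not captured from a real PDP).
SAMPLE_RESPONSE = ('{"Response": [{"Decision": "Permit", '
                   '"Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}}}]}')


def _q(local: str) -> str:
    """Qualified tag name in the XACML 3.0 namespace."""
    return "{%s}%s" % (XACML_NS, local)


def xml_request_to_json(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != _q("Request"):
        raise ValueError("not a XACML 3.0 Request element")
    request = {}
    for flag in ("ReturnPolicyIdList", "CombinedDecision"):
        if root.get(flag) is not None:
            request[flag] = root.get(flag) == "true"
    for attrs in root.findall(_q("Attributes")):
        name = CATEGORY_NAMES.get(attrs.get("Category"))
        if name is None:
            raise ValueError("unsupported category %s" % attrs.get("Category"))
        attributes = []
        for attr in attrs.findall(_q("Attribute")):
            values = attr.findall(_q("AttributeValue"))
            texts = [v.text or "" for v in values]
            entry = {"AttributeId": attr.get("AttributeId"),
                     "Value": texts[0] if len(texts) == 1 else texts}
            datatype = values[0].get("DataType", XS_STRING) if values else XS_STRING
            if datatype != XS_STRING:
                entry["DataType"] = datatype  # string is the JSON default; others stay explicit
            if attr.get("IncludeInResult") == "true":
                entry["IncludeInResult"] = True
            attributes.append(entry)
        if attributes:  # an empty category carries nothing; leave it out
            request[name] = {"Attribute": attributes}
    return {"Request": request}


def xml_request_to_json_text(xml_text: str) -> str:
    return json.dumps(xml_request_to_json(xml_text), separators=(",", ":"))


def decisions(response_text: str) -> list:
    """Decision strings from a JSON Profile response (one Result per request)."""
    return [result["Decision"] for result in json.loads(response_text)["Response"]]


def post_request(pdp_url: str, request_obj: dict, timeout: float = 5.0) -> str:
    """POST a JSON request to a REST-profile PDP and return the raw response body."""
    body = json.dumps(request_obj).encode("utf-8")
    http_req = urllib.request.Request(pdp_url, data=body, method="POST",
                                      headers={"Content-Type": "application/xacml+json",
                                               "Accept": "application/xacml+json"})
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(xml_request_to_json_text(SAMPLE_XML))
    print(decisions(SAMPLE_RESPONSE))  # ['Permit']
```

Two practical notes. The media types for the two encodings are application/xacml+xml (registered in RFC 7061) and application/xacml+json; the curl command on the earlier slide sends text/xml, which many PDPs accept but which is not the registered type. And a PEP places complete trust in the PDP’s answer, so the PEP-to-PDP hop carries identity attributes one way and an authorization verdict the other: in anything beyond a demo, call the PDP over TLS with server (and preferably client) authentication rather than a plain http:// URL.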


#4 JSON & XML Side-by-side comparison

Size of a XACML request (chart): word count and character count of the same request, in XML and in JSON.


#5 Easy authoring tools

Natural language authoring
Axiomatics Language for Authorization (ALFA)
Research initiative from TSSG
And many more coming…


#5 Axiomatics Language For AuthZ (cont’d)

Provide the right tools for easy authoring of XACML policies

Plugs into Eclipse IDE

High-level syntax

Auto-complete

Automatic Translation to XACML 3.0


Wrapping up

Benefits for the developer


Benefits of using XACML #1

One consistent authorization model
Many different applications
Decide once, enforce everywhere


Benefits of using XACML #2

Adios endless if, else statements
Hello simple if(authorized())

Developer Happiness Index (chart): Developer Happiness Increase plotted against Number of if / else statements terminated


Benefits of using XACML #3

Security potholes are a thing of the past
XACML is the concrete that fills in the cracks in your authorization wall


Benefits of using XACML #4

Let developers do what they know best
Offload auditing and information security to security architects & auditors by externalizing authorization

Happy developer, happy auditor


Next steps?

Download XACML SDK

Download ALFA plugin

Download Eclipse

Code in your favorite language

Q&A

Questions? Contact us at [email protected]