Access control in CESP is performed by CESP-Access. Once the user has been uniquely identified, his/her ability to access data or an application is checked. The PEP (Policy Enforcement Point) is the gatekeeper that collects data about the caller and the request. This data is then sent to the Authorization Engine, which performs the check. The Authorization Engine uses the Axiomatic Policy Server to evaluate the policies.
Cybercom Enhanced Security Platform, CESP-Access
1. CESP-Access
Cybercom Enhanced Security Platform
2. Cybercom CESP-Access (#2-12-2009)
The Access Control evaluates whether an actor has the required attributes to get access to a requested service. An actor can be a physical person or another service that needs access to one or more resources.

Access is based on all the user attributes. The application can, based on these attributes, grant access to the information according to its own access policies. The technique used is ABAC (Attribute Based Access Control). This way of granting access gives much more flexibility than traditional access control that is based on groups or roles. This flexible access control system also reduces the burden of extensive administration of groups and roles when a lot of different applications can be accessed using the CESM-ID Single Sign-On functionality.

The rules that govern the access policies are managed using a graphical user interface that makes it very easy and intuitive to define and test different access control rules.

CESP-Access Technical Data

The components of CESP-Access are built with Microsoft's .NET technology to ensure efficient integration with other .NET based applications. It may also integrate with legacy systems by using adapters that interpret log messages stored in text files.

Additionally, CESP-Access is built according to the Service Oriented Architecture (SOA) model and provides Web Service interfaces which enable easy integration with other applications and technical platforms, such as Java based systems.
3. Cybercom CESP-Access
Axiomatic Policy Server (APS)

Once the user has been uniquely identified, his/her ability to access data or an application is checked. APS is the authorization engine in CESP. The authorization process is performed in the same way across the whole CESP.

Access policies are defined using rules that are based on the eXtensible Access Control Markup Language (XACML). XACML is an OASIS standardized XML language that, besides the possibility to express access control rules, also gives the possibility to formalize the way that rules should be interpreted and combined, based on the attributes of the different entities that they are applied to. The access control policies are stored in the Access Control Service.

CESP-Access Authorization Process

The following sections give an overview of the authorization process and the function of the PEP (Policy Enforcement Point) and the PDP (Policy Decision Point).

The service call delivers a SAML ticket which contains the caller's attributes. This ticket has typically been produced by CESM-ID.

This ticket is then processed by the PEP and the PDP in accordance with the access policies that are defined using the XACML language.

CESP-Access PEP

All calls to a service always pass a check point that helps the service to determine if a request for an activity should be performed or if the call should be rejected. This function is called the PEP (Policy Enforcement Point).

The PEP doesn't take this decision on its own; rather, its task is to collect all facts about the properties of the caller, the attributes of the requested resources and other facts about the context in which the call is made. All this information is packed and sent to the Access Control service, which takes the decision whether the call should be accepted or rejected.

CESP-Access PDP

The right to get access to the resources is based on the attributes of the requestor and the attributes of the resource that is requested. This function is called the PDP (Policy Decision Point) and is located in the access control service. The information is sent as an XACML Request Context.

All policies and rules are stored in the access control service. Based on these policies and rules and the information from the PEP, an access decision is taken. The decision is sent back to the PEP in an XACML Response Context. The service can then get the decision from the PEP and, depending on the answer, allow the caller to get access to the requested resources or not.
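To make the ABAC model of slide 2 and the PEP/PDP exchange of slide 3 concrete, here is an added Python sketch; it is not Cybercom's code (CESP-Access itself is .NET) and the policy, attribute names and service call are constructed for illustration. The PEP gathers subject attributes (as a SAML ticket would carry them), resource, action and environment facts into a request, the PDP applies XACML's deny-overrides combining algorithm, and the PEP fails closed on any answer other than Permit.

```python
"""Toy XACML-style PEP/PDP flow with deny-overrides (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]

@dataclass
class Request:
    """Stands in for the XACML Request Context the PEP packs for the PDP."""
    subject: Attrs                         # e.g. attributes from the SAML ticket
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)

@dataclass
class Rule:
    effect: str                            # "Permit" or "Deny"
    target: Callable[[Request], bool]      # rule is applicable when this is True

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """PDP: any applicable Deny wins; else Permit if any rule applies; else NotApplicable."""
    decision = "NotApplicable"
    for rule in rules:
        if rule.target(req):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision

# Constructed policy (hypothetical attribute names): doctors may read patient
# records of their own department; "restricted" records need clearance "high";
# nothing is allowed outside 08:00-18:00.
POLICY = [
    Rule("Permit", lambda r: r.subject.get("role") == "doctor"
                   and r.action.get("id") == "read"
                   and r.resource.get("type") == "patient-record"
                   and r.resource.get("department") == r.subject.get("department")),
    Rule("Deny", lambda r: r.resource.get("classification") == "restricted"
                 and r.subject.get("clearance") != "high"),
    Rule("Deny", lambda r: not 8 <= int(r.environment.get("hour", "0")) < 18),
]

def pep_guard(subject: Attrs, resource: Attrs, action: Attrs, env: Attrs,
              call: Callable[[], object]) -> Tuple[str, object]:
    """PEP: collect the facts, ask the PDP, invoke the service only on Permit.
    NotApplicable (or Indeterminate in real XACML) is treated as a refusal."""
    decision = deny_overrides(POLICY, Request(subject, resource, action, env))
    result = call() if decision == "Permit" else None    # the Response Context
    return decision, result
```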
4. Cybercom CESP-Access
About Cybercom

The Cybercom Group is a high-tech consultancy that offers global sourcing for end-to-end solutions. The Group established itself as a world-class supplier in these segments: security, portal solutions, mobile services, and embedded systems.

Thanks to its extensive industry and operations experience, Cybercom can offer strategic and technological expertise to these markets: telecom, industry, media, public sector, retail, and banking and financial services.

The Group employs 2,000 persons and runs projects worldwide. Cybercom has 28 offices in 11 countries. Since 1999, Cybercom's share has been quoted on the NASDAQ OMX Nordic Exchange. The company was launched in 1995.

Contact Details

For further information, please contact:
Henrik Johansson, Business Unit Manager
henrik.johansson@cybercomgroup.com
+46 70 825 00 80
or visit our website www.cybercom.com
Cybercom Group Europe AB (publ.)
P.O. Box 7574 · SE-103 93 Stockholm · Sweden
Phone: +46 8 578 646 00 · www.cybercom.com