Uncovering XACML to solve real world business use cases
Asela Pathberiya
Associate Technical Lead
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 Delivers
What is in Today's Webinar
o Introduction to Access Control & XACML
o Advantages of XACML
o Challenges with XACML
o Business use cases implemented with XACML
  o Fine grained access control for SOAP/REST APIs
  o Building access control for web applications
  o Adding entitlement for enterprise data
  o Building a centralized entitlement system with existing legacy authorization data
Introduction
Access Control Concepts
Policy Based Access Control
Attribute Based Access Control
Role Based Access Control
Dynamic Access Control
Fine Grained Access Control
Externalized Access Control
Standardized Access Control
Location Based Access Control
Real Time Access Control
Access Control Concepts
@#@^!(&%%@
We need to build an Externalized, Standardized, Policy based, Attribute based and Dynamic Authorization System..... ASAP?
DONE
XACML
What is XACML
o XACML stands for eXtensible Access Control Markup Language
o The standard is ratified by the OASIS standards organization
  o First meeting: 21st March 2001
  o XACML 1.0 - OASIS Standard - 6 February 2003
  o XACML 2.0 - OASIS Standard - 1 February 2005
  o XACML 3.0 - OASIS Standard - 22 January 2013
XACML Core Specification
o Standardized Policy Language
  o A standard way to write access control rules.
o Request/Response Protocol
  o A standard way to send authorization queries and to return authorization decisions.
o Reference Architecture
  o The standard components of an authorization system and how they integrate with each other.
  o PDP - Policy Decision Point
  o PEP - Policy Enforcement Point
  o PIP - Policy Information Point
  o PAP - Policy Administration Point
XACML Associated Profiles
o Multiple Decision Profile
  o Sending multiple authorization queries in a single request and receiving multiple decisions in a single response.
o REST Profile of XACML
  o A standard way for a PEP to communicate with the PDP.
o Request/Response Interface based on JSON and HTTP (Draft)
  o JSON-based request and response messages.
Advantages of XACML
o Externalized
o Standardized
o Policy Based
o Attribute Based
o Fine Grained
o Dynamic
Challenges with XACML
o XACML is too complex
  o XML-based language with a lot of syntax
  o Difficult to write and understand policies
o Integrating the current authorization system with XACML
  o Converting existing authorization rules into XACML
  o Finding a standard extension point to integrate with
Challenges with XACML
o Performance bottleneck
  o PDP - PEP communication
o Boolean decision results
  o What are the resources that Bob can access?
o Policy distribution
  o Large scale deployments
Use Cases
XACML for SOAP/REST Services
o Access control for SOAP web services
  o Fine grained down to the operation and message level
  o Filtering response messages
XACML for SOAP/REST Services
o Access control for REST APIs
  o Fine grained down to resources and HTTP methods
  o Scope validation - OAuth 2.0
XACML Business Use Case - 1
o Use Case
  o X.509 certificate based authentication
  o Authorization for web service operations based on the X.509 certificate's details such as CN, OU and O.
XACML Business Use Case - 1
o Key Challenges
  o Implementing a PEP to extract data from the X.509 certificate
  o Writing XACML policies
  o Managing and updating XACML policies efficiently
o Solutions
  o X.509 authentication with WSO2 ESB
  o WSO2 ESB Entitlement Mediator as PEP
  o Policy editors in WSO2 Identity Server
  o Policy references
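The core specification's pieces (a policy with targets and rules, a PDP, a PEP, request and response messages shaped like the JSON profile), the "Boolean decision results" challenge above, and use case 1 in one place, as an added Python example that is not code from the webinar, WSO2 or OASIS: the PEP turns the client certificate's CN, OU and O plus the called operation into a request, and a deny-overrides PDP answers it. Assumed and constructed here: the `example:` attribute ids, every policy and DN value, and a simplified subset of XACML in which a Target matches by plain equality or membership and only deny-overrides combining exists.

```python
# Added example (not code from the webinar, WSO2 or OASIS): a minimal XACML-style
# PDP (Policy/Target/Rule/Effect, deny-overrides only, Targets match by equality
# or membership) plus a PEP for use case 1; messages are shaped like the JSON profile.

# subject-id, resource-id and action-id are standard XACML attribute ids; the
# "example:" ids and every value in the policy are constructed for this example.
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

POLICIES = [{
    "PolicyId": "order-service-access",
    "Target": {"Resource": {RESOURCE_ID: "OrderService"}},
    "Rules": [
        {"RuleId": "finance-reads-and-updates", "Effect": "Permit",
         "Target": {"AccessSubject": {"example:cert-ou": "Finance",
                                      "example:cert-o": "Acme Corp"},
                    "Action": {ACTION_ID: ["getOrder", "updateOrder"]}}},
        {"RuleId": "partner-reads", "Effect": "Permit",
         "Target": {"AccessSubject": {"example:cert-o": "Partner Ltd"},
                    "Action": {ACTION_ID: "getOrder"}}},
        {"RuleId": "partner-never-writes", "Effect": "Deny",
         "Target": {"AccessSubject": {"example:cert-o": "Partner Ltd"},
                    "Action": {ACTION_ID: ["updateOrder", "deleteOrder"]}}},
    ],
}]

def attrs(request, category):
    """Flatten one category of a JSON-profile request to {AttributeId: Value}."""
    return {a["AttributeId"]: a["Value"]
            for a in request["Request"].get(category, {}).get("Attribute", [])}

def matches(target, request):
    """A Target matches when every attribute it lists is in the request with the
    wanted value (a list in the Target means 'any of these')."""
    for category, pairs in target.items():
        present = attrs(request, category)
        for attr_id, wanted in pairs.items():
            actual = present.get(attr_id)
            ok = actual in wanted if isinstance(wanted, list) else actual == wanted
            if actual is None or not ok:
                return False
    return True

def combine_deny_overrides(effects):
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def decide(policies, request):
    """PDP: evaluate each policy whose Target matches, combine its rules' effects,
    then combine the policy results, and answer in JSON-profile shape."""
    results = []
    for policy in policies:
        if matches(policy["Target"], request):
            effects = [r["Effect"] for r in policy["Rules"] if matches(r["Target"], request)]
            results.append(combine_deny_overrides(effects))
    return {"Response": [{"Decision": combine_deny_overrides(results)}]}

def parse_dn(dn):
    """Simplified RFC 4514 subject DN split ('CN=a,OU=b,O=c' -> dict, no escaped
    commas). Stands in for the PEP reading the subject of the client certificate
    that TLS client authentication already verified."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip().upper()] = value.strip()
    return out

def build_request(subject_dn, service, operation):
    """PEP: map the certificate's CN/OU/O and the called service/operation to a
    JSON-profile request with AccessSubject, Resource and Action categories."""
    dn = parse_dn(subject_dn)
    def a(attr_id, value):
        return {"AttributeId": attr_id, "Value": value}
    return {"Request": {
        "AccessSubject": {"Attribute": [a(SUBJECT_ID, dn.get("CN", "")),
                                        a("example:cert-ou", dn.get("OU", "")),
                                        a("example:cert-o", dn.get("O", ""))]},
        "Resource": {"Attribute": [a(RESOURCE_ID, service)]},
        "Action": {"Attribute": [a(ACTION_ID, operation)]}}}

def pep_allows(subject_dn, service, operation):
    """Enforcement: only an explicit Permit lets the call through; Deny,
    NotApplicable and Indeterminate are all refused (fail closed)."""
    response = decide(POLICIES, build_request(subject_dn, service, operation))
    return response["Response"][0]["Decision"] == "Permit"

def permitted_operations(subject_dn, service, candidates):
    """The PDP answers one (subject, resource, action) at a time, so 'what can
    Bob do?' means asking once per candidate; the Multiple Decision Profile lets
    a PEP batch these into a single request instead of a round trip each."""
    return [op for op in candidates if pep_allows(subject_dn, service, op)]
```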
XACML for Web Applications
o The presentation layer differs according to the authenticated user
XACML for Web Applications
o Multiple Decision Profile
o Hierarchical Resource Profile
XACML Business Use Case - 2
o Use Case
  o Externalized authorization system for Liferay Portal
  o Authorized menu items, images and links are shown to authenticated users
  o ABAC using the existing OpenDJ user store
  o Reusing the authorization system for web service and API access control
XACML Business Use Case - 2
o Key Challenges
  o Implementing a PEP for Liferay Portal
  o Performance with XACML
  o Writing and managing XACML policies
o Solutions
  o Liferay handler as PEP
  o Thrift protocol for improving PDP - PEP communication
  o Caching at the PEP level
  o Custom built PAP with policy editor
XACML for Data Entitlement
o Filtering data access at the database level
XACML for Data Entitlement
o Filtering the data returned from the database
XACML for Data Entitlement
o Modifying input parameters before the data is retrieved
XACML Business Use Case - 3
o Use Case
  o Access control for a web application
  o Authorized data must be filtered out of a large number of database entries
o Key Challenges
  o Performance of PEP-PDP communication
  o Performance of filtering data from a large number of database entries
XACML Business Use Case - 3
o Solutions
  o Decentralized PDP
  o OSGi service-level communication
  o Modifying SQL queries based on authorization decisions
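Use case 3's "modifying SQL queries based on authorization decisions" and the data entitlement slides above, as an added Python example that is not the webinar's or WSO2's code: an in-process (decentralized) PDP returns Permit together with an obligation naming a row filter, and the PEP rewrites the query into a parameterised WHERE clause before it runs, so only entitled rows ever leave the database. The table, rows, roles and the `example:` obligation id are constructed, and an obligation is reduced to a column/subject-attribute pair.

```python
# Added example (not WSO2's code): data entitlement for use case 3 done by
# rewriting the SQL query from the authorization decision instead of fetching
# every row and filtering at the PEP. Table, rows, roles and the "example:"
# obligation id are constructed for this example.
import sqlite3

# Constructed entitlement policy keyed by the subject's role. In XACML terms each
# Permit carries an obligation; a PEP that cannot fulfil an obligation must not
# grant access, which build_query() below enforces.
ENTITLEMENT_POLICY = {
    "regional_manager": {"Decision": "Permit", "Obligations": [
        {"Id": "example:row-filter", "Column": "region", "SubjectAttribute": "region"}]},
    "auditor": {"Decision": "Permit", "Obligations": []},   # sees every row
    "guest": {"Decision": "Deny", "Obligations": []},
}

# Columns an obligation may filter on; the PEP never interpolates anything else
# into SQL, and the filter values always travel as bind parameters.
FILTERABLE_COLUMNS = {"region", "owner"}

def decide(subject):
    """Decentralized (in-process) PDP: the role decides; unknown roles get
    NotApplicable, which the PEP treats as a refusal."""
    return ENTITLEMENT_POLICY.get(subject.get("role"),
                                  {"Decision": "NotApplicable", "Obligations": []})

def build_query(base_sql, decision, subject):
    """PEP: derive (sql, params) from the decision. Anything but an explicit
    Permit, or an obligation the PEP does not understand, refuses the query."""
    if decision["Decision"] != "Permit":
        raise PermissionError(decision["Decision"])
    clauses, params = [], []
    for ob in decision["Obligations"]:
        if ob["Id"] != "example:row-filter":
            raise PermissionError("unfulfillable obligation " + ob["Id"])
        if ob["Column"] not in FILTERABLE_COLUMNS:
            raise PermissionError("obligation names a non-filterable column")
        clauses.append(f"{ob['Column']} = ?")
        params.append(subject[ob["SubjectAttribute"]])
    if clauses:
        base_sql += " WHERE " + " AND ".join(clauses)
    return base_sql, params

def fetch_orders(conn, subject):
    """Run the entitled query: only rows the subject may see leave the database,
    so the filtering cost does not grow with the table as PEP-side filtering would."""
    sql, params = build_query("SELECT id, region, amount FROM orders", decide(subject), subject)
    return conn.execute(sql + " ORDER BY id", params).fetchall()

def sample_db():
    """Constructed in-memory dataset standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "EMEA", 100), (2, "APAC", 250), (3, "EMEA", 75), (4, "AMER", 300)])
    return conn
```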
XACML for Centralized Entitlement
o Multiple applications, each with its own legacy access control system
XACML for Centralized Entitlement
o Centralized, externalized and standardized
XACML Business Use Case - 4
o Use Case
  o Centralized management of access control
  o Getting rid of legacy authorization systems
  o Externalized and standardized approaches
  o Large scale deployment
o Key Challenges
  o Integrating with legacy authorization data
  o Policy generation from existing data
  o Performance
  o Policy distribution
  o Auditing
XACML Business Use Case - 4
o Solutions
  o Policy generation tools
  o Policy information points for integrations
  o Thrift protocol for improving PDP - PEP communication
  o Policy distribution patterns
  o Policy notifications
  o Policy reverse search for auditing
Q & A
Contact us!
