Next-generation access control is undergoing a bit of an identity crisis. Some call it eXternalized Authorization Management, others Dynamic Access Control and still others just refer to it as Attribute Based Access Control (ABAC). Until now, XACML and ABAC have been the two pillars supporting next-gen AuthZ. Gartner predicts that 70% of enterprises will adopt ABAC by 2020. With ALFA, REST, and JSON, even the most complex authorization scenarios become extremely simple to implement. It's haute cuisine made simple. In this session, we will go hands-on with examples, live demos, coding, and delicious samples.

1. Why lasagna is better than spaghetti
Building authorization into your apps,
APIs, and DB using JSON, REST & ALFA
© Axiomatics 2014 - @axiomatics

2. Before we begin, a little draw
Drop in your card at the Axiomatics booth for a
chance to win a Bose bluetooth speaker
© Axiomatics 2014 - @axiomatics

3. A little history of pasta
Meet Sally And her precious one And so lasagna kicked
spaghetti out© Axiomatics 2014 - @axiomatics

4. Doesn’t your code feel like spaghetti?
© Axiomatics 2014 - @axiomatics

5. A little history of access control
Based on: Hilbert and Lopez, 2011
86 87 88 89 90 91 92 93 94 95 96 97 98 99 00 01 02 03 04 05 06 07
300
250
200
150
100
50
0
~93% digital
~0,7% digital
DAC
MAC
RBAC
ABAC
Increasing access
control challenges
© Axiomatics 2014 - @axiomatics

6. What’s Our Secret Ingredient?
Attributes…
Attributes…
Attributes…

7. Attribute-Based Access Control
Who… What… Where… When… Why…
Attributes can describe everything (not just who)
How…

8. The Secret Sauce?
Policy-Based Access Control
Centralized…
Easy to audit…
eXtensible…Standardized…
Attribute-based…

9. XACML – eXtensible Access Control
= +
(ABAC) (PBAC)

10. XACML
supports
Schrodinger's
cat Paul Madsen’s

11. Bake in layers
© Axiomatics 2014 - @axiomatics
Authorization at the right place
Business tier…API tier… Data tier…Web app tier…Presentation tier…

12. Data Tier
Bake once, enjoy everywhere
Presentation Tier
API & WS Tier
Business Tier
eXternalized
Authorization
Service

13. How does Chef
Gebel take it to
the next level?
I use ALFA,
100%
XACML
I use JSON
and REST too
– easy on the
developers

14. THE ALFA
PLUGIN FOR
ECLIPSE
Authorization’s KitchenAid
© Axiomatics 2014 - @axiomatics

15. What’s ALFA
• Abbreviated Language for Authorization
• OASIS
– Axiomatics language donated to OASIS XACML
– In the process of standardization
• Goals
– Makes XACML policies easier to write
– Simplifies XACML structure
– Enhances possibilities
• Audience
– Aimed at developers initially
– Very popular with business analysts
© Axiomatics 2014 - @axiomatics

16. What’s the ALFA plugin?
• Add-on to Eclipse, the popular IDE
• Lets you write ALFA easily
– Auto-complete
– Syntax checking
– Syntax coloring
• Converts ALFA into XACML 3.0 policies on the fly
• Lets you test your policies
© Axiomatics 2014 - @axiomatics

17. An example: the insurance use case
• Authorization requirement
– A customer can view his/her own policies and the policies of a spouse
that are not marked as private
• Identify the attributes
– User type; action; policy owner; policy private flag; spouse; object
type; user identity
• Rework the rule
– A user with type==customer can do action==view on object of
type==policy…
• if and only if policyOwner == userId or,
• If and only if policyPrivateFlag==false && policy.owner==user.spouse
• Implement in ALFA
© Axiomatics 2014 - @axiomatics

18. THE JSON PROFILE
OF XACML
Delicious & Healthy
© Axiomatics 2014 - @axiomatics

19. Objectives
• Lightweight notation
• Get rid of the verboseness of XML
• Easy to write
• Broader support for languages (JS, Python…)
• Remove the XACML / XML redundancy
• Infer certain things e.g. datatypes
© Axiomatics 2014 - @axiomatics

20. The JSON Profile - Basics
• The profile is a close mirror of the XML XACML
request / response
• It is possible to omit information and use
inference
– Reasonable defaults
– E.g. String is not specified.
• Default category names
– AccessSubject, Resource, Action, Environment
© Axiomatics 2014 - @axiomatics

21. Example in HTML/Javascript
<script language="javascript">
var jsonRequest = new Object();
jsonRequest.Request = new Object();
jsonRequest.Request.AccessSubject = new Object();
// jsonRequest.Request.AccessSubject.Attribute
var userId = new Object();
userId.AttributeId="userId";
userId.Value="John";
var role = new Object();
role.AttributeId="role";
role.Value="manager";
jsonRequest.Request.AccessSubject.Attribute = [userId,role];
</script>
© Axiomatics 2014 - @axiomatics

22. Size of a XACML request
© Axiomatics 2014 - @axiomatics
0
10
20
30
40
50
Word count
XML
JSON
0
200
400
600
800
1000
1200
1400
Char. Count
XML
JSON

23. THE REST PROFILE OF XACML
The perfect way to serve your lasagna
© Axiomatics 2014 - @axiomatics

24. Why a “REST” profile?
• No standard transport protocol in XACML core
• Different implementations have different
SOAP wrappings
• SOAP in itself is losing in popularity
• Provide easy means to send authorization
request
© Axiomatics 2014 - @axiomatics

25. Posting the JSON Request in Javascript
var xmlHttp = null;
function authorize() {
var xacmlRequest = document.getElementById( "xacmlrequest" ).value;
var Url = "https://localhost:5443/axio/authorize";
xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = ProcessRequest;
xmlHttp.withCredentials = true;
xmlHttp.open( "POST", Url, false );
xmlHttp.setRequestHeader("Accept","application/xacml+json");
xmlHttp.setRequestHeader("Content-Type","application/xacml+json");
xmlHttp.setRequestHeader("Authorization","Basic cGVwOnBhc3N3b3Jk");
xmlHttp.send( JSON.stringify(xacmlRequest) );
}
© Axiomatics 2014 - @axiomatics

26. And now,
let’s bake!

27. Ok, so it’s
time to
wrap up

28. Forget spaghetti. Whip up lasagna!
© Axiomatics 2014 - @axiomatics
(Sorry Sergio Leone)
Don’t forget to pair the pasta with an elegant
wine. Ask @ggebel, our head sommelier, for
recommendations

29. Summary
Acronym Name Description
EAM eXternalized
Authorization
Management
The act of cleanly separating business logic
from authorization logic and maintaining each
one independently
ABAC Attribute-based access
control
An authorization model whereby parameters
about the user, resource, action, and
environment can be used to determine access
PBAC Policy-based access
control
An authorization model which uses attributes
combined together inside policies to define
granted or denied access
XACML eXtensible Access Control
Markup Language
The standard implementation of ABAC and
PBAC – done by OASIS.

30. References
• REST profile of XACML
• JSON profile of XACML
• ALFA profile of XACML
Available on the OASIS XACML TC website
oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
© Axiomatics 2014 - @axiomatics

31. Grazie a tutti i tutte
David Brossard
Axiomatics – the leaders in ABAC & PBAC
@davidjbrossard
@axiomatics
http://developers.axiomatics.com
© Axiomatics 2014 - @axiomatics