Authorization The Missing Piece of the Puzzle

© 2013, Axiomatics AB
Authorization
The Missing Piece of the Puzzle
@srijith
@axiomatics
Srijith Nair
Director, Developer Relations

Show of Hands:
Authorization?
XACML?

Identity is key
Services need to know who you are
You need to prove who you are
Several protocols exist to support Authentication
Authentication (AuthN)
“Authentication is the act of confirming the truth
of an attribute of a datum or entity. This might
involve confirming the identity of a person or
software program (…)”

Identity is key, but it is not everything
Authentication proves your identity
It does not decide what that identity entails
Enter Authorization
Authorization (AuthZ)
“The authorization function determines whether a
particular entity is authorized to perform a given
activity, typically inherited from authentication
when logging on to an application or service.”

Some frameworks, stds. confuse both phases
Often AuthN ≡ AuthZ
If you have authenticated then you are in…
AuthZ is part of a bigger process
Identify
Authenticate
Authorize
Think of the access to your APIs…
AuthN vs. AuthZ

Business-driven authorization
Let “Gold” customers access APIs 1,2 but not 3
Let “Platinum” customers access all APIs
Compliance-driven authorization
Do not let traders approve transactions they
requested
Privacy-driven authorization
Do not disclose medical data to non-employee users
AuthZ addresses various concerns

Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
It’s widely adopted
It’s well understood and industry-standard
It’s simple
Most apps support some form of RBAC
Authorization Approaches

Inflexible & static
Difficult to define fine-grained access control rules
Doesn’t scale
Role explosion
How to implement the rule:
Doctors should be able to view the records of patients
assigned to their unit and edit the records of those patients
with whom they have a care relationship
Where’s the role? Doctor
What’s a patient? A record? A care relationship?
Problem with RBAC?

Pull out the highlighter
What if we were not limited to roles?
Doctors should be able to view the
records of patients assigned to their
unit and edit the records of those
patients with whom they have a care
relationship
Attributes, Attributes, Attributes!

Attribute-Based Access Control (ABAC)
uses attributes as building blocks
in a structured language used to define access control
rules and
to describe access requests
Attributes
Are sets of labels or properties
Describe all aspects of entities that must be considered
for authorization purposes
Each attribute consists of a key-value pair such as
“Class=Gold”, “OS=Windows”
Attribute-based access control

ABAC – beyond RBAC
Role-Based Access Control Attribute-Based Access Control
User  Role  Permissions User + Action + Resource + Context
Attributes
Policies
Example: doctors can open & edit a patient’s health
record in the hospital emergency room at 3PM.
Static & pre-defined Dynamic & Adaptive
Role 1
Role 2
P
P
P
P
P
P

eXtensible Authorization – Future Proofing
External to
Applications
Standards-
Compliant
Authorization Service
Fine-
Grained
Context-Aware
Attribute-based Access Control

Enter XACML

Pronunciation
eXtensible Access Control Markup Language
OASIS standard
V 3.0 approved in January 2013
V 1.0 approved in 2003 (10 years ago!)
XACML is expressed as
A specification document and
An XML schema
REST profile for XACML exists (CSD)
http://www.oasis-open.org/committees/xacml/
14
What is XACML?

15
What does XACML contain?
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol

16
XACML-Architecture
Access request

17
XACML-Architecture
Enforce
Policy Enforcement Point

18
XACML-Architecture
Enforce
Decide
Policy Decision Point

19
XACML-Architecture
Enforce
Decide
Support
Policy Information Point
Policy Retrieval Point

20
XACML-Architecture
Enforce
Decide
Manage
Policy Administration Point
Support
Policy Information Point
Policy Retrieval Point

21
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol

Everything can be described in terms of attributes
Attributes can be grouped into categories
And many more… It’s all about Attributes! ABAC
22
Attributes & Categories
Environment
Subject Action
Resource

23
Examples of attributes
Subject Action Resource Environment
A user … … wants to do
something …
… with an
information asset …
… in a given context
Examples:
A claims
administrator…
…wants to
register a …
… claim receipt for a
new claim…
… via a secure channel
authenticated using the
corporate smart card
An adjuster… …wants to approve
payments of …
… claim payment … …from his office computer
during regular business hours
A manager
wants to …
… assign a claim… …to a claim
adjuster…
… at 2 o’clock at night from a
hotel lounge in Chisinau…

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-
ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType=http://www.w3.org/2001/XMLSchema#string>Laptop</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/acs/role" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">Manager</xacml-ctx:AttributeValue>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
</xacml-ctx:Request>
Example XACML 3.0 Request, XML

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Result>
<xacml-ctx:Decision>Permit</xacml-ctx:Decision>
<xacml-ctx:Status>
<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-ctx:Status>
</xacml-ctx:Result>
</xacml-ctx:Response>
Example XACML 3.0 Response

3 levels of elements
PolicySet
Policy
Rule
At root is PolicySet or Policy
PolicySet can contain PolicySet
and Policy
Policy can contain Rule
Rule evaluation returns
PERMIT, DENY, Indeterminate,
NotApplicable
Rule Combining Algorithms
Policy Combining Algorithms
26
Language Elements of XACML
PolicySet
PolicySet
Policy
Rule
Effect
Permit
Deny
Policy
Rule
Rule

All 3 elements can
contain Target elements
At the heart of most
Rules is a Condition
Obligation/Advice can
be specified at all 3
levels
27
Language Structure: Russian dolls
PolicySet
PolicySet
Policy
Rule
Effect
Target
T
T
TC
Permit
Deny
O
Obligation
O
O
O = Obligation / Advice
C = Condition
T = Target

28
XACML
Reference
Architecture
Policy
Language
Request /
Response
Protocol

Environment
Subject Action
Resource Environment
Action
Resource
Subject
29
XACML Concepts
It’s all about Attributes!
ABAC = Attribute Based Access Control
XACML Policies
XACML Request
XACML Response

• Subject
User id = Alice
Role = Manager
• Action
Action id = approve
• Resource
Resource type = Purchase Order
PO #= 12367
• Environment
Device Type = Laptop
30
Structure of a XACML Request / Response
XACML Request XACML Response
Can Manager Alice approve
Purchase Order 12367?
Yes, she can
• Result
Decision: Permit
Status: ok
The core XACML specification does not
define any specific transport /
communication protocol:
-Developers can choose their own.
-The SAML profile defines a binding to send
requests/responses over SAML assertions

In addition, XACML response can also contain:
Obligation: PEP must comply with the obligation and
is required to deny access if it cannot understand or
enforce the obligation
Advice: the PEP may comply with the advice and can
be safely ignored if not understood or cannot be
acted on
31
Obligation & Advice

AuthN is not enough. AuthZ is needed.
RBAC is often not enough. ABAC is needed.
XACML is a prominent ABAC system.
XACML consists of:
Reference Architecture
Policy Language
Request Response Protocol
Summary

Axiomatics is world’s leading independent provider
of dynamic AuthZ solutions
Our products enable efficient XACML-based
authorization
APIs, SDKs for system integration
Java and .NET support
APS Developer Edition provides you with all the power
of our product in a read-to-use package
http://axiomatics.com/aps-developer-edition.html
Summary (Axiomatics)

http://developers.axiomatics.com
http://www.technicalprivacytraining.org/
https://www.oasis-open.org/committees/xacml/
http://docs.oasis-open.org/xacml/xacml-
rest/v1.0/xacml-rest-v1.0.pdf
http://www.webfarmr.eu/
http://analyzingidentity.com/
More Information

Questions?
Contact us at
info@axiomatics.com

Authorization The Missing Piece of the Puzzle

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Authorization The Missing Piece of the Puzzle

Ähnlich wie Authorization The Missing Piece of the Puzzle (20)

Mehr von Nordic APIs

Mehr von Nordic APIs (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Authorization The Missing Piece of the Puzzle