eXtensible Access Control Markup Language
Rémon Sinnema
  – Consultant Software Engineer at EMC
  – Voting member of the XACML Technical Committee
  – sinnema313




© Copyright 2011 EMC Corporation. All rights reserved.                                                 1
Agenda
• Access Control
  – Various models
  – How XACML fits in
• XACML
  – Architecture
  – Request/Response Protocol
  – Policy Language
  – Optional Profiles
  – What’s new in 3.0
  – Implementations

Access Control




Access Control
• Access control is the basis of Information Security:
  – Confidentiality: prevent disclosure to unauthorized agents
  – Integrity: prevent modification by unauthorized agents
  – Availability: keep unauthorized agents off the system
• An access request occurs when
  – a given subject tries to access
  – a given resource to perform
  – a given action in
  – a given environment

Access Control List (ACL)
• (subject, resource, action, ?)
  – Subject is user or group
  – No environment
  – Hard to maintain when many users share privileges
• Widely available, e.g. in operating systems

Role-Based Access Control (RBAC)
• (role, resource, action, ?)
  – Generalizes users into roles
  – Users can have many roles
  – Roles can be hierarchical
    • A manager is an employee
  – No environment
  – Not granular enough/role explosion
• Commonly available, e.g. in databases

Attribute-Based Access Control (ABAC)
• (subject, resource, action, environment)
  – Generalizes everything into attributes
  – Adds environment attributes
  – Subject can be user, group, role, application, …
  – Subject can be described by more than one attribute
• Matches the definition of identity:
  – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else”
    Identity Management – A Primer, p. 9
• State of the art

Policy-Based Access Control (PBAC)
• (subject, resource, action, environment)
  – Harmonizes attributes across the (extended) organization
• Coming soon…

Risk-Adaptive Access Control (RAdAC)
• (subject, resource, action, environment)
  – Dynamic risk levels as environment attributes
  – Threat level etc. from outside sources as well
• Not anytime soon

Evolution of Access Control Models
Trends:
• Finer granularity
• More policy-based over ad-hoc

XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC

One technology for all your evolving access control needs!

eXtensible Access Control Markup Language

Architecture




Request
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>




Response
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>
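As an added example (not part of the deck or of any XACML implementation), a small Python parser for the XACML 2.0 request and response context shown on these two slides, plus the enforcement check a PEP should apply to the result: anything other than an explicit Permit with an ok status is treated as deny, and a Permit that carries an obligation the PEP cannot perform is refused as well (the Obligations slide later in the deck says the PEP must perform them). The sample XML is constructed from the slide's example and the obligation id is a placeholder.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 request/response context namespace, as used on the slides.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS = {"ctx": CTX}
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
CATEGORIES = ("Subject", "Resource", "Action", "Environment")


def parse_request(xml_text):
    """Return {category: {AttributeId: [values]}} for the four XACML 2.0 categories."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Request" % CTX:
        raise ValueError("not a XACML 2.0 context Request")
    bags = {}
    for category in CATEGORIES:
        attrs = {}
        # A request may carry several <Subject> elements, so walk every holder of a category.
        for holder in root.findall("ctx:" + category, NS):
            for attr in holder.findall("ctx:Attribute", NS):
                values = [v.text.strip() for v in attr.findall("ctx:AttributeValue", NS) if v.text]
                attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        bags[category] = attrs
    return bags


def parse_response(xml_text):
    """Return (decision, status_code, [(ObligationId, FulfillOn)]) from the first <Result>."""
    root = ET.fromstring(xml_text)
    result = root.find("ctx:Result", NS)
    if result is None:                      # no Result at all: treat as Indeterminate
        return "Indeterminate", None, []
    decision = (result.findtext("ctx:Decision", default="", namespaces=NS) or "").strip()
    code_elem = result.find("ctx:Status/ctx:StatusCode", NS)
    code = code_elem.get("Value") if code_elem is not None else None
    # Obligations are matched by local name, so the namespace the PDP used does not matter.
    obligations = [(e.get("ObligationId"), e.get("FulfillOn"))
                   for e in result.iter() if e.tag.rsplit("}", 1)[-1] == "Obligation"]
    return decision, code, obligations


def pep_allows(response_xml, fulfillable=frozenset()):
    """Fail-closed enforcement at the PEP: allow only an explicit Permit with an ok
    status whose Permit-side obligations this PEP can all fulfil.  Deny, NotApplicable,
    Indeterminate, a missing Result and an unknown obligation all come back False."""
    decision, code, obligations = parse_response(response_xml)
    if decision != "Permit":
        return False
    if code is not None and code != STATUS_OK:
        return False
    pending = [oid for oid, on in obligations if on in (None, "Permit")]
    return all(oid in fulfillable for oid in pending)


# Constructed sample request: the deck's example of Julius Hibbert reading Bart Simpson's record.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>"""

# Constructed sample responses: the deck's Permit, and a Permit that carries an obligation
# (the ObligationId is a placeholder, not a real identifier).
PERMIT_RESPONSE = """<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" /></Status>
  </Result>
</Response>"""

PERMIT_WITH_OBLIGATION = PERMIT_RESPONSE.replace("</Status>", """</Status>
    <Obligations xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
      <Obligation ObligationId="urn:example:obligation:log-access" FulfillOn="Permit" />
    </Obligations>""")

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST)["Subject"])
    print(pep_allows(PERMIT_RESPONSE), pep_allows(PERMIT_WITH_OBLIGATION),
          pep_allows(PERMIT_WITH_OBLIGATION, {"urn:example:obligation:log-access"}))
```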




Policy Language (1)
• Hierarchical structure: PolicySet → Policy → Rule




Policy Language (2)
• Target: filters applicable requests
  – In PolicySet, Policy, and Rule
  – Using attribute matching

• Condition: refines further
  – Powerful expression language
<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
      riddle me this
    </AttributeValue>
    <SubjectAttributeDesignator SubjectCategory=
        "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
        MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Apply>
</Condition>

Attribute Matching
<!-- The slide's callouts (Effect, Function, Attribute Value, Attribute ID, Data Type) are kept as comments -->
<Rule RuleId="…" Effect="Permit">  <!-- Effect -->
  <Description>…</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">  <!-- Function -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">  <!-- Attribute Value -->
            Robin Hood
          </AttributeValue>
          <!-- Attribute ID and Data Type of the request attribute to compare against -->
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>…</Resources>
    <Actions>…</Actions>
    <Environments>…</Environments>
  </Target>
  <Condition>…</Condition>
</Rule>

Conflict Resolution
• Multiple rules can be applicable
• Conflicts are resolved by Combining Algorithms
  – A Policy has a Rule Combining Algorithm
  – A PolicySet has a Policy Combining Algorithm

• Standard Combining Algorithms:
  – permit-overrides
  – deny-overrides
  – first-applicable
  – only-one-applicable
  – ordered-permit-overrides
  – ordered-deny-overrides
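As an added example, not part of the deck, the combining algorithms listed above implemented in Python over a minimal Rule model (Effect, Target, Condition) taken from the Policy Language and Attribute Matching slides. Rules, requests and attribute names are constructed; an attribute that a Target or Condition needs but the request lacks (the MustBePresent case on the Condition slide) is what produces Indeterminate here, and that is where permit-overrides and deny-overrides differ from a naive "any Permit wins".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# The request reduced to a flat bag of attribute values, e.g. {"subject-id": "Robin Hood"}.
Request = Dict[str, str]

@dataclass
class Rule:
    rule_id: str
    effect: str                                             # Effect attribute: Permit or Deny
    target: Callable[[Request], bool]                       # <Target>: attribute matching
    condition: Optional[Callable[[Request], bool]] = None   # <Condition>: refines further

def evaluate_rule(rule: Rule, req: Request) -> str:
    """Target or Condition false -> NotApplicable.  A required attribute missing from the
    request (the MustBePresent case) raises KeyError -> Indeterminate.  Else the Effect."""
    try:
        if not rule.target(req):
            return NOT_APPLICABLE
        if rule.condition is not None and not rule.condition(req):
            return NOT_APPLICABLE
    except KeyError:
        return INDETERMINATE
    return rule.effect

def permit_overrides(rules: List[Rule], req: Request) -> str:
    """One Permit wins.  An Indeterminate rule whose Effect is Permit could have permitted,
    so the result becomes Indeterminate rather than Deny (XACML 2.0 semantics)."""
    any_error = potential_permit = any_deny = False
    for rule in rules:
        d = evaluate_rule(rule, req)
        if d == PERMIT:
            return PERMIT
        if d == DENY:
            any_deny = True
        elif d == INDETERMINATE:
            any_error = True
            potential_permit = potential_permit or rule.effect == PERMIT
    if potential_permit:
        return INDETERMINATE
    if any_deny:
        return DENY
    return INDETERMINATE if any_error else NOT_APPLICABLE

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Mirror image: one Deny wins, and an Indeterminate rule whose Effect is Deny
    turns the result Indeterminate instead of Permit."""
    any_error = potential_deny = any_permit = False
    for rule in rules:
        d = evaluate_rule(rule, req)
        if d == DENY:
            return DENY
        if d == PERMIT:
            any_permit = True
        elif d == INDETERMINATE:
            any_error = True
            potential_deny = potential_deny or rule.effect == DENY
    if potential_deny:
        return INDETERMINATE
    if any_permit:
        return PERMIT
    return INDETERMINATE if any_error else NOT_APPLICABLE

def first_applicable(rules: List[Rule], req: Request) -> str:
    """The first applicable rule decides, whatever it decides (Indeterminate included)."""
    for rule in rules:
        d = evaluate_rule(rule, req)
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE

def only_one_applicable(rules: List[Rule], req: Request) -> str:
    """Specified for combining policies; applied here to rules as the units that carry
    a Target.  More than one applicable unit is a policy error, hence Indeterminate."""
    applicable = []
    for rule in rules:
        try:
            if rule.target(req):
                applicable.append(rule)
        except KeyError:
            return INDETERMINATE
    if len(applicable) > 1:
        return INDETERMINATE
    return evaluate_rule(applicable[0], req) if applicable else NOT_APPLICABLE

# ordered-permit-overrides / ordered-deny-overrides reach the same outcome; they only
# guarantee that rules are evaluated in listed order, which the loops above already do.
# Constructed sample rules around the deck's "Robin Hood" string-equal match.  The first
# and third conflict on (Robin Hood, delete), which is exactly what the algorithms resolve.
RULES = [
    Rule("permit-robin", PERMIT, target=lambda r: r["subject-id"] == "Robin Hood"),
    Rule("deny-sheriff", DENY, target=lambda r: r["subject-id"] == "Sheriff of Nottingham"),
    Rule("deny-delete", DENY, target=lambda r: r["action-id"] == "delete"),
]
```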



Obligations
• Action that the PEP must perform
  – Email manager, log access, …
• Optional part of the specification

X stands for eXtensible
• Custom attribute IDs
• Custom functions
• Custom data types
• Custom combining algorithms




Optional Profiles
• RBAC
• Multiple Resource
• Hierarchical Resource
• Privacy
• SAML
• XML Digital Signature




What’s new in 3.0
• Subject/Resource/Action/Environment generalized into attribute categories
• Advice (like an obligation, but optional for the PEP to act on)
• Obligations & advice can be dynamic
• More functions and combining algorithms (better handling of Indeterminate in combining algorithms, new combining algorithms)
• XPath improvements (XPath data type)
• Updated profiles
  – Multiple Resource: decision schemes
  – SAML: pass policies with the request
• New profiles
  – Administration & Delegation (policies about who can change policies)
  – Export
  – Intellectual Property (in progress)

Implementations
• Commercial
• Embedded
• Open Source
  – SunXacml

Q&A

sinnema313

THANK YOU




From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

XACML - XML Amsterdam2011

  • 1. eXtensible Access Control Markup Language Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee – sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 1
  • 2. Agenda • Access Control – Various models – How XACML fits in • XACML – Architecture – Request/Response Protocol – Policy Language – Optional Profiles – What’s new in 3.0 – Implementations © Copyright 2011 EMC Corporation. All rights reserved. 2
  • 3. Access Control © Copyright 2011 EMC Corporation. All rights reserved. 3
  • 4. Access Control • Access control is the basis of Information Security: – Confidentiality: prevent disclosure to unauthorized agents – Integrity: prevent modification by unauthorized agents – Availability: keep unauthorized agents off the system • An access request occurs when – a given subject tries to access – a given resource to perform – a given action in – a given environment © Copyright 2011 EMC Corporation. All rights reserved. 4
  • 5. Access Control List (ACL) • (subject, resource, action, ?) – Subject is user or group – No environment – Hard to maintain when many users share privileges • Widely available, e.g. in operating systems © Copyright 2011 EMC Corporation. All rights reserved. 5
  • 6. Role-Based Access Control (RBAC) • (role, resource, action, ?) – Generalizes users into roles – Users can have many roles – Roles can be hierarchical • A manager is an employee – No environment – Not granular enough/role explosion • Commonly available, e.g. in databases © Copyright 2011 EMC Corporation. All rights reserved. 6
  • 7. Attribute-Based Access Control (ABAC) • (subject, resource, action, environment) – Generalizes everything into attributes – Adds environment attributes – Subject can be user, group, role, application, … – Subject can be described by more than one attribute • Matches the definition of identity: – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” Identity Management – A Primer, p. 9 • State of the art © Copyright 2011 EMC Corporation. All rights reserved. 7
  • 8. Policy-Based Access Control (PBAC) • (subject, resource, action, environment) – Harmonizes attributes across the (extended) organization • Coming soon… © Copyright 2011 EMC Corporation. All rights reserved. 8
  • 9. Risk-Adaptive Access Control (RAdAC) • (subject, resource, action, environment) – Dynamic risk levels as environment attributes – Threat level etc. from outside sources as well • Not anytime soon © Copyright 2011 EMC Corporation. All rights reserved. 9
  • 10. Evolution of Access Control Models Trends: • Finer granularity • More policy-based over ad-hoc © Copyright 2011 EMC Corporation. All rights reserved. 10
  • 11. XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC One technology for all your evolving access control needs! © Copyright 2011 EMC Corporation. All rights reserved. 11
  • 12. eXtensible Access Control Markup Language © Copyright 2011 EMC Corporation. All rights reserved. 12
  • 13. Architecture © Copyright 2011 EMC Corporation. All rights reserved. 13
  • 14. Request
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>Julius Hibbert</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment />
    </Request>
    © Copyright 2011 EMC Corporation. All rights reserved. 14
  • 15. Response
    <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
        </Status>
      </Result>
    </Response>
    © Copyright 2011 EMC Corporation. All rights reserved. 15
  • 16. Policy Language (1) • Hierarchical structure: PolicySet → Policy → Rule © Copyright 2011 EMC Corporation. All rights reserved. 16
  • 17. Policy Language (2)
    • Target filters applicable requests
      – In PolicySet, Policy, and Rule
      – Using attribute matching
    • Condition refines further
      – Powerful expression language
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          riddle me this
        </AttributeValue>
        <SubjectAttributeDesignator
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
            MustBePresent="true"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
      </Apply>
    </Condition>
    © Copyright 2011 EMC Corporation. All rights reserved. 17
  • 18. Attribute Matching
    (the slide's callouts point at the Effect, the matching Function, the Attribute Value, the Attribute ID and the Data Type)
    <Rule RuleId="…" Effect="Permit">
      <Description>…</Description>
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                Robin Hood
              </AttributeValue>
              <SubjectAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>…</Resources>
        <Actions>…</Actions>
        <Environments>…</Environments>
      </Target>
      <Condition>…</Condition>
    </Rule>
    © Copyright 2011 EMC Corporation. All rights reserved. 18
  • 19. Conflict Resolution • Multiple rules can be applicable • Conflicts are resolved by Combining Algorithms – Policy has Rule Combining Algorithm – PolicySet has Policy Combining Algorithm • Standard Combining Algorithms: – permit-overrides – deny-overrides – first-applicable – only-one-applicable – ordered-permit-overrides – ordered-deny-overrides © Copyright 2011 EMC Corporation. All rights reserved. 19
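The request context, target matching and rule combining of slides 14 to 19, worked through in an added Python example (not code from the talk or from any XACML implementation): it parses a request in the 2.0 context schema, evaluates rules whose Target matches attributes string-equal and whose Condition may hit a missing attribute, and applies deny-overrides, permit-overrides and first-applicable with XACML 2.0's treatment of Indeterminate. The rules, the request and the attribute id urn:example:env:mode are constructed, and the request omits DataType attributes.

```python
# Toy XACML 2.0 evaluator (request context, Target/Condition, rule combining; slides 14-19). Added
# example, not from the talk or any XACML product; 'urn:example:env:mode' is a constructed id.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:context:schema:os"}
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RES = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT = "urn:oasis:names:tc:xacml:1.0:action:action-id"
REQUEST = f"""<Request xmlns="{NS['x']}">
 <Subject><Attribute AttributeId="{SUBJ}"><AttributeValue>Julius Hibbert</AttributeValue></Attribute></Subject>
 <Resource><Attribute AttributeId="{RES}"><AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
 <Action><Attribute AttributeId="{ACT}"><AttributeValue>read</AttributeValue></Attribute></Action>
 <Environment/></Request>"""  # constructed; same content as the slide-14 request, DataType omitted

def parse_request(xml_text):
    """Flatten the request into {category: {attribute-id: [values]}}."""
    root = ET.fromstring(xml_text)
    return {cat: {a.get("AttributeId"): [v.text.strip() for v in a.findall("x:AttributeValue", NS)]
                  for a in root.findall(f"x:{cat}/x:Attribute", NS)}
            for cat in ("Subject", "Resource", "Action", "Environment")}

def evaluate_rule(rule, ctx):
    """Target = string-equal matches (cf. slide 18); a Condition reading a missing attribute is Indeterminate."""
    for (cat, aid), want in rule.get("target", {}).items():
        if want not in ctx[cat].get(aid, []):
            return "NotApplicable"
    try:
        return rule["effect"] if rule.get("condition", lambda c: True)(ctx) else "NotApplicable"
    except KeyError:  # MustBePresent attribute absent from the request
        return "Indeterminate"

def overrides(winner, results):
    """XACML 2.0 deny-/permit-overrides over (decision, rule-effect) pairs: an Indeterminate
    rule whose Effect is the winner counts as the winner (the handling that 3.0 refined)."""
    loser = "Permit" if winner == "Deny" else "Deny"
    seen = {winner if d == "Indeterminate" and e == winner else d for d, e in results}
    return next((d for d in (winner, loser, "Indeterminate") if d in seen), "NotApplicable")

def evaluate(policy, request_xml):
    """Evaluate every Rule, then apply the Policy's Rule Combining Algorithm (slide 19)."""
    ctx = parse_request(request_xml)
    results = [(evaluate_rule(r, ctx), r["effect"]) for r in policy["rules"]]
    if policy["algorithm"] == "first-applicable":  # first non-NotApplicable result wins
        return next((d for d, _ in results if d != "NotApplicable"), "NotApplicable")
    return overrides("Deny" if policy["algorithm"] == "deny-overrides" else "Permit", results)

RULES = [  # constructed: Hibbert may read; a Deny rule whose Condition needs an absent attribute
    {"effect": "Permit", "target": {("Subject", SUBJ): "Julius Hibbert", ("Action", ACT): "read"}},
    {"effect": "Deny", "target": {("Resource", RES): "http://medico.com/record/patient/BartSimpson"},
     "condition": lambda c: "lockdown" in c["Environment"]["urn:example:env:mode"]}]
```

With these rules the same request is denied under deny-overrides but permitted under permit-overrides, because the Deny rule's Condition cannot be evaluated; that is the 2.0 Indeterminate behaviour slide 23 says 3.0 improved.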
  • 20. Obligations • Action that PEP must perform – Email manager, log access, … • Optional part of the specification © Copyright 2011 EMC Corporation. All rights reserved. 20
  • 21. X stands for eXtensible • Custom attribute IDs • Custom functions • Custom data types • Custom combining algorithms © Copyright 2011 EMC Corporation. All rights reserved. 21
  • 22. Optional Profiles • RBAC • Multiple Resource • Hierarchical Resource • Privacy • SAML • XML Digital Signature © Copyright 2011 EMC Corporation. All rights reserved. 22
  • 23. What’s new in 3.0 • Subject/Resource/Action/Environment generalized into attribute categories • Advice (like obligation but optional) • Obligations & advice can be dynamic • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs) • XPath improvements (XPath data type) • Updated profiles – Multi: decision schemes – SAML: pass policies with request • New profiles – Administration & Delegation (policies about who can change policies) – Export – Intellectual Property (in progress) © Copyright 2011 EMC Corporation. All rights reserved. 23
  • 24. Implementations • Commercial • Embedded • Open Source – SunXACML © Copyright 2011 EMC Corporation. All rights reserved. 24
  • 25. Q&A sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 25
  • 26. THANK YOU © Copyright 2011 EMC Corporation. All rights reserved. 26

Editor's notes

  1. Access Control List focuses on Resource. Role-Based Access Control generalizes Subject. Attribute-Based Access Control generalizes all attributes. Policy-Based Access Control standardizes attributes. Risk-Adaptive Access Control