Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language
Andreas Matheus, Technische Universität München, Munich, Germany

Page 1

Access control for geospatial information objects
using/extending the eXtensible Access Control Markup Language

Andreas Matheus, Technische Universität München, Munich, Germany

Page 2

How does it fit into DRM?

DRM is about licensed use of existing content
  Content provider encrypts the content
  User can use the content on- or offline
  User requires the decryption key, whose distribution is controlled by the provider according to the user's license

Information based access control
  Regulates the creation/use of content in the first place
  Handles decryption key distribution, based on the information of existing content

Page 3

Motivation: Restrict the use of geospatial features

Based on the features accessed
  For Write, Delete and Create access, constraints must be enforced for the service input
  For Read access, constraints must be enforced for the service output

Based on the spatial characteristics of the features (spatial features)
  Location (where is that feature)
  Geometry (which extent does the feature have)

Page 4

XACML based infrastructure

[Figure: Clients 1..m (Subjects 1..m) reach Web Service 1 (e.g. WFS, WMS) over the Internet using SOAP communication with XML/GML encoded messages. Restricted access passes through the Policy Enforcement Point (PEP), which sends a decision request to the Policy Decision Point (PDP) and receives its decision; the PDP reads from the policy repository. The Web Service has unrestricted access (SQL) to the repository of spatial features.]

Page 5

Functions of the PEP and PDP

Policy Enforcement Point
  Provide Web Service interfaces
  Analyze the service request/response
  Isolate information from the request/response: User, Operation and Resource
  Form a decision request message, including the request content to be sent to the PDP
  Accept or reject the service invocation request based on the response of the PDP

Policy Decision Point
  Has access to the policies in the policy repository
  Accept decision requests from the PEP and return Deny, Permit, NotApplicable or Indeterminate

Page 6

Associating access restrictions to features and feature types

A type-based restriction is linked to a feature type; it is to be enforced for all instances of that type
An instance-based restriction is linked to an individual feature; it is to be enforced for this feature only

Examples
  Type-based restriction: Bob can read and write features of type BuildingType
  Instance-based restriction: Bob can not write the feature 'The White House'

Page 7

The decision request message

The decision request from the PEP to the PDP contains
  an XML encoding of the resources that the subject wants to access (ResourceContent element) and
  the subject identity and the requested operation (R, W, C, D)

The PDP returns the access decision based on the policies from the policy repository, the information from the decision request and optional environmental information

Page 8

The ResourceContent element

This element of the decision request is filled by the PEP
It contains the resources the subject wants to access
The information is critical, because mis-structuring can cause the PDP to return a wrong decision
The XML encoded information held by the ResourceContent must be valid
  The schema defines the feature types and the structure of the feature instances

Page 9

An example result of a WFS

<?xml version="1.0" encoding="UTF-8"?>
<FeatureCollection fid="collection1" … >
  <gml:boundedBy>
    <gml:Box gid="box1" srsName="foo">
      <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
      <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
    </gml:Box>
  </gml:boundedBy>
  <gml:featureMember>
    <Building xsi:type="BuildingType" fid="B1">
      <Name>The White House</Name>
      <Location srsName="foo">
        <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
      </Location>
    </Building>
  </gml:featureMember>
  <Name>An example feature collection</Name>
</FeatureCollection>

Page 10

A decision request example

<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:gml="http://www.opengis.org/gml"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Bob</AttributeValue>
    </Attribute>
  </Subject>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  …

Page 11

A decision request example (continued)

  …
  <Resource>
    <ResourceContent>
      <FeatureCollection fid="collection1" … >
        <gml:boundedBy>
          <gml:Box gid="box1" srsName="foo">
            <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
            <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
          </gml:Box>
        </gml:boundedBy>
        <gml:featureMember>
          <Building xsi:type="BuildingType" fid="B1">
            <Name>The White House</Name>
            <Location srsName="foo">
              <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
            </Location>
          </Building>
        </gml:featureMember>
        <Name>An example city model</Name>
      </FeatureCollection>
    </ResourceContent>
    …

Page 12

A decision request example (continued)

    …
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://mySchema#CityModel</AttributeValue>
    </Attribute>
  </Resource>
</Request>

Page 13

Example policies based on XPath

Type-based example
  <Bob, Read +, //FeatureCollection/gml:featureMember/Building>
  <Bob, Write +, //FeatureCollection/gml:featureMember/Building>

Instance-based example
  <Bob, Write -, //FeatureCollection/gml:featureMember/Building/Name/text()='The White House'>

Page 14

Inconsistency

Two or more policies match for the same resources (features) but declare inverse access restrictions

For the previous example
  Bob can write the Building 'The White House' from the type-based policy
  Bob can not write the Building 'The White House' from the instance-based policy

Is it an inconsistency or an intended exceptional restriction?

Page 15

Inconsistency

If these restrictions are declared in independent policies, it's probably an inconsistency
If these restrictions are declared in a linked fashion, it's probably an intended situation
  Type-based restriction represents the general case
  Instance-based restriction represents the specific case

Quintessence: A mechanism must be in place that deals with this

Page 16

How to deal with NotApplicable and Indeterminate decisions?

Policies express explicit restrictions/allowances
Requests not matching the explicit policies result in a PDP NotApplicable result
How shall the PEP treat these decisions?
  Minimum allowed: Deny the request
  Maximum allowed: Permit the request
It must be certain that a NotApplicable decision is always meant to be Permit or Deny, but never both
Indeterminate is always handled as a Deny
The PEP may return extra information to the user about what went wrong
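The following is an added example (my own code, not the author's and not a GeoXACML implementation) that ties pages 8 and 13 to 16 together: a PEP that wraps a constructed WFS result into the XACML 1.0 context Request of pages 10 to 12, a PDP that evaluates the page-13 triplet policies with XPath against the ResourceContent, and the PEP's treatment of NotApplicable and Indeterminate. The feature collection, the second building 'Town Hall', the mis-structured variant, the choice between deny-overrides and permit-overrides (both standard XACML combining algorithms) and all function names are assumptions of this example; ElementTree's XPath subset has no text()= comparison, so the instance-based policy is written with a [Name='...'] predicate of the same meaning.

```python
"""Toy PEP/PDP for the XPath-based policies on pages 13-16.
Added example; not the author's code. Uses only the Python standard library."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "xacml": "urn:oasis:names:tc:xacml:1.0:context",  # XACML 1.0 context namespace (page 10)
    "gml": "http://www.opengis.org/gml",              # gml prefix as declared on page 10
}
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed WFS result in the shape of page 9. xmlns="" keeps the feature
# elements un-namespaced inside the XACML Request, matching the XPath policies
# (assumption: a real feature schema would declare its own namespace).
FEATURE_COLLECTION = """<FeatureCollection xmlns="" fid="collection1">
  <gml:featureMember><Building xsi:type="BuildingType" fid="B1">
    <Name>The White House</Name></Building></gml:featureMember>
  <gml:featureMember><Building xsi:type="BuildingType" fid="B2">
    <Name>Town Hall</Name></Building></gml:featureMember>
</FeatureCollection>"""

# Constructed mis-structured variant (page 8): same features, but nested one level
# deeper than the schema says, so no policy XPath matches them.
MISPLACED_COLLECTION = FEATURE_COLLECTION.replace(
    "<gml:featureMember><Building", "<gml:featureMember><Wrapper><Building").replace(
    "</Building></gml:featureMember>", "</Building></Wrapper></gml:featureMember>")

# Policies in the page's <Subject, Operation +/-, XPath> form. ElementTree's XPath
# subset has no text()= comparison, so the instance policy uses [Name='...'] instead.
POLICIES = [
    ("Bob", "read",  "+", ".//FeatureCollection/gml:featureMember/Building"),
    ("Bob", "write", "+", ".//FeatureCollection/gml:featureMember/Building"),
    ("Bob", "write", "-", ".//FeatureCollection/gml:featureMember/Building[Name='The White House']"),
]

def make_request(subject, action, resource_content):
    """PEP: wrap subject, action and the service content into a XACML 1.0 context
    Request (pages 10-12). Subject and action are escaped so they cannot inject markup."""
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
  xmlns:gml="http://www.opengis.org/gml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>{escape(subject)}</AttributeValue></Attribute></Subject>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="http://www.w3.org/2001/XMLSchema#string">
    <AttributeValue>{escape(action)}</AttributeValue></Attribute></Action>
  <Resource><ResourceContent>{resource_content}</ResourceContent></Resource>
</Request>"""

def _attribute_value(request, category, attribute_id):
    """Text of the AttributeValue for one attribute id in Subject or Action."""
    node = request.find(f"xacml:{category}/xacml:Attribute[@AttributeId='{attribute_id}']"
                        "/xacml:AttributeValue", NS)
    return node.text

def evaluate(request_xml, policies=POLICIES, combining="deny-overrides"):
    """PDP: Permit / Deny / NotApplicable / Indeterminate for one decision request."""
    try:
        request = ET.fromstring(request_xml)
        subject = _attribute_value(request, "Subject", SUBJECT_ID)
        action = _attribute_value(request, "Action", ACTION_ID)
        content = request.find("xacml:Resource/xacml:ResourceContent", NS)
        effects = [effect for subj, act, effect, xpath in policies
                   if (subj, act) == (subject, action) and content.findall(xpath, NS)]
    except (ET.ParseError, AttributeError, SyntaxError):  # unparsable request or XPath
        return "Indeterminate"
    if not effects:
        return "NotApplicable"          # no explicit policy covers this request
    if combining == "deny-overrides":   # any matching '-' policy wins
        return "Deny" if "-" in effects else "Permit"
    if combining == "permit-overrides": # any matching '+' policy wins
        return "Permit" if "+" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm: {combining}")

def enforce(decision, not_applicable_means="Deny"):
    """PEP treatment from page 16: NotApplicable maps to one fixed default ("Deny" is
    the minimum allowed, "Permit" the maximum); Indeterminate is always a Deny."""
    if not_applicable_means not in ("Deny", "Permit"):
        raise ValueError("NotApplicable must map to exactly one of Deny or Permit")
    if decision == "Permit":
        return True
    if decision == "NotApplicable":
        return not_applicable_means == "Permit"
    return False  # Deny and Indeterminate

if __name__ == "__main__":
    for action in ("read", "write"):
        req = make_request("Bob", action, FEATURE_COLLECTION)
        print(action, "->", evaluate(req),
              "/ permit-overrides:", evaluate(req, combining="permit-overrides"))
    misplaced = make_request("Bob", "read", MISPLACED_COLLECTION)
    print("misplaced read ->", evaluate(misplaced),
          "/ enforced with permissive default:", enforce(evaluate(misplaced), "Permit"))
```

Bob's read is a Permit; his write matches both the type-based '+' policy and the instance-based '-' policy, so the decision depends on the combining algorithm (Deny under deny-overrides, Permit under permit-overrides), which is the inconsistency of pages 14 and 15 and why the mechanism for it must be chosen deliberately. The mis-structured collection shows the page-8 risk: the Buildings are present, but no policy XPath matches them, the PDP answers NotApplicable, and a PEP configured for the "maximum allowed" default would then permit the read.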

Page 17

Spatial access restrictions

Feature based restrictions give the ability
Spatial access restrictions can be applied to an area, the restriction area
  primitive area with no holes
  complex area with holes
Applicable to spatial features in the resource content, based on their location geometry
Policy must link an area with a spatial property

Page 18

Extending the access control triplet

<Subject, Operation, Object, Condition>
  Subject, Operation as usual
  Object = XPath to the XML elements (spatial features)
  Condition = Boolean expression using spatial relation functions: Within, Intersects, Outside, Touches, Equals etc.

Page 19

Spatial restriction example

Spatial example: Bob can read all spatial features of type BuildingType that reside inside the 'RestrictedArea'

<Bob, Read +, //FeatureCollection/gml:featureMember/Building, Within(//FeatureCollection/gml:featureMember/Building/Location, RestrictedArea)>

<Polygon gid="RestrictedArea" srsName="foo">
  <outerBoundaryIs>
    <LinearRing>
      <coordinates>0,0 0,2 2,2 2,0 0,0</coordinates>
    </LinearRing>
  </outerBoundaryIs>
</Polygon>

Page 20

Spatial policies and XACML

XACML does not provide the required language constructs => GeoXACML

GeoXACML requirements
  geometry types based on gml:Point, gml:Polygon, gml:Box
  functions for checking spatial relations, based on the Java Topology Suite (JTS): Equals, Disjoint, Intersects, Touches, Crosses, Within, Contains, Overlaps
  combination algorithms that take care of specific spatial situations

Page 21

Spatial inconsistency

Spatial restriction examples
  Bob can read and write spatial features located inside restricted area 1
  Bob can not write spatial features located inside restricted area 2

How to encode this? Meta information required
  Two independent policies: inconsistency
  Two linked policies: intended situation

Quintessence: Deal with spatial inconsistencies

[Figure: two overlapping restricted areas with corner coordinates (0,0), (1,1), (2,2) and (3,3)]
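As an added example (my own code, not the author's), the spatial triplet of page 18 evaluated in Python for the polygon on page 19 and the two-area situation of page 21. The point-in-polygon code stands in for the JTS relation functions of page 20 and follows the same DE-9IM boundary semantics. Which box is 'restricted area 1' and which is 'restricted area 2', the second box itself, the features B2 and B3, and the deny-overrides combination are assumptions of this example; B1 and its location (1,0) come from page 9.

```python
"""Spatial conditions for the policies on pages 19 and 21. Added example, not the
author's code; the point-in-polygon test stands in for the JTS functions of page 20."""

def parse_gml_coordinates(text):
    """gml:coordinates text as on page 19, '0,0 0,2 2,2 2,0 0,0' -> [(x, y), ...]."""
    return [tuple(float(v) for v in pair.split(",")) for pair in text.split()]

def _on_segment(p, a, b, eps=1e-9):
    """True if point p lies on the closed segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    if abs((bx - ax) * (py - ay) - (by - ay) * (px - ax)) > eps:  # not collinear
        return False
    return (min(ax, bx) - eps <= px <= max(ax, bx) + eps
            and min(ay, by) - eps <= py <= max(ay, by) + eps)

def point_in_ring(point, ring):
    """Classify a point against a simple ring without holes: 'interior', 'boundary'
    or 'exterior'. Boundary is checked edge by edge, interior by ray casting."""
    px, py = point
    n = len(ring) - 1 if ring[0] == ring[-1] else len(ring)  # closed ring: drop repeat
    inside = False
    for i in range(n):
        a, b = ring[i], ring[(i + 1) % n]
        if _on_segment(point, a, b):
            return "boundary"
        (ax, ay), (bx, by) = a, b
        if (ay > py) != (by > py):                              # edge straddles the ray
            if px < ax + (py - ay) * (bx - ax) / (by - ay):     # crossing right of point
                inside = not inside
    return "interior" if inside else "exterior"

# Spatial relation functions (pages 18 and 20) for a point against an area. JTS follows
# the DE-9IM definitions: a point on the boundary intersects and touches the area but
# is not within it.
def within(point, ring):     return point_in_ring(point, ring) == "interior"
def touches(point, ring):    return point_in_ring(point, ring) == "boundary"
def intersects(point, ring): return point_in_ring(point, ring) != "exterior"
def disjoint(point, ring):   return not intersects(point, ring)

# Page 19 polygon; assumed here to be "restricted area 1" of page 21.
RESTRICTED_AREA_1 = parse_gml_coordinates("0,0 0,2 2,2 2,0 0,0")
# Page 21 shows only the corners (0,0) (1,1) (2,2) (3,3); this second box is an assumption.
RESTRICTED_AREA_2 = parse_gml_coordinates("1,1 1,3 3,3 3,1 1,1")

# Constructed features: B1 and its location (1,0) are from page 9, B2 and B3 are added.
FEATURES = {"B1": (1.0, 0.0), "B2": (1.5, 1.5), "B3": (2.5, 2.5)}

# <Subject, Operation +/-, Object, Condition> (page 18). Object is "any Building
# location" here; Condition is a spatial function over that location.
SPATIAL_POLICIES = [
    ("Bob", "read",  "+", lambda loc: within(loc, RESTRICTED_AREA_1)),
    ("Bob", "write", "+", lambda loc: within(loc, RESTRICTED_AREA_1)),
    ("Bob", "write", "-", lambda loc: within(loc, RESTRICTED_AREA_2)),
]

def matching_effects(subject, action, location, policies=SPATIAL_POLICIES):
    """Effects of every policy whose subject, action and spatial condition all hold.
    ['+', '-'] is the spatial inconsistency of page 21: two policies, inverse effects."""
    return [effect for subj, act, effect, cond in policies
            if (subj, act) == (subject, action) and cond(location)]

def decide(subject, action, feature_id, policies=SPATIAL_POLICIES):
    """PDP decision for one feature; deny-overrides when matching policies conflict."""
    effects = matching_effects(subject, action, FEATURES[feature_id], policies)
    if not effects:
        return "NotApplicable"
    return "Deny" if "-" in effects else "Permit"

if __name__ == "__main__":
    for fid, loc in FEATURES.items():
        print(fid, loc, "vs area 1:", point_in_ring(loc, RESTRICTED_AREA_1),
              "read:", decide("Bob", "read", fid), "write:", decide("Bob", "write", fid),
              "write effects:", matching_effects("Bob", "write", loc))
```

One detail worth noticing: B1's location (1,0) lies on an edge of the page-19 polygon. Under the DE-9IM definition that JTS implements, a point on the boundary touches and intersects the area but is not within it, so the page-19 policy does not match B1 and the PDP returns NotApplicable rather than Permit; a policy author who means "inside or on the border" needs Intersects, not Within. B2 in the overlap of both areas matches a '+' and a '-' write policy at the same time, the spatial inconsistency of page 21, and which decision results is entirely up to the combining algorithm.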

Page 22

Upcoming work in this field of research

Implement the GeoXACML extensions
  Geospatial attributes
  Spatial relation functions
  Combination algorithms

Prepare a set of XACML policies
  Type-based policies
  Instance-based policies
  Spatial policies

Run test requests on the set of policies
  Produce lessons learned
  Produce guide

Page 23

Conclusion

Feature based restrictions give the ability to restrict access/use of a particular content
Spatial based restrictions give the ability to restrict access/use of a particular content for a particular area
XACML is a promising specification to be extended
This type of restriction can be used for controlling
  the creation of a feature based content
  the distribution of decryption keys for DRM

Page 24

The final slide

Thank you very much for your attention

Any feedback is desirable, please mail to [email protected]

Questions, please