© 2013, Axiomatics AB
Authorization
The Missing Piece of the Puzzle
@srijith @axiomatics
Srijith Nair Director, Developer Relations
© 2013, Axiomatics AB
Show of Hands: Authorization?
XACML?
© 2013, Axiomatics AB
Identity is key
Services need to know who you are
You need to prove who you are
Several protocols exist to support Authentication
Authentication (AuthN)
“Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program (…)”
© 2013, Axiomatics AB
Identity is key, but it is not everything
Authentication proves your identity
It does not decide what that identity entails
Enter Authorization
Authorization (AuthZ)
“The authorization function determines whether a particular entity is authorized to perform a given activity, typically inherited from authentication when logging on to an application or service.”
© 2013, Axiomatics AB
Some frameworks, stds. confuse both phases
Often AuthN ≡ AuthZ
If you have authenticated then you are in…
AuthZ is part of a bigger process
Identify
Authenticate
Authorize
Think of the access to your APIs…
AuthN vs. AuthZ
© 2013, Axiomatics AB
Business-driven authorization
Let “Gold” customers access APIs 1,2 but not 3
Let “Platinum” customers access all APIs
Compliance-driven authorization
Do not let traders approve transactions they requested
Privacy-driven authorization
Do not disclose medical data to non-employee users
AuthZ addresses various concerns
© 2013, Axiomatics AB
Mandatory Access Control (MAC)
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
It’s widely adopted
It’s well understood and industry-standard
It’s simple
Most apps support some form of RBAC
Authorization Approaches
© 2013, Axiomatics AB
Inflexible & static
Difficult to define fine-grained access control rules
Doesn’t scale Role explosion
How to implement the rule: Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship
Where’s the role? Doctor
What’s a patient? A record? A care relationship?
Problem with RBAC?
© 2013, Axiomatics AB
Pull out the highlighter
What if we were not limited to roles?
Doctors should be able to view the records of patients assigned to their unit and edit the records of those patients with whom they have a care relationship
Attributes, Attributes, Attributes!
© 2013, Axiomatics AB
Attribute-Based Access Control (ABAC) uses attributes as building blocks
in a structured language used to define access control rules and
to describe access requests
Attributes Are sets of labels or properties
Describe all aspects of entities that must be considered for authorization purposes
Each attribute consists of a key-value pair such as “Class=Gold”, “OS=Windows”
Attribute-based access control
© 2013, Axiomatics AB
ABAC – beyond RBAC
Role-Based Access Control Attribute-Based Access Control
User Role Permissions User + Action + Resource + Context
Attributes
Policies
Example: doctors can open & edit a patient’s health record in the hospital emergency room at 3PM.
Static & pre-defined Dynamic & Adaptive
Role 1
Role 2
P
P
P
P
P
P
© 2013, Axiomatics AB
eXtensible Authorization – Future Proofing
External to
Applications
Standards-
Compliant
Authorization Service
Fine-
Grained Context-Aware
Attribute-based Access Control
© 2013, Axiomatics AB
Enter XACML
© 2013, Axiomatics AB
Pronunciation
eXtensible Access Control Markup Language
OASIS standard V 3.0 approved in January 2013
V 1.0 approved in 2003 (10 years ago!)
XACML is expressed as A specification document and
An XML schema
REST profile for XACML exists (CSD)
http://www.oasis-open.org/committees/xacml/
14
What is XACML?
© 2013, Axiomatics AB 15
What does XACML contain?
XACML
Reference
Architecture
Policy Language
Request / Response Protocol
© 2013, Axiomatics AB 16
XACML-Architecture
Access request
© 2013, Axiomatics AB 17
XACML-Architecture
Enforce Policy Enforcement Point
© 2013, Axiomatics AB 18
XACML-Architecture
Enforce Policy Enforcement Point
Decide Policy Decision Point
© 2013, Axiomatics AB 19
XACML-Architecture
Enforce Policy Enforcement Point
Decide Policy Decision Point
Support Policy Information Point Policy Retrieval Point
© 2013, Axiomatics AB
20
XACML-Architecture
Enforce Policy Enforcement Point
Decide Policy Decision Point
Manage Policy Administration Point
Support Policy Information Point Policy Retrieval Point
© 2013, Axiomatics AB 21
What does XACML contain?
XACML
Reference
Architecture
Policy Language
Request / Response Protocol
© 2013, Axiomatics AB
Everything can be described in terms of attributes
Attributes can be grouped into categories
And many more… It’s all about Attributes! ABAC 22
Attributes & Categories
Environment
Subject Action
Resource
© 2013, Axiomatics AB 23
Examples of attributes
Subject Action Resource Environment
A user … … wants to do
something …
… with an
information asset …
… in a given context
Examples:
A claims
administrator…
…wants to
register a …
… claim receipt for a
new claim…
… via a secure channel
authenticated using the
corporate smart card
An adjuster… …wants to approve
payments of …
… claim payment … …from his office computer
during regular business hours
A manager
wants to …
… assign a claim… …to a claim
adjuster…
… at 2 o’clock at night from a
hotel lounge in Chisinau…
© 2013, Axiomatics AB
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-
ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" >
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/tmp/env/devicetype" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType=http://www.w3.org/2001/XMLSchema#string>Laptop</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" >
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" >
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/acs/role" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">Manager</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" >
<xacml-ctx:Attribute AttributeId="location" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SE</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
<xacml-ctx:Attribute AttributeId=”http://www.axiomatics.com/asm/entity/type" IncludeInResult="true">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Purchase Order</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>
Example XACML 3.0 Request, XML
© 2013, Axiomatics AB
<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Result>
<xacml-ctx:Decision>Permit</xacml-ctx:Decision>
<xacml-ctx:Status>
<xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</xacml-ctx:Status>
</xacml-ctx:Result>
</xacml-ctx:Response>
Example XACML 3.0 Response
© 2013, Axiomatics AB
3 levels of elements
PolicySet
Policy
Rule
At root is PolicySet or Policy
PolicySet can contain PolicySet and Policy
Policy can contain Rule
Rule evaluation returns PERMIT, DENY, Indeterminate, NotApplicable
Rule Combining Algorithms
Policy Combining Algorithms
26
Language Elements of XACML
PolicySet
PolicySet
Policy
Rule
Effect
Permit
Deny
Policy
Rule
Rule
© 2013, Axiomatics AB
All 3 elements can contain Target elements
At the heart of most Rules is a Condition
Obligation/Advice can be specified at all 3 levels
27
Language Structure: Russian dolls
PolicySet
PolicySet
Policy
Rule
Effect
Target
T
T
T C
Permit
Deny
O
Obligation
O
O
O = Obligation / Advice C = Condition T = Target
© 2013, Axiomatics AB 28
What does XACML contain?
XACML
Reference
Architecture
Policy Language
Request / Response Protocol
© 2013, Axiomatics AB
Environment
Subject Action
Resource Environment
Action
Resource
Subject
29
XACML Concepts
It’s all about Attributes! ABAC = Attribute Based Access Control
XACML Policies
XACML Request
XACML Response
© 2013, Axiomatics AB
• Subject User id = Alice Role = Manager
• Action Action id = approve
• Resource Resource type = Purchase Order PO #= 12367
• Environment Device Type = Laptop
30
Structure of a XACML Request / Response
XACML Request XACML Response
Can Manager Alice approve Purchase Order 12367?
Yes, she can
• Result Decision: Permit Status: ok
The core XACML specification does not define any specific transport / communication protocol: -Developers can choose their own. -The SAML profile defines a binding to send requests/responses over SAML assertions
© 2013, Axiomatics AB
In addition, XACML response can also contain:
Obligation: PEP must comply with the obligation and is required to deny access if it cannot understand or enforce the obligation
Advice: the PEP may comply with the advice and can be safely ignored if not understood or cannot be acted on
31
Obligation & Advice
© 2013, Axiomatics AB
AuthN is not enough. AuthZ is needed.
RBAC is often not enough. ABAC is needed.
XACML is a prominent ABAC system.
XACML consists of:
Reference Architecture
Policy Language
Request Response Protocol
Summary
© 2013, Axiomatics AB
Axiomatics is world’s leading independent provider of dynamic AuthZ solutions
Our products enable efficient XACML-based authorization
APIs, SDKs for system integration
Java and .NET support
APS Developer Edition provides you with all the power of our product in a read-to-use package
http://axiomatics.com/aps-developer-edition.html
Summary (Axiomatics)
© 2013, Axiomatics AB
http://developers.axiomatics.com
http://www.technicalprivacytraining.org/
https://www.oasis-open.org/committees/xacml/
http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.pdf
http://www.webfarmr.eu/
http://analyzingidentity.com/
More Information
© 2013, Axiomatics AB
Questions? Contact us at [email protected]