New Initiatives In XACML
The Access Control Standard
Hal Lockhart
Oracle
04/24/09 | Session ID: GRC-403
Agenda
Introduction
XACML 3.0 in Depth
Healthcare Interops and Profiling
Authorization API & Demo
What is XACML?
• XML language for access control
• Coarse or fine-grained
• Extremely powerful evaluation logic
• Ability to use any available information
• Superset of Permissions, ACLs, RBAC, etc
• Scales from PDA to Internet
• Federated policy administration
• OASIS and ITU-T Standard
XACML Current Status
• XACML 2.0 OASIS Standard – Feb 2005
• ITU-T Recommendation X.1142 – Jun 2006
• XACML 3.0 In progress
– Core and base profiles voted to Public Review on April 17
• Administration/delegation {New}
• Hierarchical resource {Enhanced}
• Multiple resource {Enhanced}
• SAML {Enhanced}
• Digital Signature
• Privacy
• RBAC
– Additional profiles under development
• XSPA, Obligation families, Export Compliance, Policy Distribution, Metadata, WS-XACML
Authorization Principles
• Federation principle – authoritative source
• Externalize policy
– Encapsulate policy – PDP as black box
– Add functionality by calling PDP – don’t open box
• Multi-request, What-if, Administrative policies
– Standard policy expression – permits analysis
– All policy in the box – not spread around
• Use data already being maintained (not artificially constructed for Authorization)
• Limit complexity – human comprehension
XACML 3.0 In Depth
Request Context Schema Generalization
• Triggered by need to add “delegate” for reduction
• Eliminate <Subject>, <Resource>, <Action> & <Environment> Elements
• Everything carried in <Attributes> Element
• URNs used to identify categories
– XACML 2.0 Subject categories
– New URNs for Environment, Resource, Action & Delegate Categories
• Generally upwardly compatible
– Attribute selectors may require manual conversion
• Policy & Context Schemas combined
XACML 2.0 Request Context
<Request>
  <Subject SubjectCategory="… access-subject">
    <Attribute AttributeId="… subject-id" …>
      <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute AttributeId="… group" …>
      <AttributeValue>Engineer</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="… resource-id" …>
      <AttributeValue>http://www.example.com/</AttributeValue>
    </Attribute>
  </Resource>
  …
</Request>
XACML 3.0 Request Context
<Request>
  <Attributes Category="… access-subject">
    <Attribute AttributeId="… subject-id" …>
      <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute AttributeId="… group" …>
      <AttributeValue>Engineer</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="… resource">
    <Attribute AttributeId="… resource-id" …>
      <AttributeValue>http://www.example.com/</AttributeValue>
    </Attribute>
  </Attributes>
  …
</Request>
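The two slides above show the same request in both schemas. The following added example (not code from the deck) makes the "generally upwardly compatible" claim concrete by mechanically converting a 2.0 request into the 3.0 form: each former top-level element becomes an Attributes element, the 2.0 subject category URN is kept, the new 3.0 category URNs are used for resource, action and environment, and DataType moves from Attribute to AttributeValue. The sample request and the urn:example:group attribute are constructed for this example; the namespace and category URNs are the real ones from the two specifications. AttributeSelector conversion is deliberately not attempted, since the slide notes it may need manual work.

```python
"""Convert an XACML 2.0 Request Context into the XACML 3.0 generalized form.
Added example; the sample request below is constructed for it."""
import xml.etree.ElementTree as ET

# Namespace URIs of the two specifications.
NS2 = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
NS3 = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"

# 3.0 category URNs replacing the former top-level elements.
CATEGORY_FOR = {
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
# The 2.0 subject category URN is carried over unchanged.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

SAMPLE_REQUEST_2_0 = f"""<Request xmlns="{NS2}">
  <Subject SubjectCategory="{ACCESS_SUBJECT}">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:group"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Engineer</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://www.example.com/</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment/>
</Request>"""


def convert_2_0_to_3_0(xml_2_0: str) -> ET.Element:
    """Return a 3.0 <Request> element equivalent to the given 2.0 request."""
    root = ET.fromstring(xml_2_0)
    request3 = ET.Element(f"{{{NS3}}}Request",
                          {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    for child in root:
        local = child.tag.split("}")[1]          # strip the namespace
        if local == "Subject":
            category = child.get("SubjectCategory", ACCESS_SUBJECT)
        elif local in CATEGORY_FOR:
            category = CATEGORY_FOR[local]
        else:
            raise ValueError(f"unexpected 2.0 element: {local}")
        attrs = ET.SubElement(request3, f"{{{NS3}}}Attributes", {"Category": category})
        for attr in child.findall(f"{{{NS2}}}Attribute"):
            # IncludeInResult is mandatory in 3.0; do not echo attributes by default.
            new_attr = ET.SubElement(attrs, f"{{{NS3}}}Attribute",
                                     {"AttributeId": attr.get("AttributeId"),
                                      "IncludeInResult": "false"})
            if attr.get("Issuer"):
                new_attr.set("Issuer", attr.get("Issuer"))
            for value in attr.findall(f"{{{NS2}}}AttributeValue"):
                # In 3.0 the DataType sits on each AttributeValue, not on Attribute.
                ET.SubElement(new_attr, f"{{{NS3}}}AttributeValue",
                              {"DataType": attr.get("DataType")}).text = value.text
    return request3


def categories(request3: ET.Element) -> list:
    """Category URNs of a 3.0 request, in document order."""
    return [a.get("Category") for a in request3.findall(f"{{{NS3}}}Attributes")]


def attribute_values(request3: ET.Element, category: str, attribute_id: str) -> list:
    """String values of one attribute within one category."""
    out = []
    for attrs in request3.findall(f"{{{NS3}}}Attributes"):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall(f"{{{NS3}}}Attribute"):
            if attr.get("AttributeId") == attribute_id:
                out.extend(v.text for v in attr.findall(f"{{{NS3}}}AttributeValue"))
    return out
```

Running `ET.tostring(convert_2_0_to_3_0(SAMPLE_REQUEST_2_0), encoding="unicode")` prints the generalized request; the PDP-side benefit is that categories become data (a URN on an element) rather than schema, which is what lets 3.0 add Delegate, and any future category, without a new element.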
XACML 3.0 Administration/Delegation
• Two primary use cases
– “HR-Admins can create policies concerning the Payroll servers”
– “Jack can approve expenses while Mary is on vacation”
• Backward compatible
• Defined as an optional Profile
• Policies can contain Issuer
• Policies can be Access or Admin
• Admin policies enable policy creation
Policy Evaluation
1. Select potentially applicable policies by Target matching
2. For each Policy evaluate Rules and combine
– Target Match
– Evaluate condition
– Return Effect and associated Obligations
3. For each Policy Set combine policy results
4. Return Effect and Obligations
Policy Evaluation with Admin Policies
1. Select potentially applicable policies by Target
matching
2. For each Policy evaluate Rules and combine
– Target Match
– Evaluate condition
– Return Effect and associated Obligations
3. For every un-trusted policy
– Find an applicable Admin policy which authorizes the Issuer
– Repeat until a chain to a trusted policy is found
– Discard unauthorized policies
4. For each Policy Set combine policy results
5. Return Effect and Obligations
Fine Points of Reduction
• Access and Administrative policies are matched against the situation, not each other
• Current vs. Historic attribute mode
• Indeterminate results must be propagated for
combining
• Maximum delegation depth
• Obligations in Administrative policies apply to
access decision
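The reduction step in "Policy Evaluation with Admin Policies" and the fine points just listed can be seen together in the following added example, which is not code from the deck or from any XACML implementation. It models the two use cases from the Administration/Delegation slide with a toy policy store: an untrusted (issued) policy is kept only if a chain of Permit admin policies, each matched against the access situation with the issuer as delegate, reaches a trusted policy within the maximum delegation depth; everything else is discarded before combining, and obligations of the admin policies in the chain attach to the access decision. The policy ids, issuers, situations and the lambda-based target matching are simplified stand-ins constructed for this example.

```python
"""Toy reduction of delegated XACML policies to a trusted root (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Situation = Dict[str, str]   # constructed: {"subject": ..., "resource": ..., "action": ...}


@dataclass(frozen=True)
class Policy:
    policy_id: str
    effect: str                            # "Permit" or "Deny"
    target: Callable[[Situation], bool]    # matched against the access situation
    issuer: Optional[str] = None           # None: trusted, installed by the PAP
    delegate: Optional[str] = None         # admin policies only: the issuer they authorize
    obligations: Tuple[str, ...] = ()

    @property
    def is_admin(self) -> bool:
        return self.delegate is not None


def authorization_chain(policy, situation, policies, max_depth, depth=0):
    """Admin policies linking `policy` to a trusted one, or None if unauthorized."""
    if policy.issuer is None:
        return []                          # trusted: the chain ends here
    if depth >= max_depth:
        return None                        # maximum delegation depth exceeded
    for admin in policies:
        # Admin policies are matched against the situation (plus the issuer as
        # delegate), never against the policy they authorize.
        if (admin.is_admin and admin.effect == "Permit"
                and admin.delegate == policy.issuer and admin.target(situation)):
            rest = authorization_chain(admin, situation, policies, max_depth, depth + 1)
            if rest is not None:
                return [admin] + rest
    return None


def evaluate(policies, situation, max_depth=1):
    """Return (decision, discarded policy ids, obligations) using deny-overrides."""
    applicable = [p for p in policies if not p.is_admin and p.target(situation)]
    kept, discarded = [], []
    for p in applicable:
        chain = authorization_chain(p, situation, policies, max_depth)
        if chain is None:
            discarded.append(p.policy_id)  # unauthorized: dropped before combining
        else:
            kept.append((p, chain))
    effects = {p.effect for p, _ in kept}
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    # Obligations of the access policy and of the admin policies in its chain
    # both apply to the access decision.
    obligations = sorted({o for p, chain in kept if p.effect == decision
                          for pol in [p, *chain] for o in pol.obligations})
    return decision, discarded, obligations


# Constructed policy store for the two delegation use cases on the slides.
SAMPLE_POLICIES = [
    # Trusted admin policy: Mary may issue policies about expenses.
    Policy("pap-delegates-expenses-to-mary", "Permit",
           lambda s: s["resource"] == "expenses", delegate="mary",
           obligations=("log-delegated-decision",)),
    # Mary's policy: "Jack can approve expenses while Mary is on vacation".
    Policy("mary-lets-jack-approve", "Permit",
           lambda s: s["subject"] == "jack" and s["action"] == "approve", issuer="mary"),
    # Nobody authorizes eve, so her self-issued policy must be discarded.
    Policy("eve-self-permit", "Permit", lambda s: s["subject"] == "eve", issuer="eve"),
    # Two-level chain: PAP -> HR-Admins -> bob, for the payroll servers.
    Policy("pap-delegates-payroll-to-hr-admins", "Permit",
           lambda s: s["resource"] == "payroll", delegate="hr-admins"),
    Policy("hr-admins-delegate-to-bob", "Permit",
           lambda s: s["resource"] == "payroll", delegate="bob", issuer="hr-admins"),
    Policy("bob-lets-alice-read-payroll", "Permit",
           lambda s: s["subject"] == "alice" and s["action"] == "read", issuer="bob"),
]
```

Note that Mary's policy is only honoured for the expenses resource: if Jack tries to approve something under payroll, her policy still matches the situation but the admin policy authorizing her does not, so the policy is discarded rather than the two policies being compared with each other. Raising `max_depth` from 1 to 2 is what lets the PAP -> HR-Admins -> bob chain through.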
Obligation Families
• Allows Obligations to be grouped in families with the same properties
• Specific Obligations semantics still undefined
• Timing – before, after, with access or any
• Exclusive - Fallback = true or false
• Sequential
– Ordered = true or false
– Repetitive = true or false
– Failure Mode = fail fast, continue or atomic
• Work in process
New Combining Algorithms
• More rational handling of Indeterminate
• Same algorithms for rule and policy combining
• Indeterminate are classified by possible effect
• Example: for deny overrides, if Indeterminate
rule or policy could only result in Permit & there
is at least one Permit, result is Permit
• New algorithms are mandatory to implement
• Old algorithms are present, but not recommended
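The following added example (not code from the deck) implements the 3.0 deny-overrides and permit-overrides algorithms with the effect-classified Indeterminate values described above, following the tables in the 3.0 specification. Because rules and policies both yield these same values, one function serves rule combining and policy combining alike. The 2.0 policy-combining deny-overrides is included only to contrast the "more rational" handling; the result lists are constructed inputs.

```python
"""XACML 3.0 combining algorithms with effect-classified Indeterminate (added example)."""
from typing import Iterable, List

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
IND_D, IND_P, IND_DP = "Indeterminate{D}", "Indeterminate{P}", "Indeterminate{DP}"


def indeterminate_for(effect: str) -> str:
    """Classify a rule that failed to evaluate by the only effect it could have produced."""
    return IND_P if effect == PERMIT else IND_D


def deny_overrides(results: Iterable[str]) -> str:
    """XACML 3.0 deny-overrides, usable for rule and for policy combining."""
    r: List[str] = list(results)
    if DENY in r:
        return DENY
    if IND_DP in r:
        return IND_DP
    if IND_D in r and (IND_P in r or PERMIT in r):
        return IND_DP              # a Deny was possible, and so was a Permit
    if IND_D in r:
        return IND_D
    if PERMIT in r:
        return PERMIT              # slide example: Indeterminate{P} cannot override a Permit
    if IND_P in r:
        return IND_P
    return NA


def permit_overrides(results: Iterable[str]) -> str:
    """XACML 3.0 permit-overrides, the mirror image of deny_overrides."""
    r = list(results)
    if PERMIT in r:
        return PERMIT
    if IND_DP in r:
        return IND_DP
    if IND_P in r and (IND_D in r or DENY in r):
        return IND_DP
    if IND_P in r:
        return IND_P
    if DENY in r:
        return DENY
    if IND_D in r:
        return IND_D
    return NA


def legacy_deny_overrides(results: Iterable[str]) -> str:
    """XACML 2.0 policy-combining deny-overrides: any Indeterminate becomes Deny."""
    r = list(results)
    if DENY in r or any(x.startswith("Indeterminate") for x in r):
        return DENY
    return PERMIT if PERMIT in r else NA


def evaluate_policy_set(policies) -> str:
    """Combine each policy's rule results with its own algorithm, then combine the
    policies with deny-overrides; `policies` is a list of (algorithm, rule results)."""
    return deny_overrides(combine(rule_results) for combine, rule_results in policies)
```

With the old algorithm a single rule that could only ever have permitted, but failed to evaluate, flips an otherwise clear Permit into Deny; with the 3.0 algorithm the Permit stands, and the uncertainty is reported as Indeterminate{DP} only when a Deny was genuinely possible.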
Other new features
• Multiple decisions in a single request, varying
any attribute category (just Resource in 2.0)
• Advice – like Obligations, but can be ignored if
not understood by PEP
• New XPath 2.0 functions
• New time duration functions
• Policy distribution protocol
• Decision request protocol based on WS-Trust
• Metadata profile
Healthcare Interop Events & Profiles
Healthcare Profile and Interop Events
• XACML Interoperability events
– Burton Catalyst 2007
– RSA Conference 2008
– OASIS European Forum 2008
– HIMSS ’09 – April 2009
• Cross Enterprise Security & Privacy Authorization (XSPA)
– XACML & SAML Profiles
– Based on previous work at HL7 & ASTM
– XACML Policies used in interop demonstrations
• For more information see:
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xspa
Security and Privacy Demonstration
Overview: Cross Enterprise Data Sharing (diagram: trust relationship between enterprises, SOA-style security)
XSPA SAML Profile / HITSP TP20 High-Level Interactions (diagram)
Summary of Technical Features
• DHHS approved HITSP IS, standards, constructs (TP20/TP30)
• DHHS Security and Privacy Framework Compliant
• HIPAA Security and Privacy Compliant
• Extends Security and Privacy technologies for NHIN
• Standard Clinical Roles (ASTM, ANSI, HL7)
• Standard Patient Consent Directives (HL7, IHE BPPC)
• Standard Web-Service Protocols (OASIS SAML, XACML, WS-Trust)
• Federation of authenticated identities (OASIS SAML, IHE XUA, C19)
• Standard Interoperability Profiles (OASIS XSPA, IHE)
• Implementation-ready without change to legacy systems
• Policies managed centrally, enforced locally (ASTM, ISO PMI)
• Vendor supported solutions
Authorization API
Authorization API
• XACML Specifies
– Policy language evaluation semantics
– XML format for policy interchange
– Abstract format for inputs and outputs, expressed in XML
– Protocol for remote requests using XML input & output format
• XACML does not specify
– API for requesting policy decision
Authorization API Benefits
• Needed for call to local PDP
– Local PDP required for low latency calls
– Inefficient to serialize data to and from XML
– XML form not required by the standard
• Also useful to have standard API for remote requests
– Common code to build message
API General Characteristics
• Java initially, C++ and perhaps others to follow
• Modeled on XACML Request/Response
Contexts
• Use XACML datatypes – in format natural to
language
• Mostly to be used by infrastructure components
– Occasionally application may need to provide data
– Infrastructure could be Container, Aspects, tool-generated code,
etc.
Why not Java Authorization/JSR 115?
• Java Authorization (with or w/o JSR 115) based on Permissions
• Passive enforcement by container is a good idea
• Limitations to use of XACML features
– No convenient, standard way to provide XACML inputs
– No method to return outputs, e.g. Obligations, missing Attributes
– New Resource type requires definition of new permissions class
(recompile)
API Overview
• Methods to build (and access) Request Context
• Methods to process Response Context
• “decide” method to invoke PDP
– Single or bulk decisions
• “whatIsAllowed” method to obtain allowed
alternatives
– Operates in the context of some scope
– Creates and invokes a series of decisions
– Returns allowed alternatives within scope
• Other convenience methods
The Input Attributes Problem
• XACML Policies operate on data provided
• Only PDP sees/evaluates policies
• What attributes should be provided?
• Where can attributes be obtained from?
• How can the proper instance value be obtained?
Attribute Manifest File
• File in XML format identifies attributes to be added to Request Context
• Name of Attribute, Issuer, datatype, location, access method, other attribute to use as key
• Not all fields may be present
• Three usecases:
– PDP advertizes required attributes
– PIPs are configured to add attributes to Request Context
– Policy authoring tools use attribute name & format
Multiple PIP’s – Enhancing Request Context
(Diagram: Application → PEP → PDP; at each hop a PIP configured by an AMF adds attributes to the ReqCtx from sources such as LDAP, OVD, DB and SAML)
Multiple PIP’s – Reacting to Missing Attributes
(Diagram: the PDP’s RespCtx lists missing attributes; it flows back PDP → PEP → Application, and at each hop a PIP configured by an AMF fills them in from LDAP, OVD, DB and SAML)
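The Attribute Manifest File slide and the two PIP diagrams describe one mechanism used in two directions: PIPs enrich the Request Context before the PDP is called, and the PEP consults the same manifest when the PDP's Response Context reports missing attributes. The following added example is not code from the deck, from the AMF specification or from the announced API; the AttributeManifest element and attribute names, the LDAP/DB back-end tables, the PDP policy and the attribute ids under urn:example are constructed for it, and the enforcement loop is a simplified stand-in for a PEP/PIP chain.

```python
"""AMF-driven PIPs: enrich up front, and react to missing attributes (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed manifest; element and attribute names are this example's own.
SAMPLE_AMF = """<AttributeManifest>
  <Attribute Name="urn:example:subject:group"
             DataType="http://www.w3.org/2001/XMLSchema#string"
             Location="ldap" AccessMethod="lookup"
             KeyAttribute="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
  <Attribute Name="urn:example:resource:owner-dept"
             DataType="http://www.w3.org/2001/XMLSchema#string"
             Location="db" AccessMethod="query"
             KeyAttribute="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
</AttributeManifest>"""

GROUP, OWNER = "urn:example:subject:group", "urn:example:resource:owner-dept"
SUBJ_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"


@dataclass(frozen=True)
class AttributeSpec:
    name: str
    datatype: Optional[str]
    location: Optional[str]      # any field may be absent, as the slide notes
    method: Optional[str]
    key: Optional[str]           # request attribute whose value is the lookup key


def parse_amf(xml_text: str) -> Dict[str, AttributeSpec]:
    """Manifest entries keyed by attribute name."""
    root = ET.fromstring(xml_text)
    return {e.get("Name"): AttributeSpec(e.get("Name"), e.get("DataType"),
                                         e.get("Location"), e.get("AccessMethod"),
                                         e.get("KeyAttribute"))
            for e in root.findall("Attribute")}


# Constructed PIP back-ends, selected by the manifest's Location field.
LDAP = {"jsmith": "Engineer", "mjones": "Sales"}
DB = {"http://www.example.com/designs/": "engineering",
      "http://www.example.com/quotes/": "sales"}
PIPS = {"ldap": lambda method, key: LDAP.get(key),
        "db": lambda method, key: DB.get(key)}


def pdp_decide(request: Dict[str, str]) -> Tuple[str, list]:
    """Toy PDP with one policy that needs GROUP and OWNER; returns (decision, missing)."""
    missing = [a for a in (GROUP, OWNER) if a not in request]
    if missing:
        return "Indeterminate", missing     # Response Context lists what was missing
    dept = {"Engineer": "engineering", "Sales": "sales"}.get(request[GROUP])
    return ("Permit" if dept == request[OWNER] else "Deny"), []


def enrich(request: Dict[str, str], amf: Dict[str, AttributeSpec],
           names: Iterable[str]) -> Dict[str, str]:
    """Add the named attributes via the PIPs the manifest points at; skip unresolvable ones."""
    added = {}
    for name in names:
        spec = amf.get(name)
        if spec is None or spec.location not in PIPS or spec.key not in request:
            continue
        value = PIPS[spec.location](spec.method, request[spec.key])
        if value is not None:
            added[name] = value
    return {**request, **added}


def enforce(request, amf, prefetch, max_rounds=3):
    """PEP loop: optionally pre-enrich, then retry while the PDP reports missing
    attributes that a PIP can supply. Returns (decision, number of PDP calls)."""
    if prefetch:
        request = enrich(request, amf, amf.keys())   # "Enhancing Request Context"
    decision = "Indeterminate"
    for call in range(1, max_rounds + 1):
        decision, missing = pdp_decide(request)
        if not missing:
            return decision, call
        enriched = enrich(request, amf, missing)     # "Reacting to Missing Attributes"
        if enriched == request:
            return decision, call    # nothing more obtainable: Indeterminate stands
        request = enriched
    return decision, max_rounds
```

Pre-fetching everything in the manifest costs one PDP call per decision but touches every source each time; reacting to the missing-attribute list costs an extra round trip but only fetches what the applicable policies actually needed, which is the trade-off the two diagrams illustrate.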
XACML API Open Source Project
• AMF Specification to be contributed to OASIS XACML TC
• API initial Interfaces and Test Programs
• Under review with partners
• Open source project start – May/June
• Expected to be part of Aristotle project at Open
Liberty (home of IGF project)
• Public announcement July
Authorization API Demonstration
Applying XACML
• Evaluate XACML 2.0 based Products
• Deploy low hanging fruit e.g. Web Access
• Determine requirements for Resource attributes
• Watch for announcement of XACML API open
source project