Solutions from Axiomatics are based on the eXtensible Access Control Markup Language (XACML) OASIS standard. XACML is the only model that offers a standardized way to achieve effective authorization. Authorization decisions determine what a given user or process is allowed to do in a specific context.
Three areas standardized
XACML standardizes three essential aspects of the authorization process:
- XACML policy language – used to express access control rules and conditions. Many rules can be combined into one policy. Many policies and policy sets can be combined into larger policy sets. Flexible combination algorithms determine how rules are joined to capture the exact meaning of corporate policies similar to how the grammar of a natural language allows us to express precise directives.
- XACML request/response protocol – used to query a decisioning engine that evaluates real-world access requests against existing XACML policies. The result, either Permit or Deny, is returned as an XACML response.
- XACML reference architecture – provides a standard for the deployment of necessary software modules to achieve efficient enforcement of XACML policies. At the core, a Policy Decision Point (PDP) evaluates policies against access requests provided by Policy Enforcement Points (PEP). The PDP or PEP may also need to query a Policy Information Point (PIP) to gather descriptive attributes about the user or the information asset to which access is requested. Policies are maintained via a Policy Administration Point (PAP).

XACML samples
Sample XACML requests and policies, showing how a policy target, a rule condition and the requests that exercise them fit together.
XACML policy sample
Policy Definition: This policy protects a document. It checks that only managers at Axiomatics can view (and only view) documents. It also checks that the user's clearance is greater than or equal to the resource's classification.
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="access-document" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1">
  <xacml3:Description>This Policy controls access to documents and makes sure only those managers at Axiomatics with the right level of clearance can view them.</xacml3:Description>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <!-- Policy Target: all four Match elements in the single AllOf must hold for the policy to apply -->
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="company" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="permit-if-clearance-ok">
    <xacml3:Description>grant if the subject clearance is greater than or equal to the document classification</xacml3:Description>
    <!-- Empty rule Target: the rule applies whenever the policy Target matched. The Condition is a sibling of Target, not its child -->
    <xacml3:Target/>
    <xacml3:Condition>
      <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml3:AttributeDesignator AttributeId="urn:org:apache:tomcat:user-attr:clearance" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Apply>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <xacml3:AttributeDesignator AttributeId="classification" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </xacml3:Apply>
      </xacml3:Apply>
    </xacml3:Condition>
  </xacml3:Rule>
</xacml3:Policy>
XACML request samples
It is possible to write requests that test the policy described in the previous section. Since the policy implements a clearance check on the user, it is instructive to send two requests: one for a document classified as confidential and one for a document classified as top secret. The first request leads to Permit, provided, of course, that the request matches the policy target. The second leads to Deny.
XACML request sample 1
<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="true" CombinedDecision="false">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:org:apache:tomcat:user-attr:clearance" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECRET</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="company" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="urn:org:apache:tomcat:user-role" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <!-- CONFIDENTIAL sorts below the subject's SECRET clearance, so the rule condition holds: Permit -->
    <xacml-ctx:Attribute AttributeId="classification" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CONFIDENTIAL</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
XACML request sample 2
<xacml-ctx:Request xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="true" CombinedDecision="false">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:org:apache:tomcat:user-attr:clearance" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SECRET</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="company" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Axiomatics</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="urn:org:apache:tomcat:user-role" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <!-- The top secret document described in the text: SECRET is not >= TOP SECRET, so no rule permits and deny-unless-permit yields Deny -->
    <xacml-ctx:Attribute AttributeId="classification" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TOP SECRET</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
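To show what the reference architecture's PDP actually does with the samples above (evaluate the policy Target, apply the rule Condition, combine rule results with deny-unless-permit, and return a decision to the PEP), here is a toy evaluator. It is an added illustration written for this page, not Axiomatics code and not part of the original article. It embeds the sample policy with the element and attribute casing the XACML 3.0 schema requires, builds requests shaped like the two samples with a constructed helper (make_request), and implements only the four functions the policy uses; the names POLICY_XML, make_request, evaluate, target_matches and decide are this example's own.

```python
"""Toy XACML 3.0 PDP for the page's sample policy (added illustration, not Axiomatics code)."""
import xml.etree.ElementTree as ET

NS_URI = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = "{" + NS_URI + "}"                          # ElementTree's namespaced-tag prefix
XS = "http://www.w3.org/2001/XMLSchema#string"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# The page's sample policy with schema-correct casing, compacted onto fewer lines.
POLICY_XML = f"""<Policy xmlns="{NS_URI}" PolicyId="access-document" Version="1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
 <Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="{XS}">manager</AttributeValue>
   <AttributeDesignator AttributeId="urn:org:apache:tomcat:user-role" Category="{SUBJ}" DataType="{XS}" MustBePresent="false"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case"><AttributeValue DataType="{XS}">Axiomatics</AttributeValue>
   <AttributeDesignator AttributeId="company" Category="{SUBJ}" DataType="{XS}" MustBePresent="false"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="{XS}">view</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="{ACT}" DataType="{XS}" MustBePresent="false"/></Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="{XS}">document</AttributeValue>
   <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="{RES}" DataType="{XS}" MustBePresent="false"/></Match>
 </AllOf></AnyOf></Target>
 <Rule RuleId="permit-if-clearance-ok" Effect="Permit"><Target/>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <AttributeDesignator AttributeId="urn:org:apache:tomcat:user-attr:clearance" Category="{SUBJ}" DataType="{XS}" MustBePresent="false"/></Apply>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <AttributeDesignator AttributeId="classification" Category="{RES}" DataType="{XS}" MustBePresent="false"/></Apply>
  </Apply></Condition></Rule>
</Policy>"""

class Indeterminate(Exception):
    """An expression could not be evaluated, e.g. a MustBePresent attribute is absent."""

FUNCTIONS = {   # only the functions the sample policy uses
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case": lambda a, b: a.lower() == b.lower(),
    # XACML orders strings by Unicode code point, which is exactly Python's str comparison
    "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal": lambda a, b: a >= b,
}

def make_request(role, company, clearance, action, classification):
    """Build a Request shaped like the page's two samples (constructed input, same attribute ids)."""
    def attrs(category, pairs):
        body = "".join(f'<Attribute AttributeId="{i}" IncludeInResult="true"><AttributeValue '
                       f'DataType="{XS}">{v}</AttributeValue></Attribute>' for i, v in pairs)
        return f'<Attributes Category="{category}">{body}</Attributes>'
    return (f'<Request xmlns="{NS_URI}" ReturnPolicyIdList="true" CombinedDecision="false">'
            + attrs(SUBJ, [("urn:org:apache:tomcat:user-attr:clearance", clearance),
                           ("company", company), ("urn:org:apache:tomcat:user-role", role)])
            + attrs(ACT, [("urn:oasis:names:tc:xacml:1.0:action:action-id", action)])
            + attrs(RES, [("classification", classification),
                          ("urn:oasis:names:tc:xacml:1.0:resource:resource-id", "document")]) + "</Request>")

def evaluate(expr, request):
    """AttributeValue -> str, AttributeDesignator -> bag (list), Apply -> the function's result."""
    kind = expr.tag[len(NS):]
    if kind == "AttributeValue":
        return expr.text or ""
    if kind == "AttributeDesignator":            # collect every matching value in the request
        values = [v.text or "" for a in request.iter(NS + "Attributes") if a.get("Category") == expr.get("Category")
                  for at in a.iter(NS + "Attribute") if at.get("AttributeId") == expr.get("AttributeId")
                  for v in at.iter(NS + "AttributeValue")]
        if not values and expr.get("MustBePresent") == "true":
            raise Indeterminate("missing attribute " + expr.get("AttributeId"))
        return values
    fid, args = expr.get("FunctionId"), [evaluate(child, request) for child in expr]   # Apply
    if fid.endswith(":string-one-and-only"):      # a bag of exactly one value -> that value
        if len(args[0]) != 1:
            raise Indeterminate(f"one-and-only applied to a bag of size {len(args[0])}")
        return args[0][0]
    return FUNCTIONS[fid](*args)

def match_holds(match, request):
    """A Match holds if the function is true for the literal and at least one attribute value."""
    literal = evaluate(match.find(NS + "AttributeValue"), request)
    values = evaluate(match.find(NS + "AttributeDesignator"), request)
    return any(FUNCTIONS[match.get("MatchId")](literal, v) for v in values)

def target_matches(target, request):
    """Target: every AnyOf holds; AnyOf: some AllOf holds; AllOf: every Match holds; empty -> true."""
    return target is None or all(
        any(all(match_holds(m, request) for m in all_of.findall(NS + "Match"))
            for all_of in any_of.findall(NS + "AllOf")) for any_of in target.findall(NS + "AnyOf"))

def decide(policy_xml, request_xml):
    """Return Permit, Deny or NotApplicable for a deny-unless-permit policy."""
    policy, request = ET.fromstring(policy_xml), ET.fromstring(request_xml)
    if not target_matches(policy.find(NS + "Target"), request):
        return "NotApplicable"                   # the PEP must decide what that means
    for rule in policy.findall(NS + "Rule"):
        try:
            cond = rule.find(NS + "Condition")
            if target_matches(rule.find(NS + "Target"), request) and rule.get("Effect") == "Permit" \
                    and (cond is None or evaluate(cond[0], request) is True):
                return "Permit"
        except Indeterminate:
            pass                                 # deny-unless-permit: an Indeterminate rule never permits
    return "Deny"                                # no rule permitted, so the policy denies
```

Run with `decide(POLICY_XML, make_request("manager", "Axiomatics", "SECRET", "view", "CONFIDENTIAL"))` for Permit and with `"TOP SECRET"` for Deny; a request whose role is not `manager` fails the policy Target and comes back NotApplicable rather than Deny, which is why a PEP should be deny-biased and only grant on an explicit Permit. Note also that `string-greater-than-or-equal` is a code-point comparison: CONFIDENTIAL < SECRET < TOP SECRET happens to hold alphabetically, but a label such as UNCLASSIFIED would sort above TOP SECRET and be denied to a SECRET-cleared user, so a real deployment would map labels to an ordered type (for instance an integer level) before comparing.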
Advantages achieved using XACML
A standardized approach to authorization:
In the past, authorization rules were embedded in the programming code of individual information systems. Access control was therefore defined not by business managers but by the technical staff responsible for software configuration or programming. XACML, however, offers a standardized approach that is used consistently across all applications. The focus is on corporate policies rather than the technicalities of varying software environments.
An externalized approach to authorization:
The Policy Decision Point (PDP) offers authorization as a service in the infrastructure. Authorization algorithms can be removed from the application logic of individual information systems, which will then query the PDP via their own Policy Enforcement Points (PEP).
An attribute and policy based approach to authorization:
XACML policies introduce abstract logic to replace previous static assignments of user permissions. Instead of an assignment - "Bob can access document X" - a rule may state "any user belonging to company X with security clearance equal to or higher than the security classification of a document should be granted access to that document". To determine whether Bob should be granted access to document X, his security clearance as well as the document classification needs to be gathered. These descriptive pieces of information are called attributes.
Fine-grained and dynamic authorization:
The capabilities offered by this approach enable truly fine-grained and dynamic authorization that can be made context-aware and risk intelligent.
X for eXtensible - using XACML profiles
The X in XACML stands for eXtensible, and one way to extend XACML-based authorization is to use XACML profiles. A profile can extend the functionality of a policy server in a number of ways. This can be as simple as adding a classification or terminology from an existing standardized domain; it can also include more advanced features, such as new data types or user-defined functions. Axiomatics products conform to all XACML 2.0 and XACML 3.0 profiles. Below you can find a sample of profiles and related objectives:
- Core and hierarchical Role Based Access Control (RBAC) profile of XACML v2.0. This profile simplifies alignment with concepts of RBAC. The profile meets the requirements for "core" and "hierarchical" RBAC as specified in the ANSI-RBAC standard. For details, see the XACML Specification Document for RBAC profile.
- Hierarchical resource profile of XACML v2.0
- Multiple resource profile of XACML v2.0
- Privacy policy profile of XACML v2.0
- SAML 2.0 profile of XACML v2.0 (see errata below for corrected version of spec and schemas)
- XML Digital Signature profile of XACML v2.0
The standard itself is maintained by OASIS and published on the OASIS eXtensible Access Control Markup Language (XACML) TC web site.