XACML for Developers
Updates, New Tools, & Patterns for
the Eager #IAM Developer
#CISNapa - @davidjbrossard - @axiomatics 1
eXtensible Access Control Markup Language
What is XACML?
Not guacamole
De facto standard
Defined at OASIS
XACML in the IAM spectrum
One of the several standards in the #IAM family, alongside SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth and WS-*
Why XACML?
In a web 3.0 world where it’s about small apps and your data, it’s time to get leaks under control.
What’s Attribute-based
Access Control?
In the olden days, authorization was about
Who?
Authorization should really be about…
Who? What? When? Where? How? Why?
Example Scenario: Managing Purchase Orders
A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
Attributes
Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO Status
Subject attributes: Identity, Department, Location, Approval limit, Role
Action attributes: Action type
Environment attributes: Device type, IP address, Time of day
(Icons: Profile by Sven Gabriel, Invisible by Andrew Cameron, Wrench by John O’Shea, Clock by Brandon Hopkins, all from The Noun Project)
A simple rule
Anyone in the purchasing department
can create purchase orders
A richer rule
A manager in the purchasing department can approve purchase orders
- up to their approval limit
- if and only if the PO location and the manager location are the same
- if and only if the manager is not the PO creator
XACML 101 – The Basics
What does XACML contain?
- Reference architecture
- Policy language
- Request / response protocol
XACML Architecture & Flow
Decide: Policy Decision Point (PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
Flow (figure): the user asks to access Document #123; the PEP asks the PDP "Can Alice access Document #123?"; the PDP loads the XACML policies from the PRP and retrieves the user's role and clearance and the document's classification from the PIP; it answers "Yes, Permit", and the PEP lets the access to Document #123 through.
XACML Policy Language
Language Elements of XACML
3 structural elements: PolicySet, Policy, Rule
- Root: either a PolicySet or a Policy
- PolicySets contain any number of PolicySets & Policies
- Policies contain Rules
- Rules contain an Effect: Permit / Deny
- Combining algorithms (deny-overrides, permit-overrides, first-applicable, …) resolve the results of the children of a Policy or PolicySet into one decision
Example policy tree (figure):
Root PolicySet
  PolicySet
    Policy
      Rule, Effect = Permit
      Rule, Effect = Deny
  PolicySet
    Policy
      Rule, Effect = Permit
Sample XACML Policy
Language Structure: Russian dolls
PolicySet, Policy & Rule can contain Targets, Obligations and Advice
Rules can contain Conditions
(Figure: a PolicySet containing a Policy containing a Rule with Effect=Permit; each of the three carries a Target and an Obligation, and the Rule also carries a Condition)
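The purchase-order rules from the scenario slides, written out as an added example in Python rather than XACML (this is not code from the deck, from OASIS or from Axiomatics): a toy decision point that keeps XACML's shape, with Rules made of a Target, a Condition and an Effect, a Policy that folds its Rules' results with deny-overrides, and the four decision values. The attribute names (department, role, approval-limit, po-amount, po-location, po-creator) and the sample subject and purchase order are this example's own assumptions; a real PDP evaluates XACML or ALFA policy, not Python.

```python
"""Toy policy decision point shaped like XACML (added example, not XACML or Axiomatics code).

A request is a dict of categories -> attribute dicts, like the XACML request context.
A Rule is a Target (cheap match), a Condition (full boolean test) and an Effect; a Policy
folds its rules' results with a combining algorithm. Decisions use the four XACML values:
Permit, Deny, NotApplicable, Indeterminate. Attribute names here are chosen for the example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Request = Dict[str, Dict[str, Any]]        # {"subject": {...}, "resource": {...}, "action": {...}}
Predicate = Callable[[Request], bool]


class MissingAttribute(Exception):
    """A rule asked for an attribute that neither the request nor a PIP supplied."""


def attr(req: Request, category: str, name: str) -> Any:
    """Fetch one attribute; absence is an error, never a silent None (XACML: Indeterminate)."""
    try:
        return req[category][name]
    except KeyError:
        raise MissingAttribute(f"{category}:{name}") from None


def always(_: Request) -> bool:
    return True


@dataclass
class Rule:
    rule_id: str
    effect: str                  # "Permit" or "Deny"
    target: Predicate            # which requests this rule is about
    condition: Predicate = always

    def evaluate(self, req: Request) -> str:
        try:
            if not self.target(req):
                return "NotApplicable"
            return self.effect if self.condition(req) else "NotApplicable"
        except MissingAttribute:
            return "Indeterminate"


def deny_overrides(results: List[str]) -> str:
    """XACML deny-overrides, with the extended Indeterminate variants collapsed into one."""
    if "Deny" in results:
        return "Deny"
    if "Indeterminate" in results:
        return "Indeterminate"
    if "Permit" in results:
        return "Permit"
    return "NotApplicable"


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def decide(self, req: Request) -> str:
        return self.combine([rule.evaluate(req) for rule in self.rules])


# The two rules from the slides, over attribute names chosen for this example.
def is_po_action(action_id: str) -> Predicate:
    return lambda r: (attr(r, "resource", "resource-type") == "purchase-order"
                      and attr(r, "action", "action-id") == action_id)


create_rule = Rule(
    rule_id="purchasing-can-create", effect="Permit",
    target=is_po_action("create"),
    condition=lambda r: attr(r, "subject", "department") == "purchasing",
)

approve_rule = Rule(
    rule_id="purchasing-manager-can-approve", effect="Permit",
    target=is_po_action("approve"),
    condition=lambda r: (
        attr(r, "subject", "department") == "purchasing"
        and attr(r, "subject", "role") == "manager"
        and attr(r, "resource", "po-amount") <= attr(r, "subject", "approval-limit")
        and attr(r, "resource", "po-location") == attr(r, "subject", "location")
        and attr(r, "resource", "po-creator") != attr(r, "subject", "identity")   # segregation of duty
    ),
)

po_policy = Policy("purchase-orders", [create_rule, approve_rule])

# Constructed sample data (not from the deck).
ALICE = {"identity": "alice", "department": "purchasing", "role": "manager",
         "location": "napa", "approval-limit": 10000}
PO_12367 = {"resource-type": "purchase-order", "po-id": "12367", "po-amount": 8500,
            "po-location": "napa", "po-creator": "bob"}


def decide(subject: dict, resource: dict, action_id: str) -> str:
    """Evaluate the purchase-order policy for one access request."""
    return po_policy.decide({"subject": subject, "resource": resource,
                             "action": {"action-id": action_id}})


if __name__ == "__main__":
    print(decide(ALICE, PO_12367, "approve"))                              # Permit
    print(decide(ALICE, {**PO_12367, "po-creator": "alice"}, "approve"))   # NotApplicable
```

Two things the slide's prose leaves implicit show up in the results: a manager approving her own PO, or one above her limit, gets NotApplicable rather than Deny, because no rule matched, and a request missing an attribute the condition needs gets Indeterminate. A PEP must treat both as a refusal.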
XACML Request / Response Protocol
Structure of a XACML Request / Response
XACML Request: "Can Manager Alice approve Purchase Order 12367?"
• Subject: User id = Alice, Role = Manager
• Action: Action id = approve
• Resource: Resource type = Purchase Order, PO # = 12367
• Environment: Device Type = Laptop
XACML Response: "Yes, she can"
• Result: Decision: Permit, Status: ok
The core XACML specification does not define any specific transport / communication protocol:
- Developers can choose their own.
- The SAML profile defines a binding to send requests/responses over SAML assertions.
So what’s in it for the
developer?
#1 A single authorization model & framework
#1.a working across all layers
#1.b and across different technology stacks
(Chart: share of programming languages, Feb 2013: Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal)
#2 A rich language to express many scenarios
ACLs
RBAC
Whitelists
Segregation-of-Duty
Relation-based
Trust Elevation
Device-based
Break the glass
Privacy protection
ABAC
Rich business flows
Data redaction
#3 Developer-friendly APIs
The REST profile of XACML
- OASIS XACML profile, designed by Remon Sinnema of EMC
- XML over HTTP or JSON over HTTP
#3 Developer-friendly APIs (cont’d)
Drop the…
Use curl, Perl, and Python with the REST API:
curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
(foo:8443 is a placeholder for your PDP; the request body lists who is asking to do what to which resource, so in practice send it over HTTPS to an endpoint that authenticates the calling PEP.)
#4 Simplified request/response
Use the JSON profile of XACML. The idea: remove the verbose aspects of XACML, focus on the key points, make a request easy to read.
#4 Sample XACML request before JSON (cont’d)
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
#4 Sample XACML request using JSON (cont’d)
{
  "subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
  "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
  "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}
}
This is the shape of the 2013 draft. The published JSON Profile of XACML 3.0 wraps the categories in a top-level "Request" object and names them "AccessSubject", "Resource" and "Action", each holding an "Attribute" array of objects with "AttributeId" and "Value" keys; check which revision your PDP implements before hard-coding either form.
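The request, response and REST call from the slides above, as an added Python example (not deck or Axiomatics code): build the XACML 3.0 XML request shown on the slide from a plain dict, produce the compact JSON form shown next to it, parse a response to get the decision, and post it the way the curl one-liner does. The URIs are the standard ones from the XML sample; the PDP URL (foo:8443) is a placeholder like the slide's, and the response document is constructed here so the parser can be exercised offline.

```python
"""Build a XACML 3.0 request, post it to a REST-profile PDP and read the decision back.

Added example (not from the deck, not Axiomatics code). The namespace, category and
attribute-id URIs are the standard XACML 3.0 ones that appear in the slide's XML sample;
the PDP URL is a placeholder, like the slide's curl example, and must be replaced.
"""
import json
import urllib.request
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CATEGORIES = {
    "subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}
STANDARD_IDS = {
    ("subject", "subject-id"): "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    ("resource", "resource-id"): "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    ("action", "action-id"): "urn:oasis:names:tc:xacml:1.0:action:action-id",
}


def q(local: str) -> str:
    """Clark-notation tag name in the XACML 3.0 namespace."""
    return f"{{{NS}}}{local}"


def xacml_xml_request(attrs: dict) -> bytes:
    """{"subject": {"subject-id": "Alice"}, ...} -> serialized XACML 3.0 <Request>."""
    ET.register_namespace("xacml-ctx", NS)
    request = ET.Element(q("Request"), {"ReturnPolicyIdList": "true", "CombinedDecision": "false"})
    for category, values in attrs.items():
        holder = ET.SubElement(request, q("Attributes"), {"Category": CATEGORIES[category]})
        for short_id, value in values.items():
            # Short names map to the standard URIs where one exists; other ids are used verbatim.
            attr_id = STANDARD_IDS.get((category, short_id), short_id)
            attribute = ET.SubElement(holder, q("Attribute"),
                                      {"AttributeId": attr_id, "IncludeInResult": "true"})
            ET.SubElement(attribute, q("AttributeValue"), {"DataType": XS_STRING}).text = str(value)
    return ET.tostring(request, encoding="utf-8")


def xacml_json_request(attrs: dict) -> str:
    """The compact JSON shape shown on the slide (the 2013 draft of the JSON profile)."""
    body = {category: {"attribute": [{"attributeId": k, "value": v} for k, v in values.items()]}
            for category, values in attrs.items()}
    return json.dumps(body, separators=(",", ":"))


def parse_decision(response_xml: bytes) -> dict:
    """Extract Decision and status code from a XACML 3.0 <Response>; no decision means Indeterminate."""
    result = ET.fromstring(response_xml).find(q("Result"))
    if result is None:
        return {"decision": "Indeterminate", "status": None}
    code = result.find(f"{q('Status')}/{q('StatusCode')}")
    return {"decision": result.findtext(q("Decision"), default="Indeterminate"),
            "status": code.get("Value") if code is not None else None}


def ask_pdp(attrs: dict, pdp_url: str = "https://foo:8443/asm-pdp/pdp") -> dict:
    """The slide's curl call from Python. Keep it on TLS: the body carries identity and resource data."""
    http_req = urllib.request.Request(pdp_url, data=xacml_xml_request(attrs),
                                      headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(http_req, timeout=5) as resp:
        return parse_decision(resp.read())


# The slide's request (Alice / hello / say) and a constructed response, so the code runs offline.
ALICE_SAYS_HELLO = {"subject": {"subject-id": "Alice"},
                    "resource": {"resource-id": "hello"},
                    "action": {"action-id": "say"}}
SAMPLE_RESPONSE = (
    f'<Response xmlns="{NS}"><Result><Decision>Permit</Decision>'
    f'<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    f"</Result></Response>"
).encode()


def request_sizes(attrs: dict) -> dict:
    """Bytes on the wire for the same request in both encodings (the slide's size comparison)."""
    return {"xml": len(xacml_xml_request(attrs)), "json": len(xacml_json_request(attrs).encode())}
```

`request_sizes` gives the byte counts behind the side-by-side chart: the same three attributes serialize to far fewer bytes as JSON. `ask_pdp` is the only function that touches the network; it is the one to wrap with a timeout and a fail-closed default in a real PEP, since any exception there must not turn into a grant.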
#4 JSON & XML side-by-side comparison
(Chart: size of a XACML request, word count and character count, XML vs JSON)
#5 Easy authoring tools
- Natural language authoring
- Axiomatics Language for Authorization (ALFA)
- Research initiative from TSSG
- And many more coming…
#5 Axiomatics Language For AuthZ (cont’d)
Provide the right tools for easy authoring of XACML policies:
- Plugs into Eclipse IDE
- High-level syntax
- Auto-complete
- Automatic translation to XACML 3.0
Wrapping up
Benefits for the developer
Benefits of using XACML #1
One consistent authorization model, many different applications: decide once, enforce everywhere.
Benefits of using XACML #2
Adios endless if, else statements. Hello simple if(authorized()).
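An `authorized()` helper of the kind the slide alludes to, as an added Python example (not deck or Axiomatics code). It is a deny-biased PEP in the XACML sense: anything other than Permit is refused, a PDP error is refused, and a Permit whose obligations the application cannot discharge is refused. The PDP is injected as a callable; `fake_pdp`, the result dict layout and the `audit-log` obligation id are this example's own constructions, not the wire format of any particular product.

```python
"""A PEP-side authorized() that replaces scattered if/else checks (added example, not deck code).

The PDP is injected as a callable returning a XACML-style result dict such as
{"Decision": "Permit", "Obligations": [{"Id": ..., "AttributeAssignments": {...}}]}, so the
enforcement logic runs without a network. The result and obligation field names are this
example's own, not the wire format of any particular PDP.
"""
from functools import wraps
from typing import Any, Callable, Dict, List, Optional

Result = Dict[str, Any]


class AccessDenied(Exception):
    pass


class Pep:
    """Policy Enforcement Point: asks the PDP and grants only on an unambiguous Permit."""

    def __init__(self, decide: Callable[[dict], Result],
                 handlers: Optional[Dict[str, Callable[[dict], None]]] = None):
        self.decide = decide
        self.handlers = handlers or {}          # obligation id -> function that discharges it

    def authorized(self, subject: dict, resource: dict, action: str) -> bool:
        try:
            result = self.decide({"subject": subject, "resource": resource,
                                  "action": {"action-id": action}})
        except Exception:
            return False                        # PDP unreachable or garbage answer: fail closed
        if result.get("Decision") != "Permit":
            return False                        # Deny, NotApplicable and Indeterminate all mean "no"
        # XACML: a PEP that cannot discharge every obligation attached to a Permit must not grant.
        for obligation in result.get("Obligations", []):
            handler = self.handlers.get(obligation.get("Id"))
            if handler is None:
                return False
            try:
                handler(obligation)
            except Exception:
                return False
        return True

    def require(self, action: str, resource_of: Callable[..., dict]):
        """Decorator guarding a service method whose first argument is the calling subject."""
        def decorate(fn):
            @wraps(fn)
            def guarded(subject, *args, **kwargs):
                if not self.authorized(subject, resource_of(*args, **kwargs), action):
                    raise AccessDenied(f"{subject.get('identity')} may not {action}")
                return fn(subject, *args, **kwargs)
            return guarded
        return decorate


# Constructed stand-in for a PDP so the enforcement path can be exercised offline.
def fake_pdp(request: dict) -> Result:
    role = request["subject"].get("role")
    if role is None:
        return {"Decision": "Indeterminate"}    # missing attribute, as a real PDP would report
    if request["action"]["action-id"] == "approve" and role == "manager":
        return {"Decision": "Permit",
                "Obligations": [{"Id": "audit-log",
                                 "AttributeAssignments": {"po": request["resource"]["po-id"]}}]}
    return {"Decision": "NotApplicable"}


AUDIT_TRAIL: List[dict] = []
pep = Pep(fake_pdp, handlers={"audit-log": lambda ob: AUDIT_TRAIL.append(ob["AttributeAssignments"])})


@pep.require("approve", lambda po: po)
def approve_po(subject: dict, po: dict) -> str:
    """The business method itself carries no authorization logic."""
    return f"PO {po['po-id']} approved by {subject['identity']}"


def try_approve(subject: dict, po: dict) -> str:
    """Run approve_po and report either the result or the denial as a string."""
    try:
        return approve_po(subject, po)
    except AccessDenied as exc:
        return f"denied: {exc}"
```

The obligation handling is the part most home-grown PEPs get wrong: a Permit that comes with an audit obligation the application silently drops is an audit gap, so an unknown or failing obligation turns the Permit into a refusal rather than being ignored.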
(Chart, tongue in cheek: Developer Happiness Index against number of if / else statements terminated)
Benefits of using XACML #3
Security potholes are a thing of the past: XACML is the concrete that fills in the cracks in your authorization wall.
Benefits of using XACML #4
Let developers do what they know best. Offload auditing and info security to security architects & auditors by externalizing authorization.
Happy developer, happy auditor.
Next steps?
- Download XACML SDK
- Download ALFA plugin
- Download Eclipse
- Code in your favorite language
Questions? Contact us at info@axiomatics.com
Q&A
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...David Brossard
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...David Brossard
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationDavid Brossard
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtDavid Brossard
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateDavid Brossard
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...David Brossard
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...David Brossard
 

Mais de David Brossard (7)

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA…  How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with Authorization
 
OpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior ArtOpenID AuthZEN ALFA PEP-PDP Prior Art
OpenID AuthZEN ALFA PEP-PDP Prior Art
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...
 

Último

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Developer

  • 1. XACML for Developers: Updates, New Tools, & Patterns for the Eager #IAM Developer
  • 2. What is XACML? eXtensible Access Control Markup Language. Not guacamole. De facto standard. Defined at OASIS.
  • 3. XACML in the IAM spectrum: one of the several standards in the #IAM family, alongside SAML, SPML, LDAP, RBAC, ABAC…, SCIM, OpenID, OAuth, WS-*.
  • 4. Why XACML? In a web 3.0 world where it’s about small apps and your data… it’s time to get leaks under control.
  • 5. What’s Attribute-based Access Control?
  • 6. In the olden days, authorization was about: Who?
  • 7. Authorization should really be about… Who? What? When? Where? How? Why?
  • 8. Example Scenario: Managing Purchase Orders. A car retail company has a web application that users can access to create, view, and approve purchase orders, in accordance with policy rules.
  • 9. Attributes. Resource attributes: Resource type, PO Id, PO amount, PO location, PO creator, PO Status. Subject attributes: Identity, Department, Location, Approval limit, Role. Action attributes: Action type. Environment attributes: Device type, IP address, Time of day. (Icon credits: Profile designed by Sven Gabriel, Invisible designed by Andrew Cameron, Wrench designed by John O’Shea, Clock designed by Brandon Hopkins, all from The Noun Project.)
  • 10. A simple rule: Anyone in the purchasing department can create purchase orders.
  • 11. A richer rule: A manager in the purchasing department can approve purchase orders (a) up to their approval limit, (b) if and only if the PO location and the manager location are the same, and (c) if and only if the manager is not the PO creator.
  • 12. XACML 101 – The Basics
  • 13. What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • 14. XACML Architecture & Flow. Enforce: Policy Enforcement Point (PEP). Decide: Policy Decision Point (PDP). Manage: Policy Administration Point (PAP). Support: Policy Information Point (PIP) and Policy Retrieval Point (PRP). Flow: the PEP intercepts “Access Document #123”, asks the PDP “Can Alice access Document #123?”, receives “Yes, Permit”, and lets the access through. To decide, the PDP loads the XACML policies and retrieves the user role, clearance and document classification.
  • 15. What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • 16. Language Elements of XACML. Three structural elements: PolicySet, Policy, Rule. Root: either a PolicySet or a Policy. PolicySets contain any number of PolicySets & Policies. Policies contain Rules. Rules carry an Effect: Permit / Deny. Combining Algorithms resolve the results of the children.
  • 17. Sample XACML Policy: Root PolicySet → PolicySet → Policy → Rule (Effect=Permit), Rule (Effect=Deny); Root PolicySet → PolicySet → Policy → Rule (Effect=Permit).
  • 18. Language Structure: Russian dolls. PolicySet, Policy & Rule can contain Targets, Obligations and Advice. Rules can additionally contain Conditions. (Diagram: Policy Set ⊃ Policy ⊃ Rule (Effect=Permit), each with its own Target and Obligation; the Rule also holds a Condition.)
  • 19. What does XACML contain? XACML Reference Architecture; Policy Language; Request / Response Protocol.
  • 20. Structure of a XACML Request / Response. XACML Request, “Can Manager Alice approve Purchase Order 12367?”: Subject: User id = Alice, Role = Manager. Action: Action id = approve. Resource: Resource type = Purchase Order, PO # = 12367. Environment: Device Type = Laptop. XACML Response, “Yes, she can”: Result: Decision = Permit, Status = ok. The core XACML specification does not define any specific transport / communication protocol: developers can choose their own; the SAML profile defines a binding to send requests/responses over SAML assertions.
  • 21. So what’s in it for the developer?
  • 22. #1 A single authorization model & framework
  • 23. #1.a working across all layers
  • 24. #1.b and across different technology stacks. Share of programming languages (Feb 2013): Java, C, Objective-C, C++, C#, PHP, Python, (Visual) Basic, Perl, Ruby, JavaScript, Visual Basic .NET, Lisp, Pascal, Delphi/Object Pascal.
  • 25. #2 A rich language to express many scenarios: ACLs, RBAC, Whitelists, Segregation-of-Duty, Relation-based, Trust Elevation, Device-based, Break the glass, Privacy protection, ABAC, Rich business flows, Data redaction.
  • 26. #3 Developer-friendly APIs: the REST profile of XACML (an OASIS XACML profile, designed by Remon Sinnema of EMC2). XML over HTTP; JSON over HTTP.
  • 27. #3 Developer-friendly APIs (cont’d). Drop the… Use curl, Perl, and Python with the REST API:
      curl -X POST -H 'Content-type:text/xml' -T xacml-request.xml http://foo:8443/asm-pdp/pdp
  • 28. #4 Simplified request/response: use the JSON profile of XACML. Idea: remove the verbose aspects of XACML, focus on the key points, make a request easy to read.
  • 29. #4 Sample XACML before JSON (cont’d):
      <xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
        <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
          <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
            <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
          </xacml-ctx:Attribute>
        </xacml-ctx:Attributes>
      </xacml-ctx:Request>
  • 30. #4 Sample XACML using JSON (cont’d):
      {"subject":  {"attribute": [{"attributeId": "username",    "value": "alice"}]},
       "resource": {"attribute": [{"attributeId": "resource-id", "value": "hello"}]},
       "action":   {"attribute": [{"attributeId": "action-id",   "value": "say"}]}}
  • 31. #4 JSON & XML side-by-side comparison: size of a XACML request. (Charts: word count and character count of the same request, XML vs. JSON.)
  • 32. #5 Easy authoring tools: natural language authoring; Axiomatics Language for Authorization (ALFA); a research initiative from TSSG; and many more coming…
  • 33. #5 Axiomatics Language For AuthZ (cont’d): provide the right tools for easy authoring of XACML policies. Plugs into the Eclipse IDE; high-level syntax; auto-complete; automatic translation to XACML 3.0.
  • 34. Wrapping up: benefits for the developer
  • 35. Benefits of using XACML #1: one consistent authorization model, many different applications. Decide once, enforce everywhere.
  • 36. Benefits of using XACML #2: adios endless if, else statements; hello simple if(authorized()). (Chart: Developer Happiness Index vs. number of if / else statements terminated.)
  • 37. Benefits of using XACML #3: security potholes are a thing of the past. XACML is the concrete that fills in the cracks in your authorization wall.
  • 38. Benefits of using XACML #4: let developers do what they know best. Offload auditing and info security to security architects & auditors by externalizing authorization. Happy developer, happy auditor.
  • 39. Next steps? Download the XACML SDK; download the ALFA plugin; download Eclipse; code in your favorite language.
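The purchase-order rules of slides 10 and 11, the Rule/Policy structure with a combining algorithm of slide 16, and the slide-30 request shape, pulled together as an added Python example that is not part of this deck or of any Axiomatics SDK. The attribute ids (username, department, role, approvalLimit, amount, location, creator) are assumptions, and the evaluation and deny-overrides logic is a simplified model of what the specification defines.

```python
"""Toy XACML-style PDP for the purchase-order scenario on these slides (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

class MissingAttribute(Exception):
    """A condition asked for an attribute the request (or a PIP) does not supply."""

def attr(request: dict, category: str, attribute_id: str):
    """Look up one attribute in a request shaped like the slide-30 JSON sample. A missing
    attribute raises, so the rule needing it becomes Indeterminate, never silently Permit."""
    for a in request.get(category, {}).get("attribute", []):
        if a["attributeId"] == attribute_id:
            return a["value"]
    raise MissingAttribute(f"{category}/{attribute_id}")

@dataclass
class Rule:
    rule_id: str
    effect: str                                         # PERMIT or DENY
    target: Callable[[dict], bool]                      # XACML Target: applicability test
    condition: Callable[[dict], bool] = lambda r: True  # XACML Condition

    def evaluate(self, request: dict) -> str:
        try:
            if not self.target(request):
                return NOT_APPLICABLE
            return self.effect if self.condition(request) else NOT_APPLICABLE
        except MissingAttribute:
            return INDETERMINATE

def deny_overrides(results: List[str]) -> str:
    """Simplified XACML deny-overrides: Deny wins, then Indeterminate, then Permit
    (the spec's Indeterminate{D}/{P}/{DP} flavours are collapsed into one)."""
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE

@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, request: dict) -> str:
        return self.combine([rule.evaluate(request) for rule in self.rules])

def is_action(name: str) -> Callable[[dict], bool]:
    return lambda r: attr(r, "action", "action-id") == name

def in_purchasing(r: dict) -> bool:
    return attr(r, "subject", "department") == "purchasing"

# Attribute ids (department, approvalLimit, amount, ...) are assumed for illustration.
PURCHASE_ORDER_POLICY = Policy("po-policy", [
    # Slide 10: anyone in the purchasing department can create purchase orders.
    Rule("create-po", PERMIT, is_action("create"), in_purchasing),
    # Slide 11: a purchasing manager may approve a PO up to their approval limit,
    # and only when the PO location and the manager location are the same.
    Rule("approve-po", PERMIT,
         lambda r: is_action("approve")(r) and in_purchasing(r)
         and attr(r, "subject", "role") == "manager",
         lambda r: attr(r, "resource", "amount") <= attr(r, "subject", "approvalLimit")
         and attr(r, "resource", "location") == attr(r, "subject", "location")),
    # Slide 11, segregation of duty: the manager must not be the PO creator. An explicit
    # Deny is auditable, and deny-overrides guarantees it beats the Permit above.
    Rule("no-self-approval", DENY, is_action("approve"),
         lambda r: attr(r, "resource", "creator") == attr(r, "subject", "username")),
])

def make_request(subject: Dict, resource: Dict, action: str) -> dict:
    """Build a slide-30-shaped request from plain dicts (constructed sample data)."""
    def to_attrs(d: Dict) -> dict:
        return {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}
    return {"subject": to_attrs(subject), "resource": to_attrs(resource),
            "action": to_attrs({"action-id": action})}

def decide(subject: Dict, resource: Dict, action: str) -> str:
    """PEP side: ask the PDP; anything other than Permit must be enforced as a refusal."""
    return PURCHASE_ORDER_POLICY.evaluate(make_request(subject, resource, action))

# Constructed sample data for the slide-20 question "Can manager Alice approve PO 12367?"
ALICE = {"username": "alice", "role": "manager", "department": "purchasing",
         "location": "Napa", "approvalLimit": 10000}
PO_12367 = {"resource-id": "12367", "amount": 5000, "location": "Napa", "creator": "bob"}
```

With this data `decide(ALICE, PO_12367, "approve")` yields Permit, the same PO with Alice as creator yields Deny, and removing `approvalLimit` from the subject yields Indeterminate, which the PEP must treat as a refusal just like NotApplicable.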

Editor's Notes

  1. Pronunciation. OASIS standard. V 3.0 approved in January 2013; V 1.0 approved in 2003 (10 years ago!). XACML is expressed as a specification document and an XML schema: http://www.oasis-open.org/committees/xacml/
  2. Once upon a time, access control was about who you were. What mattered was your identity or perhaps your role or group. But today, access control should be more about what you represent, what you want to do, what you want to access, for which purpose, when, where, how, and why… Credits: Invisible: Andrew Cameron, from The Noun Project; Box: Martin Karachorov; Wrench: John O'Shea; Clock: Brandon Hopkins.
  3. Context attributes: device type, IP, time of the day. Action attributes: Action id: create, approve, view.
  4. Policy Enforcement Point: In the XACML architecture, the PEP is the component in charge of intercepting business messages and protecting targeted resources by requesting an access control decision from a policy decision point and enforcing that decision. PEPs can embrace many different form factors depending on the type of resource being protected.
     Policy Decision Point: The PDP sits at the very core of the XACML architecture. It implements the XACML standard and evaluation logic. Its purpose is to evaluate access control requests coming in from the PEP against the XACML policies read from the PRP. The PDP then returns a decision: either Permit, Deny, Not Applicable, or Indeterminate.
     Policy Retrieval Point: The PRP is one of the components that support the PDP in its evaluation process. Its only purpose is to act as a persistence layer for XACML policies. It can therefore take many forms such as a database, a file, or a web service call to a remote repository.
     Policy Information Point: XACML is a policy-based language which uses attributes to express rules & conditions. Attributes are bits of information about a subject, resource, action, or context describing an access control situation. Examples of attributes are a user id, a role, a resource URI, a document classification, the time of the day, etc… In its evaluation process, the PDP may need to retrieve additional attributes. It turns to PIPs where attributes are stored. Examples of PIPs include corporate user directories (LDAP…), databases, UDDIs… The PDP may for instance ask the PIP to look up the role of a given user.
     Policy Administration Point: The PAP’s purpose is to provide a management interface administrators can use to author policies and control their lifecycle.
  5. Need to clarify the location constraint. Permit is assuming that Alice location == 12367 location.