eXtensible Access Control Markup Language
Rémon Sinnema
         – Consultant Software Engineer at EMC
         – Voting member of the XACML Technical Committee
         – sinnema313




© Copyright 2011 EMC Corporation. All rights reserved.
Agenda
• Access Control
         – Various models
         – How XACML fits in
• XACML
         – Architecture
         – Request/Response Protocol
         – Policy Language
         – Optional Profiles
         – What’s new in 3.0
         – Implementations

Access Control

Access Control
• Access control is the basis of Information Security:
         – Confidentiality: prevent disclosure to unauthorized agents
         – Integrity: prevent modification by unauthorized agents
         – Availability: keep unauthorized agents off the system
• An access request occurs when
         – a given subject tries to access
         – a given resource to perform
         – a given action in
         – a given environment

Access Control List (ACL)
• (subject, resource, action, ?)
         – Subject is user or group
         – No environment
         – Hard to maintain when many users share privileges
• Widely available, e.g. in operating systems

Role-Based Access Control (RBAC)
• (role, resource, action, ?)
         – Generalizes users into roles
         – Users can have many roles
         – Roles can be hierarchical
                   • A manager is an employee
         – No environment
         – Not granular enough/role explosion
• Commonly available, e.g. in databases

Attribute-Based Access Control (ABAC)
• (subject, resource, action, environment)
         – Generalizes everything into attributes
         – Adds environment attributes
         – Subject can be user, group, role, application, …
         – Subject can be described by more than one attribute
• Matches the definition of identity:
         – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else”
           Identity Management – A Primer, p. 9
• State of the art

Policy-Based Access Control (PBAC)
• (subject, resource, action, environment)
         – Harmonizes attributes across the (extended) organization
• Coming soon…

Risk-Adaptive Access Control (RAdAC)
• (subject, resource, action, environment)
         – Dynamic risk levels as environment attributes
         – Threat level etc. from outside sources as well
• Not anytime soon

Evolution of Access Control Models
[Figure: Evolution of Access Control Models]
Trends:
• Finer granularity
• More policy-based over ad-hoc

XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC
One technology for all your evolving access control needs!

eXtensible Access Control Markup Language

Architecture
[Figure: Architecture]

Request
<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Julius Hibbert</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  <Environment />
</Request>




Response
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os
        access_control-xacml-2.0-context-schema-os.xsd">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
    </Status>
  </Result>
</Response>




Policy Language (1)
• Hierarchical structure: PolicySet → Policy → Rule




Policy Language (2)
• Target: filters applicable requests
         – In PolicySet, Policy, and Rule
         – Using attribute matching

• Condition: refines further
         – Powerful expression language

<Condition>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
    <SubjectAttributeDesignator
        SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
        MustBePresent="true"
        DataType="http://www.w3.org/2001/XMLSchema#string" />
  </Apply>
</Condition>

Attribute Matching
<!-- Effect: the decision this Rule yields when its Target and Condition hold -->
<Rule RuleId="…" Effect="Permit">
  <Description>…</Description>
  <Target>
    <Subjects>
      <Subject>
        <!-- Function (MatchId); string-equal is defined under the 1.0 function namespace -->
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- Attribute Value: the literal to compare against -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Robin Hood</AttributeValue>
          <!-- Attribute ID and Data Type: which request attribute to look up -->
          <SubjectAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" />
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>…</Resources>
    <Actions>…</Actions>
    <Environments>…</Environments>
  </Target>
  <Condition>…</Condition>
</Rule>

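The Request, Response, Condition and Rule slides above describe one evaluation cycle: a PEP sends a Request, the PDP matches it against a Rule's Target, evaluates the Condition and answers with a Response carrying a Decision and a StatusCode. The following toy PDP is an added example, not code from the deck, from SunXacml or from any other XACML implementation; it supports only the two functions the slides use (string-equal in a Target, string-is-in in a Condition). The Rule, the Requests and the urn:example:role attribute are constructed here. It shows the parts of the protocol the slides leave implicit: a Target miss gives NotApplicable rather than Deny, a Condition that evaluates to false also gives NotApplicable, and an attribute marked MustBePresent="true" that the request lacks gives Indeterminate with the missing-attribute status, never Permit.

```python
"""Toy XACML 2.0 PDP: parse a Request, evaluate one Rule (Target + Condition), emit a
Response.  Added example for this deck, not SunXacml or any other implementation; the
Rule, the Requests and the urn:example:role attribute are constructed here."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"   # Request/Response namespace
POL = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"    # Policy/Rule namespace
XS = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING_IS_IN = "urn:oasis:names:tc:xacml:1.0:function:string-is-in"
OK, MISSING, ERROR = ("urn:oasis:names:tc:xacml:1.0:status:" + s
                      for s in ("ok", "missing-attribute", "processing-error"))

# Constructed Rule in the deck's shape: Target = subject-id AND action-id (string-equal),
# Condition = the hypothetical urn:example:role bag must contain "physician".
RULE_XML = f"""<Rule xmlns="{POL}" RuleId="example:physician-reads-record" Effect="Permit">
  <Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">Julius Hibbert</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS}"/>
    </SubjectMatch></Subject></Subjects>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}"/>
    </ActionMatch></Action></Actions>
  </Target>
  <Condition><Apply FunctionId="{STRING_IS_IN}">
    <AttributeValue DataType="{XS}">physician</AttributeValue>
    <SubjectAttributeDesignator AttributeId="urn:example:role" MustBePresent="true" DataType="{XS}"/>
  </Apply></Condition>
</Rule>"""

def make_request(subject, action, role=None):
    """Constructed Request like the deck's; role=None leaves the role attribute out."""
    role_xml = (f'<Attribute AttributeId="urn:example:role" DataType="{XS}">'
                f'<AttributeValue>{role}</AttributeValue></Attribute>' if role else "")
    return f"""<Request xmlns="{CTX}">
  <Subject><Attribute AttributeId="{SUBJECT_ID}" DataType="{XS}">
    <AttributeValue>{subject}</AttributeValue></Attribute>{role_xml}</Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
    <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="{ACTION_ID}" DataType="{XS}">
    <AttributeValue>{action}</AttributeValue></Attribute></Action>
  <Environment/>
</Request>"""

class Indeterminate(Exception):
    """Evaluation could not complete; args[0] is the XACML status code to report."""

def parse_request(xml_text):
    """Request -> {category: {attribute_id: [values]}}; every attribute is a bag."""
    ctx = {}
    for category in ET.fromstring(xml_text):                 # Subject, Resource, ...
        bags = ctx.setdefault(category.tag.split("}")[1], {})
        for attr in category.findall(f"{{{CTX}}}Attribute"):
            values = [v.text.strip() for v in attr.findall(f"{{{CTX}}}AttributeValue")]
            bags.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx

def resolve(ctx, category, designator):
    """Designator -> bag; an empty bag with MustBePresent="true" is Indeterminate."""
    bag = ctx.get(category, {}).get(designator.get("AttributeId"), [])
    if not bag and designator.get("MustBePresent", "false") == "true":
        raise Indeterminate(MISSING)
    return bag

def match_holds(ctx, category, match):
    """<SubjectMatch> etc.: true if the function holds for ANY member of the bag."""
    if match.get("MatchId") != STRING_EQUAL:
        raise Indeterminate(ERROR)                             # only string-equal here
    literal = match.find(f"{{{POL}}}AttributeValue").text.strip()
    bag = resolve(ctx, category, match.find(f"{{{POL}}}{category}AttributeDesignator"))
    return any(literal == v for v in bag)

def target_matches(ctx, target):
    """Sections are ANDed, alternatives in a section ORed, *Match in an alternative ANDed."""
    for section in target:
        category = section.tag.split("}")[1][:-1]             # Subjects -> Subject
        if not any(all(match_holds(ctx, category, m) for m in alt) for alt in section):
            return False
    return True

def condition_holds(ctx, condition):
    """A single <Apply> of string-is-in(literal, subject attribute bag)."""
    apply = condition.find(f"{{{POL}}}Apply")
    if apply.get("FunctionId") != STRING_IS_IN:
        raise Indeterminate(ERROR)
    literal = apply.find(f"{{{POL}}}AttributeValue").text.strip()
    return literal in resolve(ctx, "Subject", apply.find(f"{{{POL}}}SubjectAttributeDesignator"))

def evaluate_rule(ctx, rule):
    """Target miss / false Condition -> NotApplicable; error -> Indeterminate; else Effect."""
    try:
        target, cond = rule.find(f"{{{POL}}}Target"), rule.find(f"{{{POL}}}Condition")
        if target is not None and not target_matches(ctx, target):
            return "NotApplicable", OK
        if cond is not None and not condition_holds(ctx, cond):
            return "NotApplicable", OK
        return rule.get("Effect"), OK
    except Indeterminate as exc:
        return "Indeterminate", exc.args[0]

def decide(request_xml, rule_xml=RULE_XML):
    """PDP entry point: Request XML in, (Decision, Response XML) out."""
    decision, status = evaluate_rule(parse_request(request_xml), ET.fromstring(rule_xml))
    return decision, (f'<Response xmlns="{CTX}"><Result><Decision>{decision}</Decision>'
                      f'<Status><StatusCode Value="{status}"/></Status></Result></Response>')
```

Calling decide(make_request("Julius Hibbert", "read", "physician")) returns Permit; changing the action to "write" or the role to "nurse" returns NotApplicable; omitting the role attribute returns Indeterminate with the missing-attribute StatusCode in the Response. A real PDP resolves attributes through a PIP and supports the full function library, but the decision outcomes for these four cases are the same.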
Conflict Resolution
• Multiple rules can be applicable
• Conflicts are resolved by Combining Algorithms
         – Policy has a Rule Combining Algorithm
         – PolicySet has a Policy Combining Algorithm

• Standard Combining Algorithms:
         – permit-overrides
         – deny-overrides
         – first-applicable
         – only-one-applicable
         – ordered-permit-overrides
         – ordered-deny-overrides

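The slide names the algorithms but not how each one treats an Indeterminate rule, which is where the security-relevant difference lies. The following is an added example, not code from the deck or from any XACML implementation, of the XACML 2.0 rule-combining semantics for deny-overrides, permit-overrides and first-applicable. Each rule result is an (Effect, Decision) pair because the 2.0 algorithms look at a failed rule's declared Effect: under deny-overrides a Deny rule that could not be evaluated is treated as a Deny (fail closed), whereas under permit-overrides a Permit rule that could not be evaluated yields Indeterminate, never Permit. The ordered variants share the same logic and only fix the evaluation order to policy order, which the loops below already follow; only-one-applicable is a policy-combining algorithm that needs each policy's Target applicability rather than its decision, so it is not shown.

```python
"""XACML 2.0 rule-combining algorithms over already-evaluated rule results.
Added example, not from the deck or any XACML implementation.  A result is an
(effect, decision) pair; effect is the Rule's declared Effect, decision is what
evaluating it produced (Permit, Deny, NotApplicable or Indeterminate)."""

PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(results):
    """Any Deny wins.  A Deny rule that errored is a potential Deny and also wins;
    otherwise Permit if any rule permitted, Indeterminate if anything errored, else NA."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for effect, decision in results:
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            at_least_one_permit = True
        elif decision == IND:
            at_least_one_error = True
            if effect == DENY:
                potential_deny = True
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return IND if at_least_one_error else NA

def permit_overrides(results):
    """Mirror image, except that a Permit rule that errored yields Indeterminate,
    never Permit: an evaluation error must not manufacture access."""
    potential_permit = at_least_one_deny = at_least_one_error = False
    for effect, decision in results:
        if decision == PERMIT:
            return PERMIT
        if decision == DENY:
            at_least_one_deny = True
        elif decision == IND:
            at_least_one_error = True
            if effect == PERMIT:
                potential_permit = True
    if potential_permit:
        return IND
    if at_least_one_deny:
        return DENY
    return IND if at_least_one_error else NA

def first_applicable(results):
    """Rules are tried in order; the first Permit, Deny or Indeterminate is the answer."""
    for _, decision in results:
        if decision != NA:
            return decision
    return NA

# Standard algorithm identifiers; the ordered variants map to the same functions.
ALGORITHMS = {
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides": permit_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable": first_applicable,
    "urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides": permit_overrides,
}

def combine(algorithm_id, results):
    """Dispatch on the Policy's RuleCombiningAlgId."""
    return ALGORITHMS[algorithm_id](results)

# Constructed scenario: a Deny rule whose Condition errored plus an applicable Permit rule.
ERRORED_DENY_PLUS_PERMIT = [(DENY, IND), (PERMIT, PERMIT)]
```

With ERRORED_DENY_PLUS_PERMIT, deny-overrides answers Deny (the broken Deny rule is taken as a Deny) while permit-overrides answers Permit (the Permit is found and returned at once); with the roles swapped, [(PERMIT, IND), (DENY, DENY)], deny-overrides still answers Deny and permit-overrides answers Indeterminate. Choosing the algorithm is therefore choosing what a PIP outage or a malformed attribute turns into, which a PEP must then handle: a PEP that treats Indeterminate as Permit undoes the protection.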
Obligations
• Action that PEP must perform
         – Email manager, log access, …
• Optional part of the specification




X stands for eXtensible
• Custom attribute IDs
• Custom functions
• Custom data types
• Custom combining algorithms




Optional Profiles
• RBAC
• Multiple Resource
• Hierarchical Resource
• Privacy
• SAML
• XML Digital Signature




What’s new in 3.0
• Subject/Resource/Action/Environment generalized into attribute categories
• Advice (like an obligation, but optional for the PEP)
• Obligations & advice can be dynamic
• More functions and combining algorithms (better handling of Indeterminate in combining algorithms, new combining algorithms)
• XPath improvements (XPath data type)
• Updated profiles
         – Multiple Resource: decision schemes
         – SAML: pass policies with the request
• New profiles
         – Administration & Delegation (policies about who can change policies)
         – Export
         – Intellectual Property (in progress)

Implementations
• Commercial [Figure: vendor logos]
• Embedded [Figure: vendor logos]
• Open Source
         – SunXacml

Q&A



                                                         sinnema313




THANK YOU



Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

XACML - XML Amsterdam 2011

  • 1. eXtensible Access Control Markup Language Rémon Sinnema – Consultant Software Engineer at EMC – Voting member of the XACML Technical Committee – sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 1
  • 2. Agenda • Access Control – Various models – How XACML fits in • XACML – Architecture – Request/Response Protocol – Policy Language – Optional Profiles – What’s new in 3.0 – Implementations © Copyright 2011 EMC Corporation. All rights reserved. 2
  • 3. Access Control © Copyright 2011 EMC Corporation. All rights reserved. 3
  • 4. Access Control • Access control is the basis of Information Security: – Confidentiality: prevent disclosure to unauthorized agents – Integrity: prevent modification by unauthorized agents – Availability: keep unauthorized agents off the system • An access request occurs when – a given subject tries to access – a given resource to perform – a given action in – a given environment © Copyright 2011 EMC Corporation. All rights reserved. 4
  • 5. Access Control List (ACL) • (subject, resource, action, ?) – Subject is user or group – No environment – Hard to maintain when many users share privileges • Widely available, e.g. in operating systems © Copyright 2011 EMC Corporation. All rights reserved. 5
  • 6. Role-Based Access Control (RBAC) • (role, resource, action, ?) – Generalizes users into roles – Users can have many roles – Roles can be hierarchical • A manager is an employee – No environment – Not granular enough/role explosion • Commonly available, e.g. in databases © Copyright 2011 EMC Corporation. All rights reserved. 6
  • 7. Attribute-Based Access Control (ABAC) • (subject, resource, action, environment) – Generalizes everything into attributes – Adds environment attributes – Subject can be user, group, role, application, … – Subject can be described by more than one attribute • Matches the definition of identity: – “A person’s identity is built upon an incomplete set of attributes that we deem sufficient to differentiate one person from everyone else” Identity Management – A Primer, p. 9 • State of the art © Copyright 2011 EMC Corporation. All rights reserved. 7
  • 8. Policy-Based Access Control (PBAC) • (subject, resource, action, environment) – Harmonizes attributes across the (extended) organization • Coming soon… © Copyright 2011 EMC Corporation. All rights reserved. 8
  • 9. Risk-Adaptive Access Control (RAdAC) • (subject, resource, action, environment) – Dynamic risk levels as environment attributes – Threat level etc. from outside sources as well • Not anytime soon © Copyright 2011 EMC Corporation. All rights reserved. 9
  • 10. Evolution of Access Control Models Trends: • Finer granularity • More policy-based over ad-hoc © Copyright 2011 EMC Corporation. All rights reserved. 10
  • 11. XACML supports all of ACL, RBAC, ABAC, PBAC, and RAdAC One technology for all your evolving access control needs! © Copyright 2011 EMC Corporation. All rights reserved. 11
  • 12. eXtensible Access Control Markup Language © Copyright 2011 EMC Corporation. All rights reserved. 12
  • 13. Architecture © Copyright 2011 EMC Corporation. All rights reserved. 13
  • 14. Request
    <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>Julius Hibbert</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
      <Environment />
    </Request>
    © Copyright 2011 EMC Corporation. All rights reserved. 14
  • 15. Response
    <Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os access_control-xacml-2.0-context-schema-os.xsd">
      <Result>
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
        </Status>
      </Result>
    </Response>
    © Copyright 2011 EMC Corporation. All rights reserved. 15
  • 16. Policy Language (1) • Hierarchical structure: PolicySet → Policy → Rule © Copyright 2011 EMC Corporation. All rights reserved. 16
  • 17. Policy Language (2) • Target filters applicable requests – In PolicySet, Policy, and Rule – Using attribute matching • Condition refines further – Powerful expression language
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          riddle me this
        </AttributeValue>
        <SubjectAttributeDesignator
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:some-attribute"
            MustBePresent="true"
            DataType="http://www.w3.org/2001/XMLSchema#string" />
      </Apply>
    </Condition>
    © Copyright 2011 EMC Corporation. All rights reserved. 17
  • 18. Attribute Matching (the slide's callouts label the Effect, the matching Function, the Attribute Value, the Attribute ID and the Data Type)
    <Rule RuleId="…" Effect="Permit">
      <Description>…</Description>
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
                Robin Hood
              </AttributeValue>
              <SubjectAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="http://www.w3.org/2001/XMLSchema#string" />
            </SubjectMatch>
          </Subject>
        </Subjects>
        <Resources>…</Resources>
        <Actions>…</Actions>
        <Environments>…</Environments>
      </Target>
      <Condition>…</Condition>
    </Rule>
    © Copyright 2011 EMC Corporation. All rights reserved. 18
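The request of slide 14 and the Target/Condition matching of slides 17 and 18, worked through as an added example (not code from the slides or from any XACML implementation): a toy evaluator for a single Rule. It assumes a hypothetical custom attribute id urn:example:role for the Condition and models only the two functions the slides use, string-equal and string-is-in.

```python
# Added toy evaluator (not from the slides or any XACML product) for one Rule:
# Target matching with string-equal, then a Condition using string-is-in.
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"  # hypothetical custom attribute id, not from the slides
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed request in the shape of slide 14, plus a role attribute for the Condition.
REQUEST_XML = f"""<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
 <Subject>
  <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}"><AttributeValue>Julius Hibbert</AttributeValue></Attribute>
  <Attribute AttributeId="{ROLE}" DataType="{STRING}"><AttributeValue>physician</AttributeValue></Attribute>
 </Subject>
 <Resource>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://medico.com/record/patient/BartSimpson</AttributeValue></Attribute>
 </Resource>
 <Action>
  <Attribute AttributeId="{ACTION_ID}" DataType="{STRING}"><AttributeValue>read</AttributeValue></Attribute>
 </Action>
 <Environment/>
</Request>"""

def parse_request(xml_text):
    """Flatten the request into {category: {attribute-id: [values]}} (the PDP's view)."""
    ctx = {}
    for category in ET.fromstring(xml_text):
        bag = ctx.setdefault(category.tag[len(CTX):].lower(), {})
        for attr in category.findall(CTX + "Attribute"):
            values = [v.text.strip() for v in attr.findall(CTX + "AttributeValue")]
            bag.setdefault(attr.get("AttributeId"), []).extend(values)
    return ctx

# A Rule as data: Target = string-equal matches (slide 18); Condition = string-is-in on a MustBePresent attribute (slide 17).
RULE = {"effect": "Permit",
        "target": [("subject", SUBJECT_ID, "Julius Hibbert"), ("action", ACTION_ID, "read")],
        "condition": ("physician", "subject", ROLE)}

def evaluate_rule(rule, ctx):
    """Effect if Target and Condition hold, NotApplicable if either fails,
    Indeterminate if the Condition's MustBePresent attribute is missing."""
    for category, attr_id, value in rule["target"]:
        if value not in ctx.get(category, {}).get(attr_id, []):
            return "NotApplicable"
    value, category, attr_id = rule["condition"]
    bag = ctx.get(category, {}).get(attr_id)
    if bag is None:
        return "Indeterminate"
    return rule["effect"] if value in bag else "NotApplicable"
```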
  • 19. Conflict Resolution • Multiple rules can be applicable • Conflicts are resolved by Combining Algorithms – Policy has Rule Combining Algorithm – PolicySet has Policy Combining Algorithm • Standard Combining Algorithms: – permit-overrides – deny-overrides – first-applicable – only-one-applicable – ordered-permit-overrides – ordered-deny-overrides © Copyright 2011 EMC Corporation. All rights reserved. 19
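The combining algorithms of slide 19, as an added example that is not from the slides or from any XACML implementation: the four standard algorithms applied to already-evaluated rules, written to XACML 2.0 semantics so the handling of Indeterminate (which 3.0 later refined, see slide 23) is visible. The ordered-* variants differ only in evaluation order and are not repeated.

```python
# Added example (not from the slides or any XACML product): the standard 2.0
# combining algorithms over (effect, decision) pairs of already-evaluated rules.
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(rules):
    """Deny wins; a rule that could have denied but errored also yields Deny."""
    potential_deny = at_least_one_permit = at_least_one_error = False
    for effect, decision in rules:
        if decision == DENY:
            return DENY
        at_least_one_permit |= decision == PERMIT
        if decision == IND:
            at_least_one_error = True
            potential_deny |= effect == DENY
    if potential_deny:
        return DENY
    if at_least_one_permit:
        return PERMIT
    return IND if at_least_one_error else NA

def permit_overrides(rules):
    """Permit wins; an errored Permit rule makes the result Indeterminate."""
    potential_permit = at_least_one_deny = at_least_one_error = False
    for effect, decision in rules:
        if decision == PERMIT:
            return PERMIT
        at_least_one_deny |= decision == DENY
        if decision == IND:
            at_least_one_error = True
            potential_permit |= effect == PERMIT
    if potential_permit:
        return IND
    if at_least_one_deny:
        return DENY
    return IND if at_least_one_error else NA

def first_applicable(rules):
    """Order matters: the first rule that is not NotApplicable decides (Indeterminate included)."""
    for _effect, decision in rules:
        if decision != NA:
            return decision
    return NA

def only_one_applicable(policies):
    """Policy combining over (target_applicable, decision); None = error evaluating the Target.
    Exactly one applicable Target decides, none is NotApplicable, more is Indeterminate."""
    matching = [decision for applicable, decision in policies if applicable]
    if any(applicable is None for applicable, _ in policies) or len(matching) > 1:
        return IND
    return matching[0] if matching else NA
```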
  • 20. Obligations • Action that PEP must perform – Email manager, log access, … • Optional part of the specification © Copyright 2011 EMC Corporation. All rights reserved. 20
  • 21. X stands for eXtensible • Custom attribute IDs • Custom functions • Custom data types • Custom combining algorithms © Copyright 2011 EMC Corporation. All rights reserved. 21
  • 22. Optional Profiles • RBAC • Multiple Resource • Hierarchical Resource • Privacy • SAML • XML Digital Signature © Copyright 2011 EMC Corporation. All rights reserved. 22
  • 23. What’s new in 3.0 • Subject/Resource/Action/Environment generalized into attribute categories • Advice (like obligation but optional) • Obligations & advice can be dynamic • More functions and combining algorithms (better handling of Indeterminate in CAs, new CAs) • XPath improvements (XPath data type) • Updated profiles – Multi: decision schemes – SAML: pass policies with request • New profiles – Administration & Delegation (policies about who can change policies) – Export – Intellectual Property (in progress) © Copyright 2011 EMC Corporation. All rights reserved. 23
  • 24. Implementations • Commercial • Embedded • Open Source – SunXacml © Copyright 2011 EMC Corporation. All rights reserved. 24
  • 25. Q&A sinnema313 © Copyright 2011 EMC Corporation. All rights reserved. 25
  • 26. THANK YOU © Copyright 2011 EMC Corporation. All rights reserved. 26

Editor's Notes

  1. Access Control List focuses on Resource. Role-Based Access Control generalizes Subject. Attribute-Based Access Control generalizes all attributes. Policy-Based Access Control standardizes attributes. Risk-Adaptive Access Control