
XACML finally ready for prime time?

Posted by Arnon Rotem-Gal-Oz on Jul 02, 2007

XACML, the eXtensible Access Control Markup Language, an OASIS standard approved more than 2 years ago, was demonstrated to work across vendor platforms at Burton's Catalyst Conference last week.

XACML is a standard that provides a (markup) language for defining the rules used to make authorization decisions, and a request/response protocol for exchanging policy decisions. XACML defines the following main entities:
  • PAP - Policy Administration Point - basically a repository for policies
  • PIP - Policy Information Point - directories or any other identity providers. PIPs can provide attributes on the resource that is being accessed as well as on the entity (identity) that tries to access that resource.
  • PDP - Policy Decision Point - the component where the decision to authorize access is made. The PDP uses the policies from the PAP as well as additional information it can get from PIPs.
  • PEP - Policy Enforcement Point - the component where the request for authorization arrives. The PEP sends an XACML request to a PDP and then acts according to the PDP's decision.
As a side note, XACML is not completely self-contained. XACML defines the content of the messages necessary to implement the request/reply, but it does not define the protocols or transport mechanisms for the message exchange. This can be solved by using another OASIS standard called SAML (Security Assertion Markup Language). In a nutshell, XACML provides the way to determine access rights to resources and SAML provides the way to securely exchange that information.

The main reason interoperability is important is that it is very rare to find a reasonably sized enterprise with a homogeneous environment, and even if you do have such an enterprise, you will face the heterogeneity problem when you want to connect with other businesses.

The interop demonstration included 8 vendors: BEA, IBM, JBoss/Red Hat, Oracle, CA, Jericho Systems, SymLabs and Securent. The vendors demonstrated several security interop scenarios, as described by JBoss's Anil Saldhana:
Use Case: Authorization Decision
========================

The Authorization Decision Interop will demonstrate that XACML 2.0 authorization decision requests generated by the PEP of Vendor A (PEP-A) are properly evaluated by the PDP of Vendor B (PDP-B), where Vendor A and Vendor B may be any of the vendors participating in the Interop.

Scenario 1: Authorization Decision: Customer Access
Customer from a web browser provides user name and password. After authentication, the PEP packages the customer username, customerId and an operation of "ViewAccount" in the context of the CustomerAccount web application in an XACML request and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 2: Authorization Decision: Customer Transaction
Customer tries to purchase 500 shares of XYZ stock. The PEP gathers information on the transaction (namely, operation of "Buy" and the number of shares "500") and creates an XACML request with other contextual information and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.

Scenario 3: Authorization Decision: Account Manager Access
An account manager needs to approve a request. The PEP gathers information about the account manager and passes it to a PDP to evaluate access to the account manager.

Scenario 4: Authorization Decision: Account Manager Approval
Account Manager needs to approve the stock purchase. The PEP gathers information about the Account Manager's approval and then asks the PDP to evaluate whether the approval should go through.

Use Case: Policy Exchange
===================
XACML Policies generated by one vendor are accessible and usable by the PDP of other vendors.
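To make the PEP/PDP exchange in these scenarios concrete, here is an added example (not code from the interop, from any of the vendors, or from JBoss XACML) of a minimal attribute-based PDP that evaluates PEP requests against a policy using XACML's deny-overrides rule-combining algorithm. The attribute names, role values and the 100-share self-service limit are assumptions chosen for the illustration.

```python
# Minimal XACML-style PDP: constructed example, not any interop vendor's code.
# Request = {category: {attribute: value}} as a PEP would package it;
# policy = target + rules, combined with XACML's deny-overrides algorithm.
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

def target_matches(target, request):
    """Every (category, attribute, value) in the target must equal the
    request attribute (XACML string-equal match); an empty target matches all."""
    return all(request.get(cat, {}).get(attr) == val for cat, attr, val in target)

def evaluate_rule(rule, request):
    if not target_matches(rule["target"], request):
        return NOT_APPLICABLE
    cond = rule.get("condition")
    if cond is not None and not cond(request):
        return NOT_APPLICABLE  # target applies but the condition is false
    return rule["effect"]

def deny_overrides(decisions):
    """Any Deny wins; otherwise a Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def evaluate_policy(policy, request):
    if not target_matches(policy["target"], request):
        return NOT_APPLICABLE
    return deny_overrides([evaluate_rule(r, request) for r in policy["rules"]])

def pep_request(subject, action, resource):
    """What the PEP sends to the PDP: subject/action/resource attribute bags."""
    return {"subject": subject, "action": action, "resource": resource}

def shares(request):
    return request["action"].get("shares", 0)

CUSTOMER = [("subject", "role", "customer")]
MANAGER = [("subject", "role", "account-manager")]
# Constructed policy for the CustomerAccount application of the interop scenarios.
# The 100-share self-service limit is an assumption, not taken from the interop.
CUSTOMER_ACCOUNT_POLICY = {
    "target": [("resource", "application", "CustomerAccount")],
    "rules": [
        {"target": CUSTOMER + [("action", "action-id", "ViewAccount")], "effect": PERMIT},
        {"target": CUSTOMER + [("action", "action-id", "Buy")],
         "condition": lambda req: shares(req) <= 100, "effect": PERMIT},
        {"target": CUSTOMER + [("action", "action-id", "Buy")],
         "condition": lambda req: shares(req) > 100, "effect": DENY},
        {"target": MANAGER + [("action", "action-id", "Approve")], "effect": PERMIT},
    ],
}
```

A 500-share "Buy" from a customer therefore yields Deny, which is what would send Scenario 2 on to the account-manager approval of Scenario 4; a request for a different application yields NotApplicable rather than a decision.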
James McGovern raised another aspect of the interoperability, namely the fact that JBoss also implemented it:
Anil Saldhana talks about the release of JBoss XACML 2.0 which is huge. This may be an opportunity for John Newton of Alfresco, Ismael Ghalimi of Intalio and Brian Chan of Liferay to incorporate XACML support into their products with little effort and beat out their closed source competitors
In any event, even if it took more than 2 years, it is good to see this standard finally maturing, as the above-mentioned use cases are not that rare.
  • This article is part of a featured topic series on SOA
