XACML finally ready for prime time?
XACML is a standard that provides a language (markup) for defining rules for making authorization decisions and provides the request/response protocol for exchanging policy decisions. XACML defines 3 main entities:
- PAP - Policy Administration Point - basically a repository for policies
- PIP - Policy Information Point - Directories or any other identity providers. PIPs can provide attributes on the resource that is being accesses as well as the entity (identity) that tries to access that resource.
- PDP - Policy Decision Point - the component that makes the decision to authorize access is made. The PDP uses the policies from the PAP as well as additional information it can get from PIPs.
- PEP - Policy Enforcement Point - The component where the request for authorization arrives. the PEP sends a XAXML request to a PDP and then acts according to the PDP's decision
The main reason interoperability is important is it that it is very rare to find a reasonably sized enterprise with a homogeneous environment and even if you do have such an enterprise - you will face the heterogeneity problem when you'd want to connect with other businesses
The interop demonstration included 8 vendors BEA, IBM, JBoss/Red Hat, Oracle, CA, Jericho Systems, SymLabs and Securent. The vendors demonstrated several security interop scenarios as described by JBoss's Anil Saldhana:
Use Case: Authorization DecisionAnother aspect of the interoperability and the fact that JBoss also implemented it was raised by James McGovern:
The Authorization Decision Interop will demonstrate that XACML 2.0 authorization decision requests generated by the */PEP/* of */Vendor A/* (*/PEP-A/*) are properly evaluated by the */PDP/* of */Vendor B /*(*/PDP-B/*), where Vendor A and Vendor B may be any of the vendors participating in the Interop.
Scenario 1: Authorization Decision: Customer Access
Customer from a web browser provides user name and password. After authentication, the PEP packages the customer username, customerId and an operation of "ViewAccount" in the context of the CustomerAccount web application in a xacml request and passes to a PDP for evaluation. The PDP can be from different vendors in the event.
Scenario 2: Authorization Decision: Customer Transaction
Customer tries to purchase 500 shares of XYZ stock. The PEP gathers information on the transaction (namely, operation of "Buy" and the number of shares "500") and creates a xacml request with other contextual information and passes it to a PDP for evaluation. The PDP can be from different vendors in the event.
Scenario 3: Authorization Decision: Account Manager Access
An account manager needs to approve a request. The PEP gathers information about the account manager and passes to a PDP to evaluate access to the account manager.
Scenario 4: Authorization Decision: Account Manager Approval
Account Manager needs to approve the stock purchase. The PEP gathers information about the Account Managers approval and then asks the PDP to evaluate whether the approval should go through.
Use Case: Policy Exchange
XACML Policies generated by one vendor are accessible and usable by the PDP of other vendors.
Anil Saldhana talks about the release of JBoss XACML 2.0 which is huge. This may be an opportunity for John Newton of Alfresco, Ismael Ghalimi of Intalio and Brian Chan of Liferay to incorporate XACML support into their products with little effort and beat out their closed source competitorsIn any event, even if it took more than 2 years, it is good to see this standard finally maturing, as the above mentioned use cases are not that rare.