extending xacml authorisation model to support policy
play

Extending XACML Authorisation Model to Support Policy Obligations - PowerPoint PPT Presentation

Sep 11, 2023 •177 likes •488 views

Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications Yuri Demchenko SNE Group, University of Amsterdam On behalf of Y. Demchenko, C. de Laat, O. Koeroo, H. Sagehaug MGC 2008 - 6th

  1. Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications Yuri Demchenko SNE Group, University of Amsterdam On behalf of Y. Demchenko, C. de Laat, O. Koeroo, H. Sagehaug MGC 2008 - 6th International Workshop on Middleware for Grid Computing 1 December 2008, Leuven

  2. Outline • Obligations in Complex Grid and Network Resource Provisioning � AAA/AuthZ Architecture for Complex Resource Provisioning (CRP) • Policy Obligations definition in XACML • Reference Model for Obligations Handling (OHRM) – proposed extension • Implementation � OSG/EGEE AuthZ Interoperability project and XACML-Grid profile � GAAA Toolkit library and XACML-NRP attributes and policy profile • AAA/AuthZ mechanisms and functional components to support policy obligations handling in multidomain NRP/CRP • Future developments Background for this research • EU funded Phosphorus Project “Lambda User Controlled Infrastructure for European Research” (EC Contract number 034115) • EGEE project and OSG/EGEE AuthZ Interoperability WG • University of Amsterdam SNE Group ongoing research on GAAA-AuthZ – Generic Authentication, Authorization, Accounting (GAAA) AuthZ Framework Extending XACML for Policy Obligations Handling Slide _ 2 MGC2008, 1 December 2008, Leuven

  3. Complex Resource Provisioning (CRP) Two use case of the general Complex Resource Provisioning (CRP) • ONRP and Network on-demand provisioning • Grid Computing Resource – Distributed and heterogeneous 3 major stages/phases in CRP operation/workflow • Provisioning consisting of 3 basic steps � Resource Lookup � Resource composition (including options) � Component resources reservation (in advance), including combined AuthZ/policy decision, and assigning a global reservation ID (GRI) • Deployment – reservation confirmation and distributing components/domain configuration (including trusted keys) • Access (to the reserved resource) or consumption (of the consumable resource) Now considering two other stages: “decommissioning” and “relocation” • Topic for future research and discussions • Will allows integrating resource provisioning into the upper layer scientific workflow in more consistent way Extending XACML for Policy Obligations Handling Slide _ 3 MGC2008, 1 December 2008, Leuven

  4. Obligations in CRP scenarios • Policy decision is done at the reservation stage (advance reservation stage often requires policy decision) and actual policy enforcement takes place at the access stage � Advance resource reservation (ARR) use cases and Usable/Consumable resources – Fixed ARR that implies strict time/amount constraints – Deferrable ARR that allows some degree of freedom in the time domain with fixed amount (or bandwidth) – Malleable ARR that allows variable duration and amount for the fixed consumption amount • Policy may contain Obligations and (obligated) policy decision may suggest the following action at later stage � Conditional AuthZ decision (e.g. type of service or credentials for multi- domain multi-provider resources) � Account mapping � Quota assignment � Logging and accounting Extending XACML for Policy Obligations Handling Slide _ 4 MGC2008, 1 December 2008, Leuven

  5. Multidomain Network Resource Provisioning (NRP) Provisioning sequences Agent • Agent (A) AAA IDC/AAA IDC/AAA A IDC/AAA • Polling (P) Service • Relay (R) (AAA) R PAP PAP PAP plane PDP PDP PDP Token based policy Dest P TVS TVS TVS enforcement Host Control GRI – Global Reservation ID PEP PEP PEP User plane AuthZ tickets for multidomain Client DC/NRPS context mngnt DC/NRPS DC/NRPS Appli- Network NE NE NE cation plane AAA – AuthN, AuthZ, Accounting Server IDC – Interdomain Controller PDP – Policy Decision Point DC – Domain Controller PEP – Policy Enforcement Point NRPS – Network Resource Provisioning TVS – Token Validation Service System KGS – Key Generation Service Extending XACML for Policy Obligations Handling Slide _ 5 MGC2008, 1 December 2008, Leuven

  6. Obligations and Pilot Job use case PilotJob UserJob User AuthN AuthZ glexec GW glexec WN LCAS/ LCAS/ SCAS LCMAPS LCMAPS • Pilot Job is submitted on behalf of a user in advance with PJ submitter account/credentials, User Job is submitted at later stage with real User Job credentials • Site Central AuthZ Service (SCAS) allows policy enforcement consistency but requires special mechanisms for security context management � SCAS is verified to be compatible with the XACML policy and PDP • gLExec operates as a gateway between (open) Grid world and executive environment of the Computer Element (CE) and/or cluster Worker Node (WN) � gLExec maps user account to one of available pool accounts Extending XACML for Policy Obligations Handling Slide _ 6 MGC2008, 1 December 2008, Leuven

  7. XACML Policy Obligations - Definition Policy Obligation is one of the policy enforcement mechanisms • Obligations are a set of operations that must be performed by the PEP in conjunction with an authorization decision [XACML2.0] Obligations semantics is not defined in the XACML policy language but left to bilateral agreement between a PAP and the PEP PEPs that conform with XACMLv2.0 are required to deny access unless they understand and can discharge all of the <Obligations> elements associated with the applicable policy Element <Obligations> / <Obligation> • The <Obligation> element SHALL contain an identifier (in the form of URI) for the obligation and a set of attributes that form arguments of the action defined by the obligation. The FulfillOn attribute SHALL indicate the effect for which this obligation must be fulfilled by the PEP Extending XACML for Policy Obligations Handling Slide _ 7 MGC2008, 1 December 2008, Leuven

  8. Obligations in other AuthZ and policy based management frameworks XACML policy obligations definition is originated from the two other concepts • Provisional Authorisation model by Kudo (implemented in the IBM’s XACL) � Includes Provisional AuthZ Module (PAM) and Request Execution Module (REM) � PAM can authorise a request provided the requestor or system (actually REM) will take some security actions, defined as “provisional actions” prior to the request execution, e.g. presenting additional credentials, signing privacy statements, logging events, etc. • Obligation policies (by Sloman) are defined together with Authorisation policies as part of the policy based management in distributed systems � Obligation policies provide simpler way of enforcing state-based policies over managed objects – Stateful part of the management policies can be implemented as obligation policies � Requires trusted manager (that can be treated similar to the Reference Monitor concept in the Trusted Computing Base (TCB)) � Provisions and obligations concepts have been further developed by Bettini et al Extending XACML for Policy Obligations Handling Slide _ 8 MGC2008, 1 December 2008, Leuven

  9. XACML Policy format XACML standard specifies XACML policy XACML Policy XACML Policy format and XACML request/response Rule Combination Algorithm messages Target {S, R, A, (E)} Policy Target {S, R , A, (E)} Policy consists of Policy Target and Rules PolicySet • Policy Target is defined for the tuple Rule ID#1 Subject-Resource-Action (-Environment) Policy Rule Target • Policy Rule consists of Conditions and may {S, R, A } {Rules, Obligs} contain Obligations … Condition • Obligation defines actions to be taken by PEP AttrDesignat on Policy decision by PDP Policy Match List {Rules,Obligs} … XACML PDP returns all Obligations that match Rule ID#n policy decision (defined by attribute “FulfillOn”) Obligations from both PolicySet and comprising individual Obligations policies Extending XACML for Policy Obligations Handling Slide _ 9 MGC2008, 1 December 2008, Leuven

  10. XACML2.0 Policy Datamodel XACML Response message contains all Obligations that match policy decision (defined by attribute “FulfillOn”) from both PolicySet and comprising individual policies Extending XACML for Policy Obligations Handling Slide _ 10 MGC2008, 1 December 2008, Leuven

  11. XACML2.0 Authorisation Process Dataflow • Introduces ContextHandler functionality • Assumes stateless PDP as actually XACML policy is stateless as well • Obligations service is called from PEP • Compliant with the Obligations definition but put much restriction in distributed environment Extending XACML for Policy Obligations Handling Slide _ 11 MGC2008, 1 December 2008, Leuven

  12. Retrospective: X.812 Access Control Framework Submit Present Access Access • Defined in the ITU X.812 std for Request Request Initiator AEF Target Open Systems Security • Historically one of the first Decision Decision Request formalised AuthZ model ADF • Further developed in the IETF (a) Generic AAA AuthZ framework • Includes a notion of the AuthZ session and AuthZ context Decision Decision Request management Initiator ADI Target ADI • By introducing retained ADI Contextual Information Access Request ADI • ADF ADF with retained ADI can be treated as stateful ADF Retained • XACML AuthZ model fits into ADI X.812 AuthZ model (b) Access Control Policy Rules AEF/ADF - AuthZ Enforcement/Decision Function ADI – AuthZ Decision Information Extending XACML for Policy Obligations Handling Slide _ 12 MGC2008, 1 December 2008, Leuven

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf of OSG/EGEE AuthZ Interoperability WG and Phosphorus project SNE Group, University of Amsterdam TF-EMC2 Meeting 3

633 views • 50 slides
Extending XACML for Open Web-based Scenarios Claudio A. Ardagna 1 Sabrina De Capitani di Vimercati

Extending XACML for Open Web-based Scenarios Claudio A. Ardagna 1 Sabrina De Capitani di Vimercati

Extending XACML for Open Web-based Scenarios Claudio A. Ardagna 1 Sabrina De Capitani di Vimercati 1 Stefano Paraboschi 2 Eros Pedrini 1 Pierangela Samarati 1 Mario Verdicchio 2 (1) Universit` a degli Studi di Milano, (2) Universit` a degli Studi

202 views • 19 slides
SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms

SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms

SRA Authorisation Rules &amp; New Firm Authorisation - Guidance for new &amp; existing firms Presenters Rachel Lewis Director of Authorisation at the SRA Also responsible for the SRA Contact Centre &amp; Business Support Services Has

525 views • 30 slides
XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored by: Hal Lockhart Entegrity Solutions and OASIS XACML Draft Standard CS 6204, Spring 2005 1 2 Dataflow Model From: OASIS XACML Specification

929 views • 16 slides
XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of

XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of

Department of Computer Sciences XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of Computer Sciences XACML OASIS standard for specifying access control policies in enterprise systems. XML

341 views • 11 slides
DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge

DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge

DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge Supervisor: Fatih Turkmen August 19, 2016 System and Network Engineering University of Amsterdam WHY Customer data more and more valuable Data stored

565 views • 20 slides
XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS Workshop on Secure Web Services and e-Commerce XACML and RBAC/Introduction Jason Crampton Programme Examine the XACML standard and the XACML RBAC

499 views • 32 slides
Support innovative approaches to the development, approval and post-authorisation monitoring of

Support innovative approaches to the development, approval and post-authorisation monitoring of

Support innovative approaches to the development, approval and post-authorisation monitoring of vaccines Underlying actions EMAs Regulatory Science Strategy to 2025 Human Stakeholder Workshop Chaired by Cesar Hernandez Garcia, HMA on 19

394 views • 11 slides
Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process

1 st EMEA Workshop for Micro, Small and Medium- Sized Enterprises (SMEs) Navigating the Regulatory Maze Marketing Authorisation: Marketing Authorisation: The Evaluation Process The Evaluation Process Dr Evdokia Korakianiti Scientific

474 views • 21 slides
THE ENHANCED ER (EER) MODEL CHAPTER 8 (6/E) CHAPTER 4 (5/E) CHAPTER 8 OUTLINE Extending

THE ENHANCED ER (EER) MODEL CHAPTER 8 (6/E) CHAPTER 4 (5/E) CHAPTER 8 OUTLINE Extending

THE ENHANCED ER (EER) MODEL CHAPTER 8 (6/E) CHAPTER 4 (5/E) CHAPTER 8 OUTLINE Extending the ER model Created to design more accurate database schemas Reflect the data properties and constraints more precisely Address more

398 views • 14 slides
Extending the linear model DAAG Chapters 7 and 8 Learning objectives The linear model framework

Extending the linear model DAAG Chapters 7 and 8 Learning objectives The linear model framework

Extending the linear model DAAG Chapters 7 and 8 Learning objectives The linear model framework can be extended in many ways. We will learn about Indicator variables for coding factors Fitting multiple lines Polynomial regression

395 views • 16 slides
Copying Subgraphs MDE Extending GT within Model Repositories Case Study Example Models

Copying Subgraphs MDE Extending GT within Model Repositories Case Study Example Models

Introduction Context Copying Subgraphs MDE Extending GT within Model Repositories Case Study Example Models Consistency Constraint Plain SDM Trfo Pieter van Gorp, Story Diagrams Control Flow Hans Schippers, Primitives for Model Dirk

712 views • 37 slides
XACML-Based Composition Policies for Ambient Networks Carlos Kamienski (cak@ufabc.edu.br)

XACML-Based Composition Policies for Ambient Networks Carlos Kamienski (cak@ufabc.edu.br)

Policy 2007 13-15 June 2007 - Bologna, Italy XACML-Based Composition Policies for Ambient Networks Carlos Kamienski (cak@ufabc.edu.br) Joseane Fidalgo (joseane@gprt.ufpe.br) Ramide Dantas (ramide@gprt.ufpe.br) Djamel Sadok

468 views • 22 slides
Extending Bidi Support on the Web Richard Ishida, W3C Aharon Lanin, Google Bidi support on the

Extending Bidi Support on the Web Richard Ishida, W3C Aharon Lanin, Google Bidi support on the

Extending Bidi Support on the Web Richard Ishida, W3C Aharon Lanin, Google Bidi support on the Web Additional Requirements for Bidi in HTML Read the Working Draft at http://www.w3.org/International/ docs/html-bidi-requirements/ You can follow

539 views • 53 slides
Lab 4 preview Hung-Wei Tseng In Lab 4... You will be extending the datapath and control unit

Lab 4 preview Hung-Wei Tseng In Lab 4... You will be extending the datapath and control unit

Lab 4 preview Hung-Wei Tseng In Lab 4... You will be extending the datapath and control unit to support branch instructions! The processor already support lw, sw, add, addi, sub, and, or nor, xor We need to support beq, bne,

255 views • 13 slides
Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns

Outline Extending ns Extending ns In OTcl In C++ Debugging Padma Haldar USC/ISI 1 2 ns Directory Structure Extending ns in OTcl ns-allinone If you dont want to compile source your changes in your sim Tcl8.3 TK8.3

303 views • 9 slides
Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager

Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager

Managing the U. S. CMS HL-LHC Upgrades Vivian ODell, U. S. CMS HL-LHC USCMS Project Manager February 2, 2016 Director's Review - Managing the U. S. CMS HL-LHC Upgrades V. O'Dell, 2

597 views • 11 slides
Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower

Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower

Center for Studying Disability Policy Serving Medicaid Beneficiaries Who Need Long-term Services and Supports: Better Outcomes at Lower Costs Presenters Discussant Victoria Peebles, Mathematica Debra Lipson, Mathematica Carol Irvin,

566 views • 53 slides
ASPECTS OF HETEROGENEITY AND FAULT TOLERANCE IN CLOUD COMPUTING Magdalena Slawinska Jaroslaw

ASPECTS OF HETEROGENEITY AND FAULT TOLERANCE IN CLOUD COMPUTING Magdalena Slawinska Jaroslaw

Atlanta, Georgia, April 19, 2010 in conjunction with IPDPS 2010 UNIBUS: ASPECTS OF HETEROGENEITY AND FAULT TOLERANCE IN CLOUD COMPUTING Magdalena Slawinska Jaroslaw Slawinski Vaidy Sunderam {magg, jaross, vss}@mathcs.emory.edu Emory

680 views • 21 slides
Requirements for handling paraphrases Transformation rules / patterns &lt; IWP 2005, Oct. 14th,

Requirements for handling paraphrases Transformation rules / patterns &lt; IWP 2005, Oct. 14th,

Requirements for handling paraphrases Transformation rules / patterns &lt; IWP 2005, Oct. 14th, 2005 &gt; X verb # S 0 ( X ) + Oper 1 ( S 0 ( X )) Handcrafting ! Iordansjaka et al., 1991 &quot;! Dras, 1999 &quot;! Sato et al., 1999 &quot; A

74 views • 4 slides
Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation Defense Bo Tang Committee Members: Dr. Ravi Sandhu, Chair Dr. Kay Robbins Dr. Gregory White Dr. Weining Zhang Dr. Jaehong Park 07/31/2014

539 views • 51 slides
Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy Emergency suspension

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy Emergency suspension

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy Emergency suspension Suspended DN cant submit jobs to sites Automated Suspension: Fast: Delays configurable &amp; known in advance Completely

334 views • 12 slides
Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project

Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project

Report from the Project Manager Bill Boroski Contractor Project Manager Contractor Project Manager USQCD All-Hands Meeting Brookhaven National Laboratory April 16-17, 2010 Outline Outline Completion of the initial computing project

475 views • 16 slides
ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is divided into two halves: Basics of

935 views • 51 slides

More recommend