Extending XACML for Open Web-based Scenarios - PowerPoint PPT Presentation
  1. Extending XACML for Open Web-based Scenarios
     Claudio A. Ardagna (1), Sabrina De Capitani di Vimercati (1), Stefano Paraboschi (2), Eros Pedrini (1), Pierangela Samarati (1), Mario Verdicchio (2)
     (1) Università degli Studi di Milano, (2) Università degli Studi di Bergamo
     W3C Workshop on Access Control Application Scenarios, Luxembourg, 17-18 November 2009
     © Pierangela Samarati 1/19

  2. Motivation
     • Open Web service systems receive access requests from remote parties to access Web services
     • These systems may not have prior knowledge of users (relationships with authentication may change)
     ⇒ Need for access control based on properties/certificates
     ⇒ Need for interactive access control systems
     ⇒ Need for an expressive and simple access control solution applicable in practice

  3. Goal and Contributions
     Extending XACML (the most significant proposal for access control over the Web) to support the new access control paradigm needed in open scenarios:
     • depart from the traditional authenticate/authorize approach (credential-based authorizations)
     • support abstractions
     • provide access control authorizations with reasoning capability (recursive reasoning)
     • communicate protection requirements while protecting the access policy and related information (dialog management and interactive access control)
     With a limited impact on the original XACML specification

  4. Credential-based Authorizations
     • Allow reference to digital certificates
     • Allow fine-grained reference to the properties they certify and to conditions about them
       ◦ Attributes represent the content of the credentials (e.g., last name)
       ◦ Metadata represent properties of the credentials (e.g., type)
     • What users can do then depends on the assertions (attributes) they can prove by presenting certificates
     • Access control can respond with requirements that the requester must satisfy to get access

  5. Credential-based Authorizations – XACML
     Credentials/metadata are represented as a new XML schema
     • Root element certifications contains one or more certification elements (classes of certificates)
     • Element certification defines a condition on metadata and has an attribute id
     • Each certification element contains one or more alternative group elements representing restrictions on metadata
     Attributes are treated like any other property in XACML
     • Each occurrence of a certified attribute is translated into an XACML SubjectAttributeDesignator element
       ◦ Attribute AttributeId is the attribute name
       ◦ Attribute Issuer points to a credential

  6. Credential-based Authorizations – Example
     Metadata:
       <certifications>
         <certification id="IT_IC">
           <group>
             <type>identity card</type>
             <issuer>IT Gov</issuer>
             <method>X.509</method>
           </group>
           <group>
             <type>passport</type>
             <issuer>IT Gov</issuer>
             <method>SAML</method>
           </group>
         </certification>
       </certifications>
     XACML policy with conditions on certified attributes:
       <Rule RuleId="ExampleRule" Effect="Permit">
         <Target/>
         <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
           <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
             <SubjectAttributeDesignator DataType="XMLSchema#string"
                 Issuer="urn:ext:cred-reference:IT_IC"
                 AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:city-birth"/>
             <AttributeValue DataType="XMLSchema#string">Milan</AttributeValue>
           </Apply>
           <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:integer-less-than">
             <SubjectAttributeDesignator DataType="XMLSchema#integer"
                 Issuer="urn:ext:cred-reference:IT_IC"
                 AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:year-birth"/>
             <AttributeValue DataType="XMLSchema#integer">1981</AttributeValue>
           </Apply>
         </Condition>
       </Rule>

  7. Abstractions
     • Allow for the derivation of new concepts from existing ones
     • Represent a shorthand by which a single concept stands for a more complex one
     Example: id_document (abstraction head) defined as an abstraction of the credentials {identity card, driver license, passport} (abstraction tail)
     A policy that requires an id_document is satisfied by providing any of the three credentials

  8. Abstractions – XACML
     To manage abstraction specifications, XACML is integrated with XQuery
     • Abstractions are represented as a new XML schema
       ◦ Root element abstractions contains one or more abstraction elements
       ◦ Each abstraction element has an attribute id (abstraction head) and a set of equivalences in element is (abstraction tail)
     • Abstractions can be embedded in XACML conditions via an XQuery invocation
       ◦ An XQuery function takes an abstraction head as input and returns the abstraction tail

  9. Abstractions – Example
     Abstraction definition:
       <abstractions>
         <abstraction id="id_document">
           <is>
             <item>identity card</item>
             <item>driver license</item>
             <item>passport</item>
           </is>
         </abstraction>
       </abstractions>
     Abstraction-based metadata condition:
       <certifications>
         <certification id="IT_ABBR">
           <group>
             <type>local:expand('id_document')</type>
           </group>
         </certification>
       </certifications>
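As an added worked example (not code from the slides or from the authors' implementation), a Python stand-in for the XQuery expand() function of slides 8-9 together with a matcher that checks a presented credential's metadata against the alternative group elements of the certifications on slides 6 and 9. The underscores in IT_IC, IT_ABBR and id_document, the metadata dict keys (type, issuer, method) and the recursive expansion of nested abstraction heads are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the abstraction and certification definitions from the
# slides (identifiers with underscores assumed).
ABSTRACTIONS = """<abstractions>
  <abstraction id="id_document">
    <is><item>identity card</item><item>driver license</item><item>passport</item></is>
  </abstraction>
</abstractions>"""

CERTIFICATIONS = """<certifications>
  <certification id="IT_IC">
    <group><type>identity card</type><issuer>IT Gov</issuer><method>X.509</method></group>
    <group><type>passport</type><issuer>IT Gov</issuer><method>SAML</method></group>
  </certification>
  <certification id="IT_ABBR">
    <group><type>local:expand('id_document')</type></group>
  </certification>
</certifications>"""

_abstractions = ET.fromstring(ABSTRACTIONS)
_certifications = ET.fromstring(CERTIFICATIONS)

def expand(head):
    """Stand-in for the slides' XQuery local:expand(): head -> tail set. Names
    that are not heads expand to themselves; nested heads recurse (assumed)."""
    node = _abstractions.find(f"abstraction[@id='{head}']")
    if node is None:
        return {head}
    tail = set()
    for item in node.iterfind("is/item"):
        tail |= expand(item.text.strip())
    return tail

def _restriction_holds(required, actual):
    # A <type> restriction is either a literal or a local:expand('...') call.
    if required.startswith("local:expand("):
        head = required[len("local:expand("):-1].strip("'\"")
        return actual in expand(head)
    return required == actual

def satisfies(cert_id, credential):
    """True if the presented credential's metadata (dict with keys type, issuer,
    method) meets every restriction of at least one alternative <group>."""
    cert = _certifications.find(f"certification[@id='{cert_id}']")
    if cert is None:
        return False
    return any(all(_restriction_holds(r.text.strip(), credential.get(r.tag, ""))
                   for r in group)
               for group in cert.iterfind("group"))
```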

  10. Recursive Conditions
     • Recursion can be exploited to specify conditions on data with a recursive structure (e.g., delegation, supervisor)
     • Recursive reasoning is needed, for example:
       ◦ for expressing policies based on chains of credentials
       ◦ for supporting delegation

  11. Recursive Conditions – XACML
     • As for abstractions, recursion is supported by integrating XACML with an XQuery engine
       ◦ Recursive conditions are defined via recursive XQuery functions
       ◦ Recursive functions are embedded in and referenced from the policies (no changes to the language) to define policy conditions based on recursive concepts
       ◦ Recursive functions take the XACML context as input and produce new information to be used in policy evaluation

  12. Recursive Conditions – Example
     XACML Context:
       <context>
         <doctor id="1">
           <first_name>George</first_name>
           <last_name>Williams</last_name>
           <specialized>Surgery</specialized>
           <sex>M</sex>
           <supervisor/>
         </doctor>
         <doctor id="2">
           <first_name>Charles</first_name>
           <last_name>White</last_name>
           <specialized>Pediatric Surgery</specialized>
           <sex>M</sex>
           <supervisor><doctorid>1</doctorid></supervisor>
         </doctor>
         <doctor id="3">
           <first_name>Mary</first_name>
           <last_name>Wilson</last_name>
           <specialized>Pediatric Allergy</specialized>
           <sex>F</sex>
           <supervisor><doctorid>1</doctorid></supervisor>
         </doctor>
       </context>
     XACML Recursive Condition:
       <Condition FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
         <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
             AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:doctor-id"/>
         <AttributeSelector RequestContextPath=
             "local:getSupervisor(//doctor[@id=//patient[@id=urn:oasis:names:tc:xacml:2.0:attribute:patient-id]/doctorid])/@id"
             DataType="http://www.w3.org/2001/XMLSchema#string"/>
       </Condition>
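As an added example (not the slides' XQuery code), a Python stand-in for the recursive local:getSupervisor() function evaluated over the context above, and the resulting condition: the requester's doctor-id must match a supervisor, at any depth of the chain, of the doctor treating the patient. The element names with underscores, the extra doctor 4 (to give the chain two levels), the patient element and the cycle guard are assumptions beyond the slide.

```python
import xml.etree.ElementTree as ET

# Constructed XACML context: the three doctors from the slide (element names
# with underscores assumed) plus, as additions, doctor 4 supervised by doctor 2
# so the chain has two levels, and a <patient> that the condition starts from.
CONTEXT = """<context>
  <doctor id="1"><first_name>George</first_name><last_name>Williams</last_name>
    <specialized>Surgery</specialized><sex>M</sex><supervisor/></doctor>
  <doctor id="2"><first_name>Charles</first_name><last_name>White</last_name>
    <specialized>Pediatric Surgery</specialized><sex>M</sex>
    <supervisor><doctorid>1</doctorid></supervisor></doctor>
  <doctor id="3"><first_name>Mary</first_name><last_name>Wilson</last_name>
    <specialized>Pediatric Allergy</specialized><sex>F</sex>
    <supervisor><doctorid>1</doctorid></supervisor></doctor>
  <doctor id="4"><supervisor><doctorid>2</doctorid></supervisor></doctor>
  <patient id="p1"><doctorid>4</doctorid></patient>
</context>"""

_ctx = ET.fromstring(CONTEXT)

def get_supervisors(doctor_id, _seen=None):
    """Stand-in for the slides' recursive XQuery local:getSupervisor(): the ids
    of every doctor above doctor_id in the supervision chain, nearest first.
    _seen stops the recursion if a malformed context contains a cycle."""
    if _seen is None:
        _seen = set()
    doctor = _ctx.find(f"doctor[@id='{doctor_id}']")
    if doctor is None:
        return []
    supervisor = doctor.findtext("supervisor/doctorid")
    if supervisor is None or supervisor in _seen:
        return []
    _seen.add(supervisor)
    return [supervisor] + get_supervisors(supervisor, _seen)

def recursive_condition(requester_doctor_id, patient_id):
    """Evaluate the slide's condition: the requester's doctor-id must equal the
    id of a supervisor (at any depth) of the doctor treating the patient."""
    treating = _ctx.findtext(f"patient[@id='{patient_id}']/doctorid")
    if treating is None:
        return False  # unknown patient: the condition cannot be satisfied
    return requester_doctor_id in get_supervisors(treating)
```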

  13. Dialog – 1
     • The server may not have all the information it needs to decide whether or not an access should be granted
     • The requester may not know which certificates she needs to present to a server to get access
     ⇒ Dialog management supports a new way of enforcing the access control process
     • The server can communicate which information is needed to evaluate a policy
     • Allows the requester to hand over only the necessary credentials

  14. Dialog – 2
     Issue to be addressed: communication of the access control restrictions to be satisfied
     • Safeguard the privacy of the involved parties
       ◦ avoid unnecessary release of certificates and information
       ◦ avoid leakage of access control policies and information
     ⇒ Disclosure policies
     • We distinguish five different disclosure policies. Each one can be used independently for any condition appearing in an expression

  15. Dialog – 3
     Example: identity_card.age > 18
     • Condition: the condition can be fully disclosed as it is
       E.g., identity_card.age > 18
     • Predicate: only the information that a property needs to be evaluated with respect to a predicate can be released
       E.g., identity_card.age >
     • Property: only the information that a property needs to be evaluated can be released
       E.g., identity_card.age
     • Credential: only the information that there is a condition about a credential can be released
       E.g., identity_card
     • None: nothing can be disclosed about the condition
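The five disclosure policies as an added Python example (not from the slides): a projection that returns what the server may send back about one condition at each level, and a helper that builds the dialog reply for a conjunction of conditions, each with its own level as slide 14 allows. The textual condition syntax credential.property predicate value and the lower-case level names are assumptions.

```python
import re

# One condition on a certified property, e.g. "identity_card.age > 18".
_COND = re.compile(r"^(?P<cred>\w+)\.(?P<prop>\w+)\s*(?P<pred>[<>=!]+)\s*(?P<val>\S+)$")

def disclose(condition, level):
    """Return the view of `condition` that the server may release to the
    requester under the given disclosure policy; None means nothing is said."""
    m = _COND.match(condition.strip())
    if m is None:
        raise ValueError(f"unparsable condition: {condition!r}")
    c = m.groupdict()
    views = {
        "condition":  f"{c['cred']}.{c['prop']} {c['pred']} {c['val']}",
        "predicate":  f"{c['cred']}.{c['prop']} {c['pred']}",
        "property":   f"{c['cred']}.{c['prop']}",
        "credential": c["cred"],
        "none":       None,
    }
    if level not in views:
        raise ValueError(f"unknown disclosure policy: {level!r}")
    return views[level]

def dialog_requirements(policy):
    """policy: list of (condition, level) pairs, one disclosure policy per
    condition. Returns the deduplicated list of requirements the server
    communicates; conditions at level 'none' leave no trace in the reply."""
    out = []
    for cond, level in policy:
        view = disclose(cond, level)
        if view is not None and view not in out:
            out.append(view)
    return out
```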
