xacml and role based access control
play

XACML and Role-Based Access Control Jason Crampton Royal Holloway, - PowerPoint PPT Presentation

Jun 17, 2023 •176 likes •499 views

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS Workshop on Secure Web Services and e-Commerce XACML and RBAC/Introduction Jason Crampton Programme Examine the XACML standard and the XACML RBAC

  1. XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS Workshop on Secure Web Services and e-Commerce

  2. XACML and RBAC/Introduction Jason Crampton Programme Examine the XACML standard and the XACML RBAC profile • Examine the XACML implementation of role-based access control policies • Identify any shortcomings • Identify any omissions • Propose some extensions and alternative approaches DIMACS Workshop on Security of Web Services and e-Commerce

  3. XACML and RBAC/Introduction Jason Crampton Outline of talk • Introduction to XACML • Introduction to RBAC • The XACML RBAC profile • An alternative approach to RBAC using XACML • Assigning subjects to roles • Separation of duty DIMACS Workshop on Security of Web Services and e-Commerce

  4. XACML and RBAC/XACML Jason Crampton XACML DIMACS Workshop on Security of Web Services and e-Commerce

  5. XACML and RBAC/XACML Jason Crampton Introduction XACML is a dialect of XML used to specify and enforce authorization policies XACML 2.0 was approved as OASIS standard on 1 February 2005 XACML is intended to provide • Interchangeable policy format • Support for fine- and coarse-grained authorization policies • Conditional authorization • Policy combination and conflict resolution • Independency from implementation DIMACS Workshop on Security of Web Services and e-Commerce

  6. XACML and RBAC/XACML Jason Crampton The XACML view of access control Resource PEP access request response request Subject attribute query Context PIP Handler attribute request context response context Policy or PolicySet PAP PDP DIMACS Workshop on Security of Web Services and e-Commerce

  7. XACML and RBAC/XACML Jason Crampton XACML building blocks <Request> <PolicySet> <Policy> <Subject> <Resource> <Action> <Target> <Subject> <Resource> <Action> <Rule> <Target> PDP <Subject> <Resource> <Action> Match subject, resource, action in request Match condition <Condition> Combine rules' results Combine policies' results Combine policy sets' results DIMACS Workshop on Security of Web Services and e-Commerce

  8. XACML and RBAC/ANSI RBAC Jason Crampton ANSI RBAC DIMACS Workshop on Security of Web Services and e-Commerce

  9. XACML and RBAC/ANSI RBAC Jason Crampton Core RBAC U UA R PA P DIMACS Workshop on Security of Web Services and e-Commerce

  10. XACML and RBAC/ANSI RBAC Jason Crampton Hierarchical RBAC U UA R PA P DIMACS Workshop on Security of Web Services and e-Commerce

  11. XACML and RBAC/The XACML RBAC profile Jason Crampton The XACML RBAC profile DIMACS Workshop on Security of Web Services and e-Commerce

  12. XACML and RBAC/The XACML RBAC profile Jason Crampton Introduction RB-XACML 2.0 approved as OASIS committee draft 30 September 2004 Implements core and hierarchical components of ANSI standard • Roles and role hierarchies • Permission-role assignment relation • User-role assignment relation Does not support separation of duty • RB-XACML 1.0 did support separation of duty DIMACS Workshop on Security of Web Services and e-Commerce

  13. XACML and RBAC/The XACML RBAC profile Jason Crampton RB-XACML policies • Role assignment is strongly Role <PolicySet> bound to role definition <Target> Any subject with manager role attribute • Permissions are strongly bound to roles • Role hierarchy is defined Manager Permission <PolicySet> <Target> implicitly using permission All purchase orders, sign aggregation • Extensive use is made of <PolicyIdReference> and Employee Permission <PolicySet>) <Target> <PolicySetIdReference> All purchase orders, create elements DIMACS Workshop on Security of Web Services and e-Commerce

  14. XACML and RBAC/A different formulation of RBAC using XACML Jason Crampton A different formulation of RBAC using XACML DIMACS Workshop on Security of Web Services and e-Commerce

  15. XACML and RBAC/A different formulation of RBAC using XACML Jason Crampton Introduction Aims are to • Obtain a closer correspondence between XACML policies and RBAC model • Provide a more natural way of defining – Role hierarchies – Permissions – Permission-role assignment • Support the idea of complex permissions DIMACS Workshop on Security of Web Services and e-Commerce

  16. XACML and RBAC/A different formulation of RBAC using XACML Jason Crampton Crampton’s role-based XACML policies Role <PolicySet> Manager Role <PolicySet> • Role set explicitly defines role Employee Role <PolicySet> hierarchy • No mechanism for associating Permission Assignment <PolicySet> subjects with roles Manager Permission <PolicySet> • Permissions are first-class Employee Permission <PolicySet> entities • Permission can (easily) be Permission <PolicySet> assigned to multiple roles <Target> All purchase orders, sign <Target> All purchase orders, create DIMACS Workshop on Security of Web Services and e-Commerce

  17. XACML and RBAC/A different formulation of RBAC using XACML Jason Crampton Complex permissions PA <PolicySet> PO Officer Permission <PolicySet> Useful for hierarchically structured resources • XML data (Crampton, ComplexPermission <PolicySet> SWS 2004) • File systems Permission <PolicySet> • Object-oriented <Target> applications All purchase orders, sign <Target> All purchase orders, create DIMACS Workshop on Security of Web Services and e-Commerce

  18. XACML and RBAC/Assigning subjects to roles Jason Crampton Assigning subjects to roles DIMACS Workshop on Security of Web Services and e-Commerce

  19. XACML and RBAC/Assigning subjects to roles Jason Crampton RB-XACML view of user-role assignment role attribute set Context in request context PEP PDP Handler role attribute role attribute query role assignment attribute policy or query Context policyset PIP PDP Handler attribute REA DIMACS Workshop on Security of Web Services and e-Commerce

  20. XACML and RBAC/Assigning subjects to roles Jason Crampton Observations The design of the REA and role assignment policies is rather unambitious • The REA matches subject IDs to role attributes using a Role Assignment <PolicySet> • Designed for centralized systems with a known user population – Hardly suitable for web services! In XACML the <Subject> of an access request can be defined in terms of the requester’s attributes rather than its identity • The context handler is responsible for constructing the request and verifying the authenticity of the attributes (using PIPs) • The PDP matches <Target> elements in policies and rules to attributes in the request context DIMACS Workshop on Security of Web Services and e-Commerce

  21. XACML and RBAC/Assigning subjects to roles Jason Crampton Attribute-based role assignment (1) Use policy that assigns subjects to roles based on requester attributes (RBTM, Author- X , TPL) • Attributes define <Subject> element in request • Context handler is responsible for obtaining and verifying the authenticity of the attributes PDP matches attributes in request to role(s) using Role Assignment <PolicySet> • Role is now explicitly defined by the attributes that are required to enter into the role DIMACS Workshop on Security of Web Services and e-Commerce

  22. XACML and RBAC/Assigning subjects to roles Jason Crampton Attribute-based role assignment (2) <Request> <Subject> <Attribute IssuedBy="..."> Matched by PDP Role Assignment <PolicySet> Manager Role Assignment <Policy> Permission Assignment <PolicySet> <Target> Manager Permission <PolicySet> Subject has these attributes issued by these authorities Employee Permission <PolicySet> Role <PolicySet> Permission <PolicySet> Manager Role <PolicySet> <Target> All purchase orders, sign <Target> Employee Role <PolicySet> All purchase orders, create DIMACS Workshop on Security of Web Services and e-Commerce

  23. XACML and RBAC/Separation of duty using XACML Jason Crampton Separation of duty using XACML DIMACS Workshop on Security of Web Services and e-Commerce

  24. XACML and RBAC/Separation of duty using XACML Jason Crampton Introduction Policy requirement: No purchase order can be created and signed by the same user One common solution (ANSI RBAC) is to ensure that no user has the permission to both create and sign a purchase order • This solution imposes a constraint on users – There does not exist a user that can create and sign a purchase order • The requirement is a constraint on purchase orders – There does not exist a purchase order that has been created and signed by the same user DIMACS Workshop on Security of Web Services and e-Commerce

  25. XACML and RBAC/Separation of duty using XACML Jason Crampton Separation of duty in RBAC This solution is particularly unattractive in a role-based context • The permissions to create and sign a purchase order must be assigned to different roles r create and r sign • No user can be assigned to both r create and r sign • No role can be more senior than both r create and r sign These disadvantages can be mitigated using dynamic rather than static separation of duty DIMACS Workshop on Security of Web Services and e-Commerce

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored by: Hal Lockhart Entegrity Solutions and OASIS XACML Draft Standard CS 6204, Spring 2005 1 2 Dataflow Model From: OASIS XACML Specification

929 views • 16 slides
Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado Distributed Multimedia Applications Group (DMAG) Universitat Politcnica de Catalunya (UPC) W3C Workshop on Access Control Application Scenarios

712 views • 24 slides
Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of

Role-based access control Role-based access control 1 RBAC: Motivations Complexity of security administration p y y For large number of subjects and objects, the number of authorizations can become extremely large For dynamic

536 views • 51 slides
An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said

An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said

An Automated Model-based Test Oracle for Access Control Systems Antonia Bertolino 1 , Said Daoudagh 1,2 , Francesca Lonetti 1 , Eda Marchetti 1 1 ISTI-CNR 2 University of Pisa Agenda Introduction Access Control Systems XACML policies

459 views • 31 slides
A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and

A Distributed Calculus for Role-Based Access Control Chiara Braghin joint work with D. Gorla and V. Sassone MyThS Meeting, Venice, June, 14th, 2004 A Distributed Calculus for Role-Based Access Control p.1/18 RBAC Why: Role-Based Access

613 views • 36 slides
Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody

Meta-policies for Distributed Role-based Access Control Andrs Belokosztolszki, Ken Moody {ab374,km}@cl.cam.ac.uk University of Cambridge, Computer Laboratory, OPERA Policy 2002 1 Outline Role-Based Access Control OASIS

480 views • 14 slides
Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System

Role-Based Access Control Corban Rivera CS 6204, Spring 2005 1 Trusted Computer System Evaluation Criteria (TCSEC) Background MAC Mandatory Access Control Firm security levels DAC Discretionary Access Control Access

240 views • 6 slides
PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1

PERMIS Role-Based Access Control Example System Presenter: Haiyan Cheng CS 6204, Spring 2005 1 PERMIS Review A role-based access control infrastructure Uses X.509 attribute certificate (AC) to store users roles All access

397 views • 8 slides
XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of

XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of

Department of Computer Sciences XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of Computer Sciences XACML OASIS standard for specifying access control policies in enterprise systems. XML

341 views • 11 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation

Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation

Introduction Delegation operations in hierarchical RBAC Delegation in Role-Based Access Control Controlling delegation Enforcing transfer delegation Jason Crampton Hemanth Khambhammettu semantics Conclusion Information Security

959 views • 57 slides
Role-Based Access Control CS461/ECE422 Spring 2012 Reading

Role-Based Access Control CS461/ECE422 Spring 2012 Reading

Role-Based Access Control CS461/ECE422 Spring 2012 Reading Material Chapter 4, sec?ons 4.5 and 4.6 [SFK00] DAC vs RBAC DAC Users, Groups

415 views • 25 slides
Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal

Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal

Constraints in Role-Based Access Control Jason Crampton Information Security Group, Royal Holloway University of London jason.crampton@rhul.ac.uk www.isg.rhul.ac.uk/~jason Outline Introduction Separation of duty Role-based

482 views • 14 slides
XACML, ABAC, Privacy preserving access-controls Oleksandr

XACML, ABAC, Privacy preserving access-controls Oleksandr

XACML, ABAC, Privacy preserving access-controls Oleksandr Bodriagov School of Computer Science and Communica9on KTH - The Royal Ins9tute of

509 views • 25 slides
Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File

Working Set- -Based Access Control for Based Access Control for Working Set Network File Systems Network File Systems Stephen Smaldone, Vinod Ganapathy, and Liviu Iftode DiscoLab - Department of Computer Science Rutgers, The State University

667 views • 23 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov

Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov

Cooperative Secondary Authorization Recycling Qiang Wei, Matei Ripeanu, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (lersse.ece.ubc.ca) University of British Columbia Typical Authorization

256 views • 23 slides
P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

P r i v a c y b y D e f a u l t . P G P / G P G P G P P r e t t

p r e t t y E a s y p r i v a c y s v a @p E p . f o u n d a t i o n h t t p s : / / p E p . f o u n d a t i o n t w i t t e r @s v a t w i t t e r @p E p f o u n d

1.21k views • 93 slides
T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a

T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a

T h e B l a c k M a g i c o f P y t h o n Wh e e l s E l a n a H a s h ma n P y t h o n P a c k a g i n g A u t h o r i t y P y C o n U S 2 0 1 9 C l e v e l a n d

581 views • 37 slides
through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding

through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding

Showing current Attainment through the PEP From September 2018 Any year group Current Attainment Emerging Exceeding Expected Current Attainment - detail Expected + Expected Expected - Any year group- 9 pots, the full picture Attitude to

321 views • 10 slides
Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice

Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice

Solar Neutrinos with Borexino Low Background Lessons for the JinPing Laboratory Frank Calaprice and Jingke Xu Department of Physics Princeton University 4/10/2014 1 Solar Neutrinos at Jin Ping Solar Neutrinos with Borexino First

485 views • 33 slides
Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015

Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015

Columbia Business School Private Equity Fellows Program 2015-16 Information Session: Prospective Applicants April 15, 2015 Margaret Cannella, Adjunct Professor and Administrative Director, Private Equity Program Greta Larson, Associate

303 views • 17 slides
A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut

A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut

A Framework for Managing and Analyzing Changes of Security Policies Achim D. Brucker Helmut Petritsch { achim.brucker, helmut.petritsch } @sap.com SAP Research Karlsruhe Germany IEEE International Symposium on Policies for Distributed Systems

662 views • 17 slides
Pythonic Coding Style A Foolish Consistency is the Hobgoblin of Little Minds Guido van Rossum

Pythonic Coding Style A Foolish Consistency is the Hobgoblin of Little Minds Guido van Rossum

Pythonic Coding Style A Foolish Consistency is the Hobgoblin of Little Minds Guido van Rossum (creator of Python) makes a point: code is read more often than it is written , so readability counts . Python is one of the few languages with an

555 views • 20 slides

More recommend