XACML and Role-Based Access Control
Jason Crampton, Royal Holloway, University of London
DIMACS Workshop on Secure Web Services and e-Commerce
XACML and RBAC/Introduction Jason Crampton
Programme
Examine the XACML standard and the XACML RBAC profile
- Examine the XACML implementation of role-based access
control policies
- Identify any shortcomings
- Identify any omissions
- Propose some extensions and alternative approaches
DIMACS Workshop on Security of Web Services and e-Commerce
Outline of talk
- Introduction to XACML
- Introduction to RBAC
- The XACML RBAC profile
- An alternative approach to RBAC using XACML
- Assigning subjects to roles
- Separation of duty
XACML
Introduction
XACML is a dialect of XML used to specify and enforce authorization policies. XACML 2.0 was approved as an OASIS standard on 1 February 2005. XACML is intended to provide:
- Interchangeable policy format
- Support for fine- and coarse-grained authorization policies
- Conditional authorization
- Policy combination and conflict resolution
- Independence from implementation
The XACML view of access control
[Figure: XACML data-flow diagram. Components: Subject, PEP, Context Handler, PDP, PIP, PAP, Resource. Labelled flows: access request (Subject to PEP), request and response (PEP and Context Handler), request context and response context (Context Handler and PDP), attribute query and attribute (Context Handler and PIP), Policy or PolicySet (PAP to PDP).]
XACML building blocks
[Figure: XACML building blocks. A <PolicySet> contains <Policy> elements, each of which contains <Rule> elements. PolicySet, Policy and Rule each have a <Target> made up of <Subject>, <Action> and <Resource>; a Rule may also carry a <Condition>. A <Request> carries its own <Subject>, <Action> and <Resource>, which the PDP evaluates against the policy tree.]
PDP processing:
- Match subject, resource, action in request
- Match condition
- Combine rules' results
- Combine policies' results
- Combine policy sets' results
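As an added illustration of the PDP processing steps listed above, the following small Python model evaluates a request against targets, conditions, rule-combining and policy-combining algorithms. This is example code written for this page, not code from the talk or from any XACML implementation; the short attribute identifiers (subject-id, resource-id, action-id, role, hour), the policies, and the simplified handling of Indeterminate in the two combining algorithms are all constructed for the example.

```python
"""Minimal model of XACML evaluation over the building blocks above.
Added example: not the talk's code nor any XACML implementation. <Target>,
<Rule>, <Policy> and <PolicySet> are Python objects, a <Condition> is a
callable over the request context, and only two combining algorithms are
modelled, with simplified handling of Indeterminate."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]  # request context: attribute id -> value (constructed ids)


@dataclass(frozen=True)
class Target:
    """<Target>: each listed attribute must equal the request's; None means any."""
    subject: Optional[str] = None
    resource: Optional[str] = None
    action: Optional[str] = None

    def matches(self, req: Request) -> bool:
        wanted = (("subject-id", self.subject),
                  ("resource-id", self.resource),
                  ("action-id", self.action))
        return all(v is None or req.get(k) == v for k, v in wanted)


@dataclass(frozen=True)
class Rule:
    effect: str                                   # "Permit" or "Deny"
    target: Target = Target()
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        if not self.target.matches(req):
            return "NotApplicable"
        if self.condition is not None:
            try:
                if not self.condition(req):
                    return "NotApplicable"
            except (KeyError, ValueError, TypeError):
                return "Indeterminate"            # e.g. attribute missing from the context
        return self.effect


def deny_overrides(results: List[str]) -> str:
    """Simplified deny-overrides: any Deny wins, then any error, then Permit."""
    if "Deny" in results:
        return "Deny"
    if "Indeterminate" in results:
        return "Indeterminate"
    return "Permit" if "Permit" in results else "NotApplicable"


def permit_overrides(results: List[str]) -> str:
    """Simplified permit-overrides: any Permit wins, then any error, then Deny."""
    if "Permit" in results:
        return "Permit"
    if "Indeterminate" in results:
        return "Indeterminate"
    return "Deny" if "Deny" in results else "NotApplicable"


@dataclass(frozen=True)
class Policy:
    target: Target
    rules: tuple                                  # of Rule
    combine: Callable[[List[str]], str]           # rule-combining algorithm

    def evaluate(self, req: Request) -> str:
        if not self.target.matches(req):
            return "NotApplicable"
        return self.combine([r.evaluate(req) for r in self.rules])


@dataclass(frozen=True)
class PolicySet:
    target: Target
    policies: tuple                               # of Policy or PolicySet
    combine: Callable[[List[str]], str]           # policy-combining algorithm

    def evaluate(self, req: Request) -> str:
        if not self.target.matches(req):
            return "NotApplicable"
        return self.combine([p.evaluate(req) for p in self.policies])


# Constructed policies: managers may sign purchase orders, but nothing may be
# done to a purchase order after 18:00 (the "hour" attribute comes from a PIP).
MANAGERS_SIGN = Policy(
    target=Target(resource="purchase-order", action="sign"),
    rules=(Rule("Permit", condition=lambda r: r["role"] == "manager"),),
    combine=permit_overrides,
)
AFTER_HOURS = Policy(
    target=Target(resource="purchase-order"),
    rules=(Rule("Deny", condition=lambda r: int(r["hour"]) >= 18),),
    combine=deny_overrides,
)
PURCHASE_ORDERS = PolicySet(
    target=Target(resource="purchase-order"),
    policies=(MANAGERS_SIGN, AFTER_HOURS),
    combine=deny_overrides,
)


def decide(req: Request) -> str:
    """The PDP: evaluate the top-level <PolicySet> against the request context."""
    return PURCHASE_ORDERS.evaluate(req)
```

The point to notice is the third outcome: when the PIP cannot supply the "hour" attribute the deny rule is Indeterminate rather than NotApplicable, and deny-overrides propagates that to the top, so a closed PEP refuses the access instead of silently permitting it.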
ANSI RBAC
Core RBAC
[Figure: sets U (users), R (roles) and P (permissions), linked by the relations UA (user-role assignment, between U and R) and PA (permission-role assignment, between R and P).]
Hierarchical RBAC
[Figure: the same sets U, R and P and relations UA and PA as in core RBAC, with a role hierarchy added on R.]
The XACML RBAC profile
Introduction
RB-XACML 2.0 was approved as an OASIS committee draft on 30 September 2004. It implements the core and hierarchical components of the ANSI standard:
- Roles and role hierarchies
- Permission-role assignment relation
- User-role assignment relation
It does not support separation of duty
- RB-XACML 1.0 did support separation of duty
RB-XACML policies
[Figure: RB-XACML policy structure. A Role <PolicySet> whose <Target> matches any subject with the manager role attribute references a Manager Permission <PolicySet> (target: all purchase orders, sign), which in turn references an Employee Permission <PolicySet> (target: all purchase orders, create).]
- Role assignment is strongly bound to role definition
- Permissions are strongly bound to roles
- Role hierarchy is defined implicitly using permission aggregation
- Extensive use is made of <PolicyIdReference> and <PolicySetIdReference> elements
A different formulation of RBAC using XACML
Introduction
Aims are to
- Obtain a closer correspondence between XACML policies and the RBAC model
- Provide a more natural way of defining
  – Role hierarchies
  – Permissions
  – Permission-role assignment
- Support the idea of complex permissions
Crampton’s role-based XACML policies
[Figure: Crampton's role-based XACML policy structure. A Role <PolicySet> groups Manager Role and Employee Role <PolicySet> elements; a separate Permission <PolicySet> groups Manager Permission and Employee Permission <PolicySet> elements, each with its own <Target> (all purchase orders, sign; all purchase orders, create); a Permission Assignment <PolicySet> links roles to permissions.]
- Role set explicitly defines role hierarchy
- No mechanism for associating subjects with roles
- Permissions are first-class entities
- Permission can (easily) be assigned to multiple roles
Complex permissions
[Figure: complex permission. A ComplexPermission <PolicySet> contains a PO Officer Permission <PolicySet>, which aggregates Permission <PolicySet> elements with the targets "all purchase orders, sign" and "all purchase orders, create"; a PA <PolicySet> assigns the complex permission.]
Useful for hierarchically structured resources
- XML data (Crampton, SWS 2004)
- File systems
- Object-oriented applications
Assigning subjects to roles
RB-XACML view of user-role assignment
[Figure: RB-XACML user-role assignment. The REA (Role Enablement Authority) sends a role attribute query through a Context Handler to the PDP, which evaluates the role assignment policy or policyset, querying a PIP for attributes, and returns the role attribute. The role attribute is then set in the request context that the PEP's Context Handler passes to the PDP for the access decision.]
Observations
The design of the REA and role assignment policies is rather unambitious
- The REA matches subject IDs to role attributes using a Role Assignment <PolicySet>
- Designed for centralized systems with a known user population
  – Hardly suitable for web services!
In XACML the <Subject> of an access request can be defined in terms of the requester's attributes rather than its identity
- The context handler is responsible for constructing the request and verifying the authenticity of the attributes (using PIPs)
- The PDP matches <Target> elements in policies and rules to attributes in the request context
Attribute-based role assignment (1)
Use a policy that assigns subjects to roles based on requester attributes (RBTM, Author-X, TPL)
- Attributes define the <Subject> element in the request
- The context handler is responsible for obtaining and verifying the authenticity of the attributes
The PDP matches attributes in the request to role(s) using a Role Assignment <PolicySet>
- The role is now explicitly defined by the attributes that are required to enter into the role
Attribute-based role assignment (2)
[Figure: attribute-based role assignment. The role and permission structure is as before (Role <PolicySet> containing Manager Role and Employee Role; Permission <PolicySet> containing Manager Permission and Employee Permission with targets "all purchase orders, sign" and "all purchase orders, create"; a Permission Assignment <PolicySet>). A Role Assignment <PolicySet> now contains, for example, a Manager Role Assignment <Policy> whose <Target> states that the subject must hold certain attributes issued by certain authorities. The <Request> carries a <Subject> with <Attribute IssuedBy="..."> elements, which the PDP matches against that target.]
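To make the alternative formulation concrete, here is a small Python model that covers both the role-based structure (explicit role hierarchy, first-class and complex permissions) and the attribute-based role assignment just described. It is example code written for this page, not code from the talk or from any XACML implementation; the XML policy sets are replaced by plain Python objects, and every role, permission, resource pattern and attribute issuer (for instance "hr.example") is constructed for the example.

```python
"""Toy PDP for the role-based formulation with attribute-based role assignment.
Added example: not the talk's code nor any XACML implementation. Role and
Permission <PolicySet> elements are Python objects; names are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """A first-class Permission <PolicySet>: a (resource, action) target and/or
    references to other permissions (a complex permission)."""
    name: str
    resource: str = ""            # exact id, or a prefix pattern such as "records/hr/*"
    action: str = ""
    includes: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Role:
    """A Role <PolicySet>: references to permissions (PA) and to junior roles,
    which makes the role hierarchy explicit rather than implicit."""
    name: str
    permissions: Tuple[str, ...] = ()
    juniors: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Attribute:
    name: str
    value: str
    issuer: str                   # the authority that issued it (IssuedBy)


@dataclass(frozen=True)
class RoleAssignmentRule:
    """One <Policy> of the Role Assignment <PolicySet>: the subject enters the
    role if it presents every (name, value, issuer) triple; value None = any."""
    role: str
    required: Tuple[Tuple[str, Optional[str], str], ...]


PERMISSIONS = {p.name: p for p in (
    Permission("po:create", "purchase-order", "create"),
    Permission("po:sign", "purchase-order", "sign"),
    Permission("hr:read", "records/hr/*", "read"),
    Permission("finance:read", "records/finance/*", "read"),
    Permission("records:read", includes=("hr:read", "finance:read")),  # complex permission
)}
ROLES = {r.name: r for r in (
    Role("Employee", permissions=("po:create",)),
    Role("Manager", permissions=("po:sign", "records:read"), juniors=("Employee",)),
)}
ROLE_ASSIGNMENT = (
    RoleAssignmentRule("Employee", (("employee-id", None, "hr.example"),)),
    RoleAssignmentRule("Manager", (("employee-id", None, "hr.example"),
                                   ("grade", "manager", "hr.example"))),
)


def resource_matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("/*"):                  # hierarchically structured resource
        return resource.startswith(pattern[:-1])
    return pattern == resource


def permission_grants(name: str, resource: str, action: str, seen=frozenset()) -> bool:
    """Does the permission, or any permission it aggregates, cover the access?"""
    if name in seen:                            # guard against reference cycles
        return False
    p = PERMISSIONS[name]
    if p.resource and p.action == action and resource_matches(p.resource, resource):
        return True
    return any(permission_grants(n, resource, action, seen | {name}) for n in p.includes)


def role_grants(name: str, resource: str, action: str, seen=frozenset()) -> bool:
    """Does the role hold the permission directly or inherit it from a junior?"""
    if name in seen:
        return False
    r = ROLES[name]
    if any(permission_grants(p, resource, action) for p in r.permissions):
        return True
    return any(role_grants(j, resource, action, seen | {name}) for j in r.juniors)


def assign_roles(attrs: Iterable[Attribute]) -> Set[str]:
    """Match the verified attributes in the request to roles. An attribute with
    the right name and value but the wrong issuer does not count."""
    attrs = tuple(attrs)

    def satisfied(req):
        name, value, issuer = req
        return any(a.name == name and a.issuer == issuer
                   and (value is None or a.value == value) for a in attrs)

    return {rule.role for rule in ROLE_ASSIGNMENT if all(map(satisfied, rule.required))}


def decide(attrs: Iterable[Attribute], resource: str, action: str) -> str:
    """Permit if any role the subject enters grants the access, otherwise
    NotApplicable (which a closed PEP treats as deny)."""
    roles = assign_roles(attrs)
    return "Permit" if any(role_grants(r, resource, action) for r in roles) else "NotApplicable"
```

The issuer check in assign_roles is where the "issued by these authorities" part of the Role Assignment target lives: a requester who self-asserts grade=manager gets only the Employee role, because that attribute was not issued by hr.example. The context handler is assumed to have already verified the signatures on the attributes before they reach this function.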
Separation of duty using XACML
Introduction
Policy requirement: No purchase order can be created and signed by the same user.
One common solution (ANSI RBAC) is to ensure that no user has the permission to both create and sign a purchase order
- This solution imposes a constraint on users
  – There does not exist a user that can create and sign a purchase order
- The requirement is a constraint on purchase orders
  – There does not exist a purchase order that has been created and signed by the same user
Separation of duty in RBAC
This solution is particularly unattractive in a role-based context
- The permissions to create and sign a purchase order must be assigned to different roles r_create and r_sign
- No user can be assigned to both r_create and r_sign
- No role can be more senior than both r_create and r_sign
These disadvantages can be mitigated using dynamic rather than static separation of duty
Blacklists
An alternative solution is to implement user-based separation of duty at the object instance level (Crampton, SACMAT 2003)
- Inspired by the history matrix concept from the Chinese wall model and capability lists derived from the access control matrix model
- Maintain dynamic "anti-capability-lists" or blacklists for each user
- If Jason creates purchase order p then the permission (p, sign) is appended to Jason's blacklist
- Concept can be generalized to implement other forms of separation of duty
Blacklists using XACML
<PolicySet PolicySetId="blacklists" ...>
  <Target> ... anyone ... any resource ... any action ... </Target>
  <PolicyIdReference>blacklist:jason</PolicyIdReference>
  . . .
</PolicySet>

<Policy PolicyId="blacklist:jason" ... RuleCombiningAlgorithm="deny-overrides" ...>
  <Target> ... jason ... any resource ... any action ... </Target>
  <Rule Effect="Deny" ...>
    <Target> ... purchase-order-id="123" action="sign" ... </Target>
  </Rule>
  . . .
</Policy>
XACML <Obligations>
Policy requirement: A physician may write to a medical record provided an email is sent to the patient.
The (optional) <Obligations> element of an XACML <Policy> is a directive to the PEP to perform additional processing following the enforcement of an access control decision
- Contains one or more <Obligation> elements
- Typically references elements in the request context
- Processing of <Obligations> elements is application-specific
Putting it all together (1)
Basic idea is to exploit the <Obligations> mechanism to update blacklists
- The permission to create purchase orders must include an <Obligation> element
- The <Obligation> element requires that the PEP write a new rule to the appropriate blacklist <Policy>
  – If a request by Jason to create a purchase order is permitted . . .
  – . . . then a new <Rule> must be added to Jason's blacklist
Putting it all together (2)
<PolicySet ... PolicySetId="Permission:Set" ...>
  <Policy ... PolicyId="permission:po:create" ...>
    <Rule ...>
      <Target> ... purchase orders ... create </Target>
    </Rule>
    <Obligations ...>
      <Obligation FulfillOn="Permit" ...>
        add permission (this-purchase-order,sign) to subject's blacklist
      </Obligation>
    </Obligations>
  </Policy>
  . . .
</PolicySet>
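The following Python model runs the blacklist scheme end to end: the blacklist <PolicySet> and the purchase-order permission with its <Obligation> are represented as functions, the PDP combines them with deny-overrides, and the PEP fulfils the obligation by appending a Deny rule to the subject's blacklist. This is example code written for this page, not code from the talk or from any XACML implementation; the user names, purchase-order identifiers ("po:123"), the obligation name "add-to-blacklist" and the AUTHORIZED table are constructed for the example.

```python
"""PDP/PEP loop for blacklist-based separation of duty driven by <Obligations>.
Added example: not the talk's code nor any XACML implementation. The two policy
sets (per-user blacklists, purchase-order permissions with an obligation) are
plain functions; users, purchase-order ids and the obligation name are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str                 # purchase-order id, e.g. "po:123"
    action: str


@dataclass
class Decision:
    effect: str                   # Permit / Deny / NotApplicable
    obligations: List[Tuple[str, str, str, str]] = field(default_factory=list)


# Constructed: who holds the permissions to create and sign purchase orders.
# Both users hold both, so static separation of duty could not express the requirement.
AUTHORIZED = {"jason": {"create", "sign"}, "alice": {"create", "sign"}}

# Dynamic blacklists: user -> set of (resource, action) pairs, i.e. the
# <Rule Effect="Deny"> elements of that user's blacklist <Policy>.
BLACKLISTS = {}


def blacklist_policy_set(req: Request) -> Decision:
    """<PolicySet PolicySetId="blacklists">: Deny if the subject's blacklist lists the permission."""
    if (req.resource, req.action) in BLACKLISTS.get(req.subject, set()):
        return Decision("Deny")
    return Decision("NotApplicable")


def permission_policy_set(req: Request) -> Decision:
    """permission:po:create / permission:po:sign, with the obligation on create."""
    if not req.resource.startswith("po:") or req.action not in AUTHORIZED.get(req.subject, ()):
        return Decision("NotApplicable")
    d = Decision("Permit")
    if req.action == "create":
        # <Obligation FulfillOn="Permit">: add (this-purchase-order, sign) to the subject's blacklist
        d.obligations.append(("add-to-blacklist", req.subject, req.resource, "sign"))
    return d


def pdp_evaluate(req: Request) -> Decision:
    """deny-overrides across the two policy sets; obligations of Permit results are passed on."""
    results = [blacklist_policy_set(req), permission_policy_set(req)]
    if any(r.effect == "Deny" for r in results):
        return Decision("Deny")
    permits = [r for r in results if r.effect == "Permit"]
    if not permits:
        return Decision("NotApplicable")
    return Decision("Permit", [o for r in permits for o in r.obligations])


def pep_enforce(req: Request) -> str:
    """The PEP: enforce the decision and fulfil its obligations. A Permit whose
    obligations cannot be fulfilled is not granted; anything but Permit is denied."""
    d = pdp_evaluate(req)
    if d.effect != "Permit":
        return "Deny"
    for kind, user, resource, action in d.obligations:
        if kind != "add-to-blacklist":
            return "Deny"             # unknown obligation: the PEP cannot comply
        BLACKLISTS.setdefault(user, set()).add((resource, action))
    return "Permit"


def run_scenario() -> List[str]:
    """Jason creates po:123; he may no longer sign it, Alice may, and Jason may
    still sign a different purchase order (the constraint is per instance)."""
    BLACKLISTS.clear()
    return [
        pep_enforce(Request("jason", "po:123", "create")),
        pep_enforce(Request("jason", "po:123", "sign")),
        pep_enforce(Request("alice", "po:123", "sign")),
        pep_enforce(Request("jason", "po:124", "sign")),
    ]
```

Two things a deployment has to get right that the model glosses over: the new Deny rule must be written to the blacklist <Policy> (through the PAP, so the PDP sees it) before the create completes and the purchase order becomes visible, otherwise a concurrent sign request can arrive in the window between the Permit and the blacklist update; and the PEP must treat a failure to fulfil the obligation as a failure of the create itself, which is why pep_enforce returns "Deny" on an obligation it cannot carry out.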
Putting it all together (3)
[Figure: the XACML data-flow diagram from the XACML section (Subject, PEP, Context Handler, PDP, PIP, PAP, Resource, with the access request, request/response, request/response context, attribute query/attribute and Policy or PolicySet flows), extended with a "process obligations" step at the PEP after the response is returned.]
Future work
- Liaise with XACML TC
  – Explore the advantages of the alternative formulation of RBAC using XACML
  – Include separation of duty in XACML RBAC profile
- Investigate the extent to which obligations, XACML policies, and role-based administrative models can be used to manage XACML RBAC policies
- Investigate to what extent SAML and XACML can inter-operate to support
  – Attribute-based role assignment
  – Discovery of distributed credentials and credential chains