Upload File

why using xacml as onem2m access control policy group name: wg4 source: wei zhou, catt,...

16
Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, [email protected] Meeting Date: <2014-09-22> Agenda Item: <agenda item topic name>

Upload: jaylan-yandell

Post on 14-Dec-2015

219 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

Why Using XACML as oneM2M Access Control Policy

Group Name: WG4Source: Wei Zhou, CATT, [email protected] Date: <2014-09-22>Agenda Item: <agenda item topic name>

Page 2: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

What is XACML

• eXtensible Access Control Markup Language (XACML) is an XML-based access control language defined by the Organization for the Advancement of Structured Information Standards (OASIS). XACML access control framework conforms to the Attribute Based Access Control (ABAC).(Version 2.0, 2005; Version 3.0, 2013)

• The oneM2M authorization system shall select XACML as its access control policy description language.

Page 3: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Policy Structure

Page 4: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML <Target> Element Structure

<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role" DataType="http://www.w3.org/2001/XMLSchema#string"/></Match>

Value in policyMatch function

Value from request

Page 5: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML <Condition> Element Structure

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:3.0:example: attribute:physician-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="md:record/md:primaryCarePhysician/md:registrationID/text()" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply></Apply>

Page 6: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Attribute Categories

• Subject attribute category: Originator, Role, …• Resource attribute category: Resource URI, Creation

time, …• Action attribute category: Retrieve, Update, …• Environment attribute category: current time, IP

Address, …• It is extensible

Page 7: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Defines 8 Rule and Policy Combining Algorithms

1. Deny-overrides2. Ordered-deny-overrides3. Permit-overrides4. Ordered-permit-overrides5. Deny-unless-permit6. Permit-unless-deny7. First-applicable8. Only-one-applicable

Page 8: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Defines a lot of Attribute Identifiers

Identifier M/O

urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name O

urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address O

urn:oasis:names:tc:xacml:1.0:subject:authentication-method O

urn:oasis:names:tc:xacml:1.0:subject:authentication-time O

urn:oasis:names:tc:xacml:1.0:subject:key-info O

urn:oasis:names:tc:xacml:1.0:subject:request-time O

urn:oasis:names:tc:xacml:1.0:subject:session-start-time O

urn:oasis:names:tc:xacml:1.0:subject:subject-id O

urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier O

urn:oasis:names:tc:xacml:1.0:subject-category:access-subject M

urn:oasis:names:tc:xacml:1.0:subject-category:codebase O

urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject O

urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject O

urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine O

urn:oasis:names:tc:xacml:1.0:resource:resource-location O

urn:oasis:names:tc:xacml:1.0:resource:resource-id M

urn:oasis:names:tc:xacml:1.0:resource:simple-file-name O

urn:oasis:names:tc:xacml:1.0:action:action-id O

urn:oasis:names:tc:xacml:1.0:action:implied-action O

Page 9: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Defines a lot of Data Types

Data-type M/O

http://www.w3.org/2001/XMLSchema#string M

http://www.w3.org/2001/XMLSchema#boolean M

http://www.w3.org/2001/XMLSchema#integer M

http://www.w3.org/2001/XMLSchema#double M

http://www.w3.org/2001/XMLSchema#time M

http://www.w3.org/2001/XMLSchema#date M

http://www.w3.org/2001/XMLSchema#dateTime M

http://www.w3.org/2001/XMLSchema#dayTimeDuration M

http://www.w3.org/2001/XMLSchema#yearMonthDuration M

http://www.w3.org/2001/XMLSchema#anyURI M

http://www.w3.org/2001/XMLSchema#hexBinary M

http://www.w3.org/2001/XMLSchema#base64Binary M

urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name M

urn:oasis:names:tc:xacml:1.0:data-type:x500Name M

urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression O

urn:oasis:names:tc:xacml:2.0:data-type:ipAddress M

urn:oasis:names:tc:xacml:2.0:data-type:dnsName M

Page 10: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Defines a lot of FunctionsFunction M/Ourn:oasis:names:tc:xacml:1.0:function:string-equal Murn:oasis:names:tc:xacml:1.0:function:boolean-equal Murn:oasis:names:tc:xacml:1.0:function:integer-equal Murn:oasis:names:tc:xacml:1.0:function:double-equal Murn:oasis:names:tc:xacml:1.0:function:date-equal Murn:oasis:names:tc:xacml:1.0:function:time-equal Murn:oasis:names:tc:xacml:1.0:function:dateTime-equal Murn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal Murn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal Murn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case Murn:oasis:names:tc:xacml:1.0:function:anyURI-equal Murn:oasis:names:tc:xacml:1.0:function:x500Name-equal Murn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal Murn:oasis:names:tc:xacml:1.0:function:hexBinary-equal Murn:oasis:names:tc:xacml:1.0:function:base64Binary-equal Murn:oasis:names:tc:xacml:1.0:function:integer-add Murn:oasis:names:tc:xacml:1.0:function:double-add Murn:oasis:names:tc:xacml:1.0:function:integer-subtract Murn:oasis:names:tc:xacml:1.0:function:double-subtract Murn:oasis:names:tc:xacml:1.0:function:integer-multiply Murn:oasis:names:tc:xacml:1.0:function:double-multiply Murn:oasis:names:tc:xacml:1.0:function:integer-divide Murn:oasis:names:tc:xacml:1.0:function:double-divide Murn:oasis:names:tc:xacml:1.0:function:integer-mod M

Page 11: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML Request and Response Contexts

Attribute categories:•Subject•Resource•Action•Environment•New defined attribute categories (e.g. Token)

Authorization decision:•"Permit"•"Deny"•"Indeterminate"•"NotApplicable"

Page 12: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

Using XACML in oneM2M Authorization Architecture

Access Requester

Resource

PolicyEnforcement

Point(PEP)

PolicyDecision

Point(PDP)

Access Request Access

PolicyInformation

Point(PIP)

PolicyRetrieval

Point(PRP)

XACML RequestContext

XACML ResponseContext

XACML Request Context

XACML Policy Set

Attribute Request

Attribute Response

Page 13: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

Mapping oneM2M request parameters to the XACML request context

Parameter in oneM2M

Description Attributes Category in XACML

AttributeId in XACML

DataType in XACML

to URI of target resource urn:oasis:names:tc:xacml:3.0:attribute-category:resource

urn:oasis:names:tc:xacml:1.0:resource:resource-id

ttp://www.w3.org/2001/XMLSchema#anyURI

fr Identifier representing the originator of the request

urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

urn:oasis:names:tc:xacml:1.0:subject:subject-id

http://www.w3.org/2001/XMLSchema#string

role Role of the originator urn:oasis:names:tc:xacml:1.0:subject-category:access-subject

TBD http://www.w3.org/2001/XMLSchema#string

op Requested operation urn:oasis:names:tc:xacml:3.0:attribute-category:action

urn:oasis:names:tc:xacml:1.0:action:action-id

http://www.w3.org/2001/XMLSchema#string

rq_time Context information urn:oasis:names:tc:xacml:3.0:attribute-category:environment

urn:oasis:names:tc:xacml:1.0:environment:current-time

http://www.w3.org/2001/XMLSchema#time

rq_loc Context information urn:oasis:names:tc:xacml:3.0:attribute-category:environment

TBD TBD

rq_ip Context information urn:oasis:names:tc:xacml:3.0:attribute-category:environment

urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address

urn:oasis:names:tc:xacml:2.0:data-type:ipAddress

fc Filter criteria urn:oasis:names:tc:xacml:3.0:attribute-category:resource

TBD http://www.onem2m.org/xml/protocols#filterCriteria

Page 14: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

Mapping from oneM2M access control decision to XACML authorization decision

Access control decision in oneM2M

Description Authorization decision in XACML

TRUE or 1 The requested access is permitted.

“Permit”

FALSE or 0 The requested access is denied. “Deny”

Page 15: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

XACML is Extensible

<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">

<Attribute IncludeInResult="false" AttributeId="urn:onem2m:names:attribute:role" Issuer="onem2m.example.com">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string" >002-Device Configuration</AttributeValue>

</Attribute> <Attribute IncludeInResult="false"

AttributeId="urn:onem2m:names:attribute:token" Issuer="onem2m.example.com">

<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#base64Binary">TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2YgdGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGludWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=

</AttributeValue> </Attribute></Attributes>

Example of adding role and token in XACML request context

Page 16: Why Using XACML as oneM2M Access Control Policy Group Name: WG4 Source: Wei Zhou, CATT, zhouwei@catt.cn Meeting Date: Agenda Item:

What we should do if XACML is used in oneM2M

• Defining new attribute IDs, e.g. attribute ID for role• Defining new attribute categories, e.g. security token• Defining new functions, e.g. functions for location and

wildcard matching.• And so on…


2 eXtensible Access Control Markup Language 3 …docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0...2 eXtensible Access Control Markup Language 3 (XACML) Version 2.0 4 OASIS

eXtensible Access Control Markup Language (XACML) Version ...docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3... · xacml-3.0-core-spec-errata01-os-complete 12 July 2017 Standards

COSMO WG4 activities Oct. 2003-Sept. 2004 Pierre Eckert MétéoSuisse WG4 coordinator Interpretation and applications

XACML Data Loss Prevention / Network Access Control (DLP ...docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/... · XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile

OASIS XACML XML DSig Profile

XACML-Grid and XACML-NRP Attributes and Policy Profiles · XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf

Tutorial on XACML

04 Fn42434en80gla0 Xacml Examples

XACML v3.0 Hierarchical Resource Profile Version 1docs.oasis-open.org/xacml/3.0/hierarchical/v1.0/cs... · xacml-3.0-hierarchical-v1.0-cs02 18 May 2014 . The . . . . hierarchical

XACML MAP Authorization Profile Version 1 - OASISdocs.oasis-open.org/xacml/xacml-map-authz/v1.0/cs01/xacml-map-a… · XACML MAP Authorization Profile Version 1.0. Edited by Richard

03 Fn42433en80gla0 Xacml Access Rules

Cs Xacml Specification 01 1

XACML Profile for Role Based Access Control (RBAC)docs.oasis-open.org/xacml/cd-xacml-rbac-profile-01.pdf · 1 Introduction (non-normative) This specification defines a profile for

WG4 Pelvic girdle pain CONCEPT VERSION - Chiro · WG4 Pelvic girdle pain Objectives The focus of Working Group 4 (WG4) is to produce a guideline on pelvic girdle pain (PGP). The WG4

REST Profile of XACML v3.0 Version 1 - OASISdocs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1...1.5.2 Cloud Computing..... 7 1.5.3 REST ..... 8 1.5.4 RESTful Authorization as

Fine-grained authorization with XACML

JSON Profile of XACML 3.0 Version 1 - OASISdocs.oasis-open.org/xacml/xacml-json-http/v1.0/... · 4 The XACML architecture promotes a loose coupling between the component that enforces

XACML - XML Amsterdam2011

WG4 – Progress report

SAML 2.0 Profile of XACML 2.0 v2 - OASISdocs.oasis-open.org/xacml/3.0/xacml-profile-saml2.0-v2-spec-cs-01-en.pdfthis profile: 1) use of SAML 2.0 Attribute Assertions with XACML, including

XACML MAP Authorization Profile Version 1docs.oasis-open.org/xacml/xacml-map-authz/v1.0/os/xacml... · 2015. 1. 19. · xacml-map-authz-v1.0-os 19 January 2015 Standards Track Work

Web Services Profile of XACML (WS-XACML) Version 1

XACML v3.0 Related and Nested Entities Profile ... - OASISdocs.oasis-open.org/xacml/xacml-3.0-related... · OASIS takes no position regarding the validity or scope of any intellectual

eXtensible Access Control Markup Language (XACML) Version ...docs.oasis-open.org/xacml/access_control-xacml-2_0-core-spec-cd-0… · 10/11/2004  · access_control-xacml-2.0-core-spec-cd-04

eXtensible Access Control Markup Language (XACML) …docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf · xacml-3.0-core-spec-cs-01-en 10 August 2010 , , , , . . .

XACML Intellectual Property Control (IPC) Profile Version 1docs.oasis-open.org/xacml/3.0/ipc/v1.0/os/xacml-3.0-ipc... · 2015-01-19 · XACML Intellectual Property Control (IPC) Profile

Administrative Policies in XACML

XACML MAP Authorization Profile Version 1 - OASISdocs.oasis-open.org/xacml/xacml-map-authz/v1.0/csprd01/xacml-ma… · John Tolbert ([email protected]), The Boeing Company

FAIRMODE WG4 - Planning - IIASA - International Institute ... · What do we intend by planning in WG4 ? WG1: assessment Base case model validation . WG4: planning Scenario model validation

SAML 2.0 profile of XACML - OASISdocs.oasis-open.org/xacml/access_control-xacml-2.0-saml... · 2004. 12. 10. · This profile defines how to use SAML 2.0 to protect, transport, and

XACML-Grid and XACML-NRP Attributes and Policy Profiles

XACML v3.0 Core and Hierarchical Role Based …docs.oasis-open.org/xacml/3.0/rbac/v1.0/cs02/xacml-3.0...Core and hierarchical role based access control (RBAC) profile of XACML v2.0

OASIS XACML Update

XACML Data Loss Prevention / Network Access Control (DLP ...docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/cs01/…  · Web viewTraffic flows between devices according to defined

XACML - Fight For Your Love