Extending XACML for Open Web-based Scenarios
Claudio A. Ardagna (1), Sabrina De Capitani di Vimercati (1), Stefano Paraboschi (2), Eros Pedrini (1), Pierangela Samarati (1), Mario Verdicchio (2)
(1) Università degli Studi di Milano, (2) Università degli Studi di Bergamo
W3C Workshop on Access Control Application Scenarios, Luxembourg, 17-18 November 2009
© Pierangela Samarati 1/19
Motivation
• Open Web service systems receive access requests from remote parties to access Web services
• These systems may not have prior knowledge of users (relationships with authentication may change)
⇒ Need for access control based on properties/certificates
⇒ Need for interactive access control systems
⇒ Need for an expressive and simple access control solution applicable in practice
Goal and Contributions
Extending XACML (the most significant proposal for access control over the Web) to support the new access control paradigm needed in open scenarios:
• depart from the traditional authenticate/authorize approach (credential-based authorizations)
• support abstractions
• provide access control authorizations with reasoning capability (recursive reasoning)
• communicate protection requirements while protecting the access policy and related information (dialog management and interactive access control)
With a limited impact on the original XACML specification
Credential-based Authorizations
• Allow reference to digital certificates
• Allow fine-grained reference to the properties they certify and to conditions about them
◦ Attributes represent the content of the credentials (e.g., last name)
◦ Metadata represent properties of the credentials themselves (e.g., type)
• What users can do then depends on the assertions (attributes) they can prove by presenting certificates
• Access control can respond with the requirements that the requester must satisfy to get access
Credential-based Authorizations – XACML
Credentials/Metadata are represented as a new XML schema
• Root element certifications contains one or more certification elements (each a class of certificates)
• Element certification defines a condition on metadata and has an attribute id
• Each certification element contains one or more alternative group elements, each representing a set of restrictions on metadata
Attributes are treated like any other property in XACML
• Each occurrence of a certified attribute is translated into an XACML element SubjectAttributeDesignator
◦ Attribute AttributeId is the attribute name
◦ Attribute Issuer points to a credential (a certification id)
Credential-based Authorizations – Example

Metadata:

  <certifications>
    <certification id="IT_IC">
      <group>
        <type>identity card</type>
        <issuer>IT Gov</issuer>
        <method>X.509</method>
      </group>
      <group>
        <type>passport</type>
        <issuer>IT Gov</issuer>
        <method>SAML</method>
      </group>
    </certification>
  </certifications>

XACML policy with conditions on certified attributes:

  <Rule RuleId="ExampleRule" Effect="Permit">
    <Target/>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
        <SubjectAttributeDesignator DataType="XMLSchema#string"
            Issuer="urn:ext:cred-reference:IT_IC"
            AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:city-birth"/>
        <AttributeValue DataType="XMLSchema#string">Milan</AttributeValue>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:integer-less-than">
        <SubjectAttributeDesignator DataType="XMLSchema#integer"
            Issuer="urn:ext:cred-reference:IT_IC"
            AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:year-birth"/>
        <AttributeValue DataType="XMLSchema#integer">1981</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
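The following Python program is an added illustration, not part of the slides or of the authors' implementation. It evaluates the rule above against credentials presented by a requester. Its assumptions: a presented credential is a plain dictionary holding its metadata (type, issuer, method) and its certified attributes; the Issuer prefix urn:ext:cred-reference: is the link from a designator to a certification id (spelled IT_IC here); a designator whose credential class was not presented makes the result Indeterminate; and the abbreviated DataType values are kept exactly as on the slide.

```python
# Added example: evaluating an XACML rule whose designators reference
# credential classes (slide 6).  Not the authors' code; see assumptions above.
import xml.etree.ElementTree as ET

CRED_REF_PREFIX = "urn:ext:cred-reference:"  # assumed link designator -> certification id

# Metadata and rule as on slide 6 (DataType abbreviated as on the slide).
CERTIFICATIONS_XML = """
<certifications>
  <certification id="IT_IC">
    <group><type>identity card</type><issuer>IT Gov</issuer><method>X.509</method></group>
    <group><type>passport</type><issuer>IT Gov</issuer><method>SAML</method></group>
  </certification>
</certifications>"""

RULE_XML = """
<Rule RuleId="ExampleRule" Effect="Permit">
  <Target/>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
    <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
      <SubjectAttributeDesignator DataType="XMLSchema#string"
          Issuer="urn:ext:cred-reference:IT_IC"
          AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:city-birth"/>
      <AttributeValue DataType="XMLSchema#string">Milan</AttributeValue>
    </Apply>
    <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:integer-less-than">
      <SubjectAttributeDesignator DataType="XMLSchema#integer"
          Issuer="urn:ext:cred-reference:IT_IC"
          AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:year-birth"/>
      <AttributeValue DataType="XMLSchema#integer">1981</AttributeValue>
    </Apply>
  </Condition>
</Rule>"""

# The three XACML functions the rule uses.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:and": lambda *a: all(a),
    "urn:oasis:names:tc:xacml:2.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:2.0:function:integer-less-than": lambda a, b: a < b,
}

class MissingCredential(Exception):
    """No presented credential belongs to the referenced certification class."""

def load_certifications(xml_text):
    """Map certification id -> list of alternative metadata groups."""
    root = ET.fromstring(xml_text.strip())
    return {c.get("id"): [{m.tag: m.text.strip() for m in g} for g in c.findall("group")]
            for c in root.findall("certification")}

def in_class(credential, groups):
    """A credential belongs to a class if it satisfies any one alternative group."""
    return any(all(credential.get(k) == v for k, v in g.items()) for g in groups)

def cast(value, data_type):
    return int(value) if data_type.endswith("#integer") else str(value)

def evaluate(node, presented, classes):
    """Recursively evaluate Condition / Apply / designator / AttributeValue nodes."""
    if node.tag in ("Condition", "Apply"):
        fn = FUNCTIONS[node.get("FunctionId")]
        return fn(*(evaluate(child, presented, classes) for child in node))
    if node.tag == "SubjectAttributeDesignator":
        issuer = node.get("Issuer", "")
        if not issuer.startswith(CRED_REF_PREFIX):
            raise ValueError("not a credential reference: " + issuer)
        class_id = issuer[len(CRED_REF_PREFIX):]
        attr = node.get("AttributeId").rsplit(":", 1)[-1]      # e.g. "city-birth"
        for cred in presented:
            if in_class(cred, classes[class_id]) and attr in cred["attributes"]:
                return cast(cred["attributes"][attr], node.get("DataType"))
        raise MissingCredential(class_id)
    if node.tag == "AttributeValue":
        return cast(node.text.strip(), node.get("DataType"))
    raise ValueError("unsupported element " + node.tag)

def decide(rule_xml, presented, classes):
    """Effect when the Condition holds, NotApplicable when it does not,
    Indeterminate when a referenced credential class was not presented."""
    rule = ET.fromstring(rule_xml.strip())
    try:
        holds = evaluate(rule.find("Condition"), presented, classes)
    except MissingCredential:
        return "Indeterminate"
    return rule.get("Effect") if holds else "NotApplicable"

# Constructed sample credentials (attribute values arrive as strings, as in XACML).
ID_CARD = {"type": "identity card", "issuer": "IT Gov", "method": "X.509",
           "attributes": {"city-birth": "Milan", "year-birth": "1975"}}
DRIVER_LICENSE = {"type": "driver license", "issuer": "IT Gov", "method": "X.509",
                  "attributes": {"city-birth": "Milan", "year-birth": "1975"}}

if __name__ == "__main__":
    classes = load_certifications(CERTIFICATIONS_XML)
    print(decide(RULE_XML, [ID_CARD], classes))         # Permit
    print(decide(RULE_XML, [DRIVER_LICENSE], classes))  # Indeterminate: not in class IT_IC
```

The driver license carries the right attributes but is rejected because no group of IT_IC admits its type: the metadata condition is checked before any attribute is read, which is the point of tying the designator to a credential class rather than to a bare attribute name.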
Abstractions
• Allow for the derivation of new concepts from existing ones
• Represent a shorthand by which a single concept stands for a more complex one
Example: id document (abstraction head) defined as an abstraction of the credentials { identity card, driver license, passport } (abstraction tail)
A policy that requires an id document is satisfied by providing any of the three credentials
Abstractions – XACML
To manage abstraction specifications, XACML is integrated with XQuery
• Abstractions are represented as a new XML schema
◦ Root element abstractions contains one or more abstraction elements
◦ Each abstraction element has an attribute id (abstraction head) and a set of equivalences in element is (abstraction tail)
• Abstractions can be embedded in XACML conditions via an XQuery invocation
◦ An XQuery function takes as input an abstraction head and returns the corresponding abstraction tail
Abstractions – Example

Abstraction definition:

  <abstractions>
    <abstraction id="id_document">
      <is>
        <item>identity card</item>
        <item>driver license</item>
        <item>passport</item>
      </is>
    </abstraction>
  </abstractions>

Abstraction-based metadata condition:

  <certifications>
    <certification id="IT_ABBR">
      <group>
        <type>local:expand('id_document')</type>
      </group>
    </certification>
  </certifications>
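As an added example (not from the slides, and not the authors' XQuery code), the Python below plays the role of the local:expand() function and applies it to a type restriction in a metadata group. It generalizes the slide slightly: a tail item that is itself an abstraction head is expanded recursively, and a head that refers back to itself is not re-entered. The second abstraction (government_document) is constructed for this example.

```python
# Added example: abstraction expansion standing in for local:expand() (slides 8-9).
import re
import xml.etree.ElementTree as ET

ABSTRACTIONS_XML = """
<abstractions>
  <abstraction id="id_document">
    <is>
      <item>identity card</item>
      <item>driver license</item>
      <item>passport</item>
    </is>
  </abstraction>
  <!-- constructed for this example: a tail that names another head -->
  <abstraction id="government_document">
    <is>
      <item>id_document</item>
      <item>tax code card</item>
    </is>
  </abstraction>
</abstractions>"""

# Recognizes the XQuery invocation form used on the slide: local:expand('head')
EXPAND_CALL = re.compile(r"^local:expand\('([^']+)'\)$")

def load_abstractions(xml_text):
    """Map abstraction head -> list of tail items."""
    root = ET.fromstring(xml_text.strip())
    return {a.get("id"): [i.text.strip() for i in a.find("is").findall("item")]
            for a in root.findall("abstraction")}

def expand(head, abstractions, _seen=None):
    """Set of concrete credential types denoted by a head.  Tail items that are
    heads themselves are expanded in turn; a visited set stops cycles."""
    seen = set() if _seen is None else _seen
    if head in seen:
        return set()
    seen.add(head)
    result = set()
    for item in abstractions.get(head, []):
        if item in abstractions:
            result |= expand(item, abstractions, seen)
        else:
            result.add(item)
    return result

def type_condition_accepts(type_spec, presented_type, abstractions):
    """Does the text of a <type> element admit a presented credential type?
    type_spec is either a literal type or a local:expand('head') invocation."""
    spec = type_spec.strip()
    m = EXPAND_CALL.match(spec)
    if m:
        return presented_type in expand(m.group(1), abstractions)
    return presented_type == spec

if __name__ == "__main__":
    abstractions = load_abstractions(ABSTRACTIONS_XML)
    print(sorted(expand("id_document", abstractions)))
    print(type_condition_accepts("local:expand('id_document')", "passport", abstractions))
```

An unknown head expands to the empty set, so a group whose type restriction names a misspelled abstraction admits no credential at all rather than silently admitting every credential; that failure direction is the safe one for a metadata condition.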
Recursive Conditions
• Recursion can be exploited to specify conditions on data with a recursive structure (e.g., delegation, supervisor)
• Recursive reasoning is needed, for example:
◦ for expressing policies based on chains of credentials
◦ for supporting delegation
Recursive Conditions – XACML
• As for abstractions, recursion is supported by integrating XACML with an XQuery engine
◦ Recursive conditions are defined via recursive XQuery functions
◦ Recursive functions are embedded and referenced in the policies (no changes to the language) to define policy conditions based on recursive concepts
◦ Recursive functions take as input the XACML context and produce new information to be used in policy evaluation
Recursive Conditions – Example

XACML Context:

  <context>
    <doctor id="1">
      <first_name>George</first_name>
      <last_name>Williams</last_name>
      <specialized>Surgery</specialized>
      <sex>M</sex>
      <supervisor/>
    </doctor>
    <doctor id="2">
      <first_name>Charles</first_name>
      <last_name>White</last_name>
      <specialized>Pediatric Surgery</specialized>
      <sex>M</sex>
      <supervisor><doctorid>1</doctorid></supervisor>
    </doctor>
    <doctor id="3">
      <first_name>Mary</first_name>
      <last_name>Wilson</last_name>
      <specialized>Pediatric Allergy</specialized>
      <sex>F</sex>
      <supervisor><doctorid>1</doctorid></supervisor>
    </doctor>
  </context>

XACML Recursive Condition:

  <Condition FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-equal">
    <SubjectAttributeDesignator
        DataType="http://www.w3.org/2001/XMLSchema#string"
        AttributeId="urn:oasis:names:tc:xacml:2.0:attribute:doctor-id"/>
    <AttributeSelector RequestContextPath=
        "local:getSupervisor(//doctor[@id=
           //patient[@id=urn:oasis:names:tc:xacml:2.0:attribute:patient-id]
           /doctorid])/@id"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Condition>
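The Python below is an added example, not from the slides and not the authors' XQuery function. It stands in for local:getSupervisor() over the context above and evaluates the condition: the requester's doctor-id must equal a supervisor of the doctor treating the patient. Assumptions: getSupervisor returns the whole chain of supervisors (the slide calls it recursive without showing its body), membership in that chain stands in for string-equal against the selected bag, and the patient records and the fourth doctor are constructed because the slide's context shows doctors only.

```python
# Added example: recursive supervisor lookup over the XACML context (slides 11-12).
import xml.etree.ElementTree as ET

CONTEXT_XML = """
<context>
  <doctor id="1"><first_name>George</first_name><last_name>Williams</last_name>
    <specialized>Surgery</specialized><sex>M</sex><supervisor/></doctor>
  <doctor id="2"><first_name>Charles</first_name><last_name>White</last_name>
    <specialized>Pediatric Surgery</specialized><sex>M</sex>
    <supervisor><doctorid>1</doctorid></supervisor></doctor>
  <doctor id="3"><first_name>Mary</first_name><last_name>Wilson</last_name>
    <specialized>Pediatric Allergy</specialized><sex>F</sex>
    <supervisor><doctorid>1</doctorid></supervisor></doctor>
  <!-- constructed for this example: a second level in the chain -->
  <doctor id="4"><first_name>Ann</first_name><last_name>Brown</last_name>
    <specialized>Pediatric Surgery</specialized><sex>F</sex>
    <supervisor><doctorid>2</doctorid></supervisor></doctor>
  <!-- constructed for this example: patient -> treating doctor -->
  <patient id="p7"><doctorid>3</doctorid></patient>
  <patient id="p8"><doctorid>4</doctorid></patient>
</context>"""

def load_context(xml_text):
    """Return (doctor id -> direct supervisor id or None, patient id -> doctor id)."""
    root = ET.fromstring(xml_text.strip())
    supervisors = {}
    for d in root.findall("doctor"):
        s = d.find("supervisor/doctorid")            # None for an empty <supervisor/>
        supervisors[d.get("id")] = s.text.strip() if s is not None else None
    patients = {p.get("id"): p.find("doctorid").text.strip()
                for p in root.findall("patient")}
    return supervisors, patients

def get_supervisors(doctor_id, supervisors, _seen=()):
    """Recursive stand-in for local:getSupervisor(): the chain of supervisors
    above doctor_id, nearest first.  Stops at an empty <supervisor/>, at an
    unknown id, and at a cycle in the context data."""
    boss = supervisors.get(doctor_id)
    if boss is None or boss in _seen:
        return []
    return [boss] + get_supervisors(boss, supervisors, _seen + (doctor_id,))

def condition_holds(subject_doctor_id, patient_id, supervisors, patients):
    """The slide's condition: the subject's doctor-id equals an id produced by
    getSupervisor() for the doctor treating the given patient."""
    treating = patients.get(patient_id)
    if treating is None:
        return False                                 # no patient record: nothing to compare
    return subject_doctor_id in get_supervisors(treating, supervisors)

if __name__ == "__main__":
    supervisors, patients = load_context(CONTEXT_XML)
    print(get_supervisors("4", supervisors))         # ['2', '1']
    print(condition_holds("1", "p8", supervisors, patients))   # True
    print(condition_holds("3", "p8", supervisors, patients))   # False
```

The visited tuple matters in practice: the recursion terminates only because a supervisor relation in the context is expected to be acyclic, and a policy engine should not hang on malformed context data.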
Dialog – 1
• The server may not have all the information it needs to decide whether or not an access should be granted
• The requester may not know which certificates she needs to present to a server to get access
⇒ Dialog management supports a new way of enforcing the access control process
• The server can communicate which information is needed to evaluate a policy
• Allows the requester to hand over only the necessary credentials
Dialog – 2
Issue to be addressed: communication of the access control restrictions to be satisfied
• Safeguard the privacy of the involved parties
◦ avoid unnecessary release of certificates and information
◦ avoid leakage of access control policies and information
⇒ Disclosure policies
• We distinguish five different disclosure policies, each of which can be used independently for any condition appearing in an expression
Dialog – 3
Example: identity card.age > 18
• Condition: the condition can be fully disclosed as it is
E.g., identity card.age > 18
• Predicate: only the information that a property needs to be evaluated with respect to a predicate can be released
E.g., identity card.age >
• Property: only the information that a property needs to be evaluated can be released
E.g., identity card.age
• Credential: only the information that there is a condition about a credential can be released
E.g., identity card
• None: nothing can be disclosed about the condition
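One round of the dialog described on slides 13-15, as an added Python example that is not part of the slides or of the authors' system. Each condition carries its own disclosure policy; after evaluating the policy against the credentials presented so far, the server answers Permit or returns only the requirements it is allowed to disclose for the conditions still unmet. The condition representation, the policy of three conditions, and the presented-credential dictionaries are constructed for this example.

```python
# Added example: disclosure policies applied to unmet conditions (slides 13-15).
from dataclasses import dataclass
import operator

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

@dataclass(frozen=True)
class Condition:
    credential: str   # e.g. "identity card"
    prop: str         # e.g. "age"
    op: str           # e.g. ">"
    value: object     # e.g. 18
    disclosure: str   # condition | predicate | property | credential | none

def disclose(c):
    """What the server may tell the requester about one condition, or None."""
    if c.disclosure == "condition":
        return f"{c.credential}.{c.prop} {c.op} {c.value}"
    if c.disclosure == "predicate":
        return f"{c.credential}.{c.prop} {c.op}"
    if c.disclosure == "property":
        return f"{c.credential}.{c.prop}"
    if c.disclosure == "credential":
        return c.credential
    if c.disclosure == "none":
        return None
    raise ValueError("unknown disclosure policy: " + c.disclosure)

def satisfied(c, presented):
    """presented maps credential type -> dict of certified properties."""
    cred = presented.get(c.credential)
    return cred is not None and c.prop in cred and OPS[c.op](cred[c.prop], c.value)

def dialog_step(policy, presented):
    """One server turn.  Returns (outcome, disclosed requirements, hidden_flag):
    Permit when every condition holds; otherwise the disclosures for the unmet
    conditions only (already satisfied ones are never re-requested) and a flag
    saying whether some unmet condition could not be disclosed at all."""
    unmet = [c for c in policy if not satisfied(c, presented)]
    if not unmet:
        return ("Permit", [], False)
    msgs = [disclose(c) for c in unmet]
    return ("Requirements", [m for m in msgs if m is not None], any(m is None for m in msgs))

# Constructed policy: the slide's example condition plus two further conditions.
POLICY = [
    Condition("identity card", "age", ">", 18, "predicate"),
    Condition("employee badge", "department", "=", "IT", "credential"),
    Condition("clearance", "level", ">", 2, "none"),
]

if __name__ == "__main__":
    print(dialog_step(POLICY, {}))
    # ('Requirements', ['identity card.age >', 'employee badge'], True)
    print(dialog_step(POLICY, {"identity card": {"age": 30},
                               "employee badge": {"department": "IT"},
                               "clearance": {"level": 3}}))
    # ('Permit', [], False)
```

The hidden flag is what makes the "none" policy usable: the requester learns that something further is required without learning what, so the policy is not leaked, while the server still avoids answering with a bare denial that would stall the dialog.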