OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: access control vs audit - xacml applicable?


I wanted to know your opinion on applicability of XACML to solve a  
problem, which is not exactly in XACML's domain. It's access control  
auditing of the enterprise.

Suppose, the company has a heterogeneous IT infrastructure, i.e. a variety  
of systems with proprietary access control mechanisms, such as Unix,  
Windows, Mainframes, mini-computers, physical access control (RFID badges)  
and so on.

In the dream world, there'd be a company wide PEP with all required  
policies in XACML. All these systems would communicate with PEP, and setup  
their proprietary access control mechanisms according to these policies.

In reality, we have a bunch of different authorization technologies. They  
are so different that in order to review user rights on these platforms I  
had to learn much more about their access control technologies than I ever  
wanted. Everyone who has to audit access control in the large company will  
have the same problem. Clearly, there's an issue.

=========
I've been thinking to use XACML for this task. Here's what I was thinking  
about.

All platforms/OSs/systems have their own access control tools, but there's  
something common in (almost) all of them - they can be mapped to ACL, i.e.  
resource-subject-action triad. At least in those systems which I worked  
with, ACL concept can be used. Although it's not always straightforward.

The way I approach auditing is to express user access rights in the system  
in terms of ACL, then analysis becomes easier, because there's a common  
vocabulary and sismilar reporting.

Now, the next step would be to have a standard way of reporting the access  
control setup in the system. One approach is to analyze proprietary  
authorization tool, and convert its rules into XACML policies. This would  
have one benefit: the auditor has to learn only one policy language -  
XACML. For example, if you take mainframe security, there's one tool  
called CA-ACF2. It has rules, similar to other ACL tools. It takes time to  
learn the syntax, and most business people don't know it. It's an issue  
because these same people have to approve rules of access to their data.  
Translating these rules into XACML would simplify auditors and manager's  
life a bit, but not much. Besides, I'm not sure if it's possible to  
translate these rules into XACML.

The approach which I'm about to take is querying the system instead of  
going after rules. For example, in Unix I'd run "ls -l" in the directory,  
this would give me information about rights to files/dirs. Ok, this is not  
a complete information yet, because there could be facl (i.e. acl for  
files), there could be clusters etc. I'd take into account all these  
"complications", then return an answer "file FILE1 can be READ by users in  
the group WEB, can be WRITTEN by owner ARGYN only". I can run a bunch of  
queries and produce a report. If I have a standard language then I can  
produce consolidated reports acrros different platforms, then  
auditors/managers would learn to read it.

Having only XACML at hand, I was thinking to use Request of Context schema  
of XACML to report access rights from the system. Normally, we use Request  
to query PEP, which answers us with Response. However, for audit  
reporting, Request schema is more appropriate, as it contains all three  
elements: subj, resource and action. I'd get a bunch of Requests whihc  
describe the actual access rights of users to system resources.  
Alternatively, Policy syntax can be used. In this case, the query would  
return resluts as a set of Rules, which describe access rights to  
resources. Or maybe I've to define my own schema for this purpose. I'd  
prefer to use some standard language though.

I was wandering if anyone tried to use XACML for this sort of a problem.

Thanks,
Argyn




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]