[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposal for XACML RBAC Profile
Dear RBACers, Attached is a draft proposal for how XACML can address the requirements for Role Based Access Control expressed in "Role Based Access Control", proposed ANSI Standard, BSR INCITS 359, 4/4/2003, available from http://csrc.nist.gov/rbac/rbac-std-ncits.pdf This has not yet been reviewed by the XACML TC, but I hope it will help make our discussions more productive by providing a concrete proposal and concrete examples. It is very much a draft, however. Anne Anderson -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692Title: XACML RBAC Profile
The proposal is followed by an example, then by a discussion of how the proposal satisfies each general requirement in Core RBAC, Hierarchical RBAC, Static Separation of Duty, and Dynamic Separation of Duty.
This proposal assumes the reader is somewhat familiar with XACML. A brief overview sufficient to understand these examples is available in [3].
XACML defines about 20 standard data types (string, integer, x500Name, etc.), along with standard functions for comparing and manipulating these data types. Any compliant XACML PDP can evaluate policies using any values of any of the XACML standard data types. XACML can be extended to use new data types and their corresponding functions without affecting the structure of the language.
An XACML Attribute may pertain to a Subject, a Resource, an Action, or to the Environment in which the access request is being made. In this Profile, a Role is defined as a Subject Attribute. XACML supports multiple subjects per access request, indicating various entities that may be involved in making the request. For example, there is usually a human user who initiates the request, at least indirectly. There are usually one or more applications or code bases that generate the actual low-level request on behalf of the User. There is some computing device on which the application or code base is executing, and this device may have an identity such an IP address. In this profile, a Role Attribute may be assigned to any of the types of subjects involved in making an access request.
In this Profile, there are two types of policies, each expressed as an XACML <PolicySet>.
Permission PolicySets need to be stored in the policy repository in such a way that they can never be used as the initial policy for an XACML Policy Decision Point (PDP). This is because A Permission PolicySet by itself needs to be applicable to any user (Subject) in order to allow Hierarchical RBAC. It is the Role PolicySet that controls which Permission PolicySets will be applied to holders of a particular role.
The Permission PolicySets that do not reference other Permission PolicySets could be XACML <Policy> elements rather than <PolicySet>. Requiring them to be <PolicySet> elements allows roles that were initially non-hierarchical to later include other permissions without requiring any change to the definitions of roles that reference them.
The two types of policies allow support for Hierarchical RBAC, where a more senior role can acquire the permissions of a more junior role. A simpler Profile supporting only the Core RBAC requirements is almost trivial to create with XACML. Designing the Profile to support both Core RBAC and for Hierarchical RBAC, however, seems preferable to having two separate profiles.
XACML does not handle the assignment of role attributes to users, so this Profile assumes that the presence in the XACML Request Context of a role attribute for a given user (Subject) is a valid assignment.
According to the proposal, there will be two Permission PolicySets:
These are Sign Purchase Order plus the permissions associated with the Manager role.
This is the one permission Submit Purchase Order.
There will also be two Role PolicySets:
This references the permissions in the Officer Permission PolicySet.
This references the permissions in the Manager Permission PolicySet.
In the following examples, a few liberties have been taken with the XACML syntax in order to make the examples more readable: DataType attributes are omitted, PolicySetIds and PolicyIds have been expressed as strings rather than as URNs, and the URNs for standard FunctionIds, AttributeIds, and Combining Algorithms are shortened. Anyone familiar with XACML should be able to convert these examples to fully compliant XACML policies easily.
Here are the two Permission PolicySets:
<PolicySet PolicySetId="Permission PolicySet for Officer Role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <AnySubject/> </Subject> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> <Target> <Policy PolicyId="Permissions specifically for the Officer role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <AnySubject/> </Subject> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="Permission to Sign Purchase Order" Effect="Permit"> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="string-match"> <AttributeValue>Purchase Order</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="string-match"> <AttributeValue>Sign</AttributeValue> <ActionAttributeDesignator AttributeId="action-id"/> </ActionMatch> </Action> </Actions> </Target> </Rule> </Policy> <PolicySetIdReference>Permission PolicySet for Manager Role</PolicySetIdReference> </PolicySet>
<PolicySet PolicySetId="Permission PolicySet for Manager Role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <AnySubject/> </Subject> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> <Target> <Policy PolicyId="Permissions specifically for Manager role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <AnySubject/> </Subject> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <Rule RuleId="Permission to Submit Purchase Order" Effect="Permit"> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="string-match"> <AttributeValue>Purchase Order</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="string-match"> <AttributeValue>Submit</AttributeValue> <ActionAttributeDesignator AttributeId="action-id"/> </ActionMatch> </Action> </Actions> </Target> </Rule> </Policy> <!-- PolicySetIdReferences can be added here if the Manager role later obtains permissions associated with any other role --> </PolicySet>
Here are the two Role PolicySets:
<PolicySet PolicySetId="Role PolicySet for Officer Role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <Subject> <SubjectMatch MatchId="string-match"> <AttributeValue>Officer</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </SubjectMatch> </Subject> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <PolicySetIdReference>Permission PolicySet for Officer Role</PolicySetIdReference> </PolicySet>
<PolicySet PolicySetId="Role PolicySet for Manager Role" CombiningAlgorithm="permit-overrides"> <Target> <Subjects> <Subject> <SubjectMatch MatchId="string-match"> <AttributeValue>Manager</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </SubjectMatch> </Subject> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <AnyAction/> </Actions> </Target> <PolicySetIdReference>Permission PolicySet for Manager Role</PolicySetIdReference> </PolicySet>
In the above example, two users Alice and Bob, could both possess a Role Attribute with a value of Manager. They would both receive the Permissions associated in the policies with the Manager Role.
XACML policies may be written to impose arbitrary restrictions on combinations of Attributes. For example, an XACML Policy can be written such that a user receives the union of all the Permissions associated with the user's multiple Roles. As another example, an XACML Policy can be written such that a user must possess two or more specific Roles in order to gain certain Permissions. XACML supports arbitrary Boolean combinations of predicates on Attributes, along with a rich set of functions for comparing and manipulating values of Attributes.
The example illustrates how the Profile supports General Hierarchical RBAC.
Limited Hierarchical RBAC is also supported, as the XACML policies can be written to impose arbitrary restrictions on the ways permissions are granted. These restrictions may be applied in two ways. Using the <Condition> element in an XACML <Rule>, a particular set of Permissions can be restricted to apply only under certain arbitrary conditions. Using combining algorithms, arbitrary restrictions can be imposed on the way various rules, policies, and policy sets are composed.
Dynamic Separation of Duty imposes restrictions on the activation of Role Attributes. In XACML terms, this is a policy to be applied to the entity that makes particular Attributes accessible in an XACML Request Context during a given user session, rather than to an access request from user for which certain roles have been activated.
The following XACML Policy example implements such restrictions. It expects the Role Activation Entity to submit the set of Roles already activated for the user during this session along with the proposed additional Role as values for Subject Attributes with AttributeId="Role". This example policy imposes the following two Role Set constraints:
Note that the standard XACML function n-of treats its first argument as the value for n. It returns true if at least n of the arguments is true. The desired relation is then expressed in terms of not n-of roles, where n is one greater than the maximum number of roles from the set allowed to be activated.
<Policy PolicyId="Role Activation Restrictions"> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="string-match"> <AttributeValue>Role</AttributeValue> <ResourceAttributeDesignator AttributeId="resource-id"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="string-match"> <AttributeValue>Activate</AttributeValue> <ActionAttributeDesignator AttributeId="action-id"/> </ActionMatch> </Actions> </Target> <Condition FunctionId="and"> <Apply FunctionId="not"> <Apply FunctionId="n-of"> <AttributeValue>3</AttributeValue> <Apply FunctionId="string-is-in"> <AttributeValue>A</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> <Apply FunctionId="string-is-in"> <AttributeValue>B</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> <Apply FunctionId="string-is-in"> <AttributeValue>C</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> <Apply FunctionId="string-is-in"> <AttributeValue>D</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> </Apply> </Apply> <Apply FunctionId="not"> <Apply FunctionId="n-of"> <AttributeValue>2</AttributeValue> <Apply FunctionId="string-is-in"> <AttributeValue>D</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> <Apply FunctionId="string-is-in"> <AttributeValue>E</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> <Apply FunctionId="string-is-in"> <AttributeValue>F</AttributeValue> <SubjectAttributeDesignator AttributeId="Role"/> </Apply> </Apply> </Apply> </Condition> </Policy>
[2] OASIS eXtensible Access Control Markup Language (XACML) Version 1.0, OASIS Standard, 18 February 2003. Available from http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/1642/oasis-%23%23%23%23-xacml-1.0.pdf.
[3] A Brief Introduction to XACML, by Seth Proctor, 7 February 2003. Available in the XACML Programmers Guide located at http://sunxacml.sourceforge.net/guide.html. This is part of Sun's XACML Implementation , an Open Source BSD License implementation of XACML.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]