XACML 101 – A quick intro to Attribute-based Access Control with XACML

Acronym

XACML: eXtensible Access Control Markup Language.

Highlights

XACML:

  1. is XML: you can actually read and write XACML with your favorite text editor (not that I would recommend writing XACML that way).
  2. is human-readable and verbose enough for users to get an understanding of what it’s doing.
  3. belongs to the OASIS family of standards. You can download the latest standard material here.
  4. is eXtensible: you can add profiles to cater for specific scenarios e.g. a profile for hierarchical resources, for role-based access control, for export control…
  5. is about access control: authorizing who can do what, when and how.
  6. is an implementation of ABAC, attribute-based access control.

What’s ABAC?

ABAC stands for attribute-based access control. It is a natural evolution from role-based access control which itself is a natural evolution from access control lists.

Access Control History in a Nutshell

Once upon a time, there were access control lists. Once a user had authenticated, their identity was known and could be looked up in such lists. Think of clubs and VIP lists. If you appear on a VIP list, the bouncer (the enforcer) will let you in. It doesn’t matter what your role in life is…

Then someone realized that the right to do something (authorizations, entitlements…) should rather be linked to a role. Bus drivers can drive public transport buses. The role is “bus driver”. It is simpler and safer to use a role as an abstraction away from the user. It effectively decouples user lists (which is really about authentication) from entitlements (the right to drive a bus in that case). Entitlements can be more efficiently managed.

But today’s environments are so complex and so rich that it is no longer enough. Take the bus analogy again. There are many different buses, different routes, different schedules. What if you want to express the following access control rules:

Bus drivers can only drive buses they are qualified to drive, and only between 9 am and 5 pm. With RBAC, you would need roles such as small-bus-morning-driver, medium-bus-morning-driver, big-bus-morning-driver… You get the picture. In this case, the size of the bus (small, medium, big) and the time of day (morning, evening, night) are examples of attributes one wants to use to express finer-grained rules. This is where ABAC comes in.

The evolution from RBAC to ABAC is very well explained in the following presentation:

Attribute-based access control (ABAC): a new access control approach for service-oriented architectures, by Eric Yuan, Jin Tong, Ottawa New Challenges for Access Control Workshop, 27 April, 2005. View here (mirror).

What does XACML bring to the table?

XACML brings 3 things:

  1. an architecture: this helps understand where XACML fits in an existing architecture and how & where access control can be enforced
  2. a policy language: the means to express access control rules in a standardized, interoperable way. “Children can eat ice cream”
  3. a request/response language: the means to ask questions and to receive an answer in a standardized way: Can naughty children eat ice cream? No, they cannot.

Architecture overview

The XACML architecture contains the following points:

  1. the Policy Decision Point (PDP): the core of the architecture where policies are evaluated and decisions are reached. The PDP is to XACML what the Supreme Court is to US law.
  2. the Policy Enforcement Point (PEP): the integration points, which can sit anywhere in an application architecture. PEPs take many different forms depending on where they enforce access control. The PEP is to XACML and the PDP what police officers and judges are to courts and the law.
  3. the Policy Retrieval Point (PRP): this is the point through which policies are read from the policy repository. Policy retrieval points ensure the independence of XACML from specific storage mechanisms. The PRP is to XACML what legislation is to a legal framework: the place where the law is written and maintained.
  4. The Policy Information Point (PIP): in ABAC and XACML, there is a need for attributes. Attributes are there to describe users, services, resources, actions, and the environment. Policy Information Points are attribute stores. They can be in any format and located anywhere. PIPs are to XACML what the DVLA, the set of police records, the census bureau, etc. are to a nation and its citizens.
  5. The Policy Administration Point (PAP): this is where you manage your policies.

None of the keywords are actually XACML-specific. PDP, PEP, PRP, and PIP are all defined in RFC 2904: AAA Authorization Framework.

Sample policy

I wrote the following using Axiomatics’ Policy Administration Point, part of their Axiomatics Policy Server. It uses XACML’s latest draft, XACML 3.0. More on XACML 3.0 can be found in Gerry Gebel’s XACML 3.0 presentation given at Kantara.

<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="child-eat-icecream" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<xacml3:Description>Define which children can eat ice-cream</xacml3:Description>
<xacml3:PolicyDefaults><xacml3:XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</xacml3:XPathVersion></xacml3:PolicyDefaults>
 <xacml3:Target>
 <xacml3:AnyOf>
 <xacml3:AllOf>
 <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">eat</xacml3:AttributeValue>
 <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"  AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </xacml3:Match>
 <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ice cream</xacml3:AttributeValue>
 <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"  AttributeId="food" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </xacml3:Match>
 </xacml3:AllOf>
 </xacml3:AnyOf>
 </xacml3:Target>
 <xacml3:Rule RuleId="children-eat" Effect="Permit">
 <xacml3:Description>let any child eat ice cream</xacml3:Description>
 <xacml3:Target>
 <xacml3:AnyOf>
 <xacml3:AllOf>
 <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">child</xacml3:AttributeValue>
 <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="urn:org:apache:tomcat:user-role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </xacml3:Match>
 </xacml3:AllOf>
 </xacml3:AnyOf>
 </xacml3:Target>
 </xacml3:Rule>
 <xacml3:Rule RuleId="naughty-children-punish" Effect="Deny">
 <xacml3:Description>do not let naughty children have ice cream</xacml3:Description>
 <xacml3:Target>
 <xacml3:AnyOf>
 <xacml3:AllOf>
 <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">child</xacml3:AttributeValue>
 <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="urn:org:apache:tomcat:user-role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </xacml3:Match>
 <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">naughty</xacml3:AttributeValue>
 <xacml3:AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"  AttributeId="behavior" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
 </xacml3:Match>
 </xacml3:AllOf>
 </xacml3:AnyOf>
 </xacml3:Target>
 </xacml3:Rule>
</xacml3:Policy>

Sample request and response

Request: can a child eat ice cream?

<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false" xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<xacml-ctx:Attribute AttributeId="urn:org:apache:tomcat:user-role" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">child</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">eat</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
<xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<xacml-ctx:Attribute AttributeId="food" IncludeInResult="false">
<xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ice cream</xacml-ctx:AttributeValue>
</xacml-ctx:Attribute>
</xacml-ctx:Attributes>
</xacml-ctx:Request>

Response: yes he can!

<xacml-ctx:Response xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <xacml-ctx:Result>
 <xacml-ctx:Decision>Permit</xacml-ctx:Decision>
 <xacml-ctx:Status>
 <xacml-ctx:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
 </xacml-ctx:Status>
 </xacml-ctx:Result>
</xacml-ctx:Response>
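To see how the PDP gets from the policy above to the Permit in this response, here is an added example (not code from the post, from Axiomatics or from any XACML implementation): a toy Python evaluator that rebuilds the child-eat-icecream policy as XACML 3.0 XML, parses it, and applies Target matching plus deny-overrides rule combining. It models only string-equal Matches and a single policy, and takes the PEP's request as an already-flattened dictionary rather than parsing the Request XML; the "adult" and "broccoli" requests in the test are constructed variants, not from the post.

```python
import xml.etree.ElementTree as ET

# Namespaces and identifiers exactly as they appear in the page's policy and request.
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
XS = "http://www.w3.org/2001/XMLSchema#string"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ROLE, ACTION_ID = "urn:org:apache:tomcat:user-role", "urn:oasis:names:tc:xacml:1.0:action:action-id"

def match(cat, aid, value):
    """One string-equal <Match>, the shape of every Match in the page's policy."""
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{XS}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{cat}" AttributeId="{aid}" DataType="{XS}" MustBePresent="false"/></Match>')

def target(*matches):  # one AnyOf holding one AllOf, like the page's three targets
    return "<Target><AnyOf><AllOf>" + "".join(matches) + "</AllOf></AnyOf></Target>"

# The child-eat-icecream policy from the page, rebuilt element for element (default namespace).
POLICY = (f'<Policy xmlns="{NS["x"]}" PolicyId="child-eat-icecream" Version="1" RuleCombiningAlgId="{DENY_OVERRIDES}">'
          + target(match(ACTION, ACTION_ID, "eat"), match(RESOURCE, "food", "ice cream"))
          + '<Rule RuleId="children-eat" Effect="Permit">' + target(match(SUBJECT, ROLE, "child")) + "</Rule>"
          + '<Rule RuleId="naughty-children-punish" Effect="Deny">'
          + target(match(SUBJECT, ROLE, "child"), match(SUBJECT, "behavior", "naughty")) + "</Rule></Policy>")

# The page's Request ("can a child eat ice cream?") as a PEP would flatten it: {(Category, AttributeId): [values]}.
CHILD_REQUEST = {(SUBJECT, ROLE): ["child"], (ACTION, ACTION_ID): ["eat"], (RESOURCE, "food"): ["ice cream"]}

def match_holds(m, attrs):
    """string-equal: true if ANY value of the designated attribute equals the literal; an absent attribute is an empty bag, so False."""
    d = m.find("x:AttributeDesignator", NS)
    return m.find("x:AttributeValue", NS).text in attrs.get((d.get("Category"), d.get("AttributeId")), [])

def target_matches(tgt, attrs):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match. No Target matches everything."""
    return tgt is None or all(any(all(match_holds(m, attrs) for m in all_of.findall("x:Match", NS))
                                  for all_of in any_of.findall("x:AllOf", NS))
                              for any_of in tgt.findall("x:AnyOf", NS))

def evaluate(policy_xml, attrs):
    """What the PDP does with one policy under deny-overrides rule combining."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), attrs):
        return "NotApplicable"  # the request is not about eating ice cream: the policy is silent
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS) if target_matches(r.find("x:Target", NS), attrs)]
    if "Deny" in effects:  # deny-overrides: one applicable Deny beats any number of Permits
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

Besides Permit and Deny, the evaluator returns NotApplicable when the policy's own Target does not match (a child eating broccoli) or when no rule fires (an adult eating ice cream); a deny-biased PEP treats anything other than Permit as a refusal.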