Access Control (or the lack thereof) in litterature: how not to implement border control…

I have started reading Hemingway’s masterpiece “Fiesta, the sun also rises” during my commute to/from work. Apart from being an interesting insight into post-war Europe, it also gave a brilliant example of access control being overturned… Just then an old man with long, sunburned hair and beard, and clothes that looked as though they were made of gunny- sacking, came striding up to the bridge. He was carrying a long staff, and he had a kid slung on his back, tied by the four legs, the head hanging down. The carabineer waved him back with his sword. The man turned without saying anything, and started back up the white road into Spain. “What’s the matter with the old one?” I […]

XACML, transports, crypto, and management – a dev’s view

Travis Spencer (@travisspencer) with whom my colleague Gerry (@ggebel) and I have had chats over the past few months, recently published an interesting article on XACML, its shortcomings, and the possible solutions. Travis structured his ideas around 3 main points: transport / communication protocols, trust, and management. Following this, Gerry had a bit of chat with our folks in Sweden (@axiomatics) and came up with a response which you can read on his blog. I wanted to take a few minutes to look back at the challenges from a developer’s / architect’s perspective. It’s worth remembering that XACML define 3 particular areas: the policy language; the request / response protocol; and the architecture. A XACML request by any other protocol […]

Free strawberry ice-cream melting image

XACML 101 – A quick intro to Attribute-based Access Control with XACML

Acronym XACML: eXtensible Access Control Markup Language. Highlights XACML: What’s ABAC? ABAC stands for attribute-based access control. It is a natural evolution from role-based access control which itself is a natural evolution from access control lists. Access Control History in a Nutshell Once upon a time, there were access control lists. Once a user authenticated, its identity was known and could be used in such lists. Think of clubs and VIP lists. If you appear on a VIP list, the bouncer (enforcer) will let you in. It doesn’t matter what your role in life is… Then someone realized that the right to do something (authorizations, entitlements…) should rather be linked to a role. Bus drivers can drive public transport buses. […]

Enhancements and new features in #XACML 3.0

I recently had a chat with the editor of XACML 3.0, Erik Rissanen – also the CTO of Axiomatics – about the latest news on XACML 3.0: the enhancements the standard has gone through and the new features we can look forward to. Multiple Decision Profile: Multiple resource request (XACML 2.0) was renamed Multiple Decision Profile (XACML 3.0) and enhanced with new variants. This profile lets a requestor –typically the Policy Enforcement Point (PEP) ask several questions in one go to which the Policy Decision Point (PDP) returns one answer with multiple decisions. This profile is particularly useful in web-portal-based scenarios where decisions have to be reached for different parts of a portal within a given page for a given […]

#XACML Architecture Implementations should be modular

When customers decide to externalize their authorization and to go for a standards-based solution, namely a XACML-based solution, they need to be extremely careful how the vendor implements XACML. It is not just about implementing XACML’s request-response protocol. It is not just about authoring policies natively in XACML. It is also about implementing in an elegant, efficient, and modular way the XACML architecture. The latter contains several key components as listed hereafter: 1. Firstly, the Policy Decision Point (PDP): this is where policies are evaluated and a decision is reached. 2. Secondly, the Policy Enforcement Point: this is where the request is created sent to the PDP and the response received and handled. The PEP can be application-specific. 3. Thirdly […]