In the land of XACML, general access control queries are of the form “can user A read document D?” The Policy Enforcement Point (PEP) sends these requests to the Policy Decision Point (PDP) and enforces the returned Permit/Deny decision. But in most enterprises, access control queries are not confined to such direct queries. There is often a need for queries like “Which conditions must a user fulfil to get Permit for accessing document D?”, “What are the conditions that deny user A access to a document?”, “Which elements in the current set of policies can deny read access to any user?” etc.
It is a general perception that ABAC cannot answer this kind of reverse query as elegantly as RBAC. For more information on the challenges that ABAC faces, refer to the blog posts Challenges of ABAC, Part 1 and Part 2. Axiomatics Reverse Query (ARQ) is the solution to such access control queries.
The typical XACML architecture looks like this
The Policy Administration Point (PAP) provides facilities for policy authoring, change management and deployment. All resource access goes through the Policy Enforcement Point (PEP). The PEP sends the request to the Policy Decision Point (PDP), which evaluates the policy for the given request and returns a Permit/Deny decision. The PDP can fetch further attributes needed for the particular request from the Policy Information Point (PIP) to complete the policy evaluation.
For more details on the XACML architecture, refer to the blog post on XACML Reference Architecture.
Reverse Query architecture
In many situations, some attributes of the resource, user or action are known, while we need to find the conditions on the remaining attributes under the currently deployed policies that yield the desired decision. This kind of open query is what we call an XACML reverse query. Axiomatics Reverse Query (ARQ) is an authorization service that accepts such a reverse query as input and returns the conditions on the attributes that must be satisfied to obtain the desired decision.
How Axiomatics Reverse Query (ARQ) fits into the XACML architecture is shown in the diagram below.
The architecture is similar to the general XACML architecture, except that the input is a reverse query, for example “What are the documents Alice can view?”. ARQ takes the reverse query as input, evaluates it against the XACML policy and returns the conditions that must be satisfied to access a document.
PEPs can use ARQ to control access dynamically in many ways including:
- Web portal PEP: Dynamically change the page content based on the logged-in user.
Administrators can use ARQ to audit policies, generate audit reports and generate lists:
- List generation: ARQ can produce its output in various formats. One of these is to generate SQL queries from the conditions. If all the data is found in a federated or virtualized database, ARQ provides out-of-the-box APIs to query lists, for example “List the documents Alice can read”, “List the users who can write document D”.
- Policy analysis: If the reverse query contains an empty list of known attributes and only the desired decision, ARQ produces all the possible ways to get the desired decision.
- Report generation: ARQ can be used to generate conditions at runtime to filter data dynamically. It can also be used to generate audit reports periodically.
- Policy auditing: ARQ allows you to audit the policy elements that contributed to reaching a particular decision.
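As an added illustration (not Axiomatics' code or its XACML policy format), here is a toy reverse-query evaluator over a first-applicable rule list: given the known attributes and the desired decision, it returns the conditions on the remaining attributes, as in the reverse query, list-generation and policy-analysis uses above, and renders them as an SQL filter. The rules, attribute names and table name are constructed for the example.

```python
from itertools import product

# Constructed toy policy, not Axiomatics' XACML format: rules in first-applicable
# order, each (effect, {attribute: required value}); attribute names are assumed.
POLICY = [
    ("Deny",   {"action": "read", "document.status": "withdrawn"}),
    ("Permit", {"action": "read", "user.role": "editor"}),
    ("Permit", {"action": "read", "user.role": "reader", "document.status": "published"}),
]

def simplify(clause):
    """Drop '!=' literals implied by an '=' on the same attribute; None if contradictory."""
    eq = {a: v for a, op, v in clause if op == "="}
    out = []
    for a, op, v in clause:
        if op == "!=" and a in eq:
            if eq[a] == v:
                return None      # attr = v AND attr != v can never hold
            continue             # attr = x already implies attr != v
        if (a, op, v) not in out:
            out.append((a, op, v))
    return out

def reverse_query(policy, known, desired):
    """DNF (list of conjunctive clauses) over the unknown attributes under which a rule
    with effect `desired` is the first applicable one; 'no rule applies' is not enumerated."""
    clauses, blockers = [], []
    for effect, conds in policy:
        if any(a in known and known[a] != v for a, v in conds.items()):
            continue             # known attributes rule this rule out entirely
        residual = [(a, "=", v) for a, v in conds.items() if a not in known]
        if effect == desired:
            # fires only if each earlier reachable rule of the other effect fails,
            # i.e. at least one of that rule's residual literals is false
            for combo in product(*blockers):
                c = simplify(residual + [(a, "!=", v) for a, _, v in combo])
                if c is not None:
                    clauses.append(c)
        else:
            blockers.append(residual)
        if not residual:
            break                # this rule always fires, later rules are unreachable
    return clauses

def to_sql(clauses, table):
    """Render the DNF as a list-generation query (bind values as parameters in real code)."""
    def lit(a, op, v):
        return f"{a.replace('.', '_')} {'=' if op == '=' else '<>'} '{v}'"
    disj = " OR ".join("(" + (" AND ".join(lit(*l) for l in c) or "1=1") + ")" for c in clauses)
    return f"SELECT * FROM {table} WHERE {disj or '1=0'}"
```

Calling `reverse_query(POLICY, {}, "Permit")` with no known attributes enumerates every way to reach Permit, which is the policy-analysis case above.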
Open authorization queries, or reverse queries, often hinder the adoption of ABAC solutions. In this post we introduced the concept of an XACML reverse query and how Axiomatics answers such open queries using Axiomatics Reverse Query.