Mark is a part of the Axiomatics Sales team where he helps our customers become ABAC proficient.

How can many complex permit rules for the same policy be managed?

Background

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). As the name indicates, XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t get into every aspect of policy authoring today. For a brief overview of what a policy is, click here.


How can the permit-unless-deny combining algorithm be dangerous?

Background

We haven’t discussed combining algorithms much, but they are just one of the many powerful features of an XACML-based authorization system. You can think of combining algorithms as a way to assign weight to many partial answers to the same question. Let’s use a background check as an example. A background check has many different questions/tests in it, but how do you determine if someone passes or fails? The administrator of the background check combines all of the individual answers to produce a final, all-encompassing pass/fail result. They know which tests carry more weight and combine the results accordingly. If you prefer a technical mumbo jumbo explanation, you can check out this post, which also includes a truth table explaining how results are combined in XACML.


Why Does Retrieving Attribute Values from a Secure LDAP Slow Performance?

This week's question gets into a very specific XACML implementation detail, but it is one that I encounter often, so I thought this might be a good place to raise awareness. You are probably already aware that one of the key features of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs), but what happens when the underlying data source requires a secure LDAP connection?


What is an XACML Policy Reference?

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute-Based Access Control (ABAC). XACML uses attributes inside policies to convey authorization statements. Policy authoring can be an art form, and we won’t be getting into every aspect of policy authoring in this article. For a brief overview of what a policy is, check out this Axiomatics article.


Why Should I Define Attribute Connectors Using JNDI?

One of the key benefits of an Attribute Based Access Control (ABAC) system is the ability to use many attributes to make fine-grained authorization decisions. The XACML reference architecture makes getting these attributes easier by defining Policy Information Points (PIPs).


What are the Possible XACML REST PDP Response Codes?

The Axiomatics Policy Server provides both a SOAP and a REST endpoint to which authorization requests can be sent. This blog will focus on the REST endpoint.
