Going on vacation, how can I implement delegation in XACML?

Delegating access: the proxy-delegate pattern

Sometimes, as users, we want to delegate access to our resources. For instance, an account manager may want to delegate access to their accounts to another account manager. This typically happens when the first account manager, Alice, is on vacation or unavailable, and she wants to make sure another manager, Bob, can handle her accounts.


What is the main difference between XACML 3.0 and XACML 2.0?

To Axiomatics prospects and customers, standardization, or standards compliance, is of great importance and often one of the deciding factors in choosing Axiomatics over “homegrown” or vendor proprietary products.

A standards-based product will, among other things, allow the customer to source software from multiple standards-compliant vendors and reduce the business risk of “vendor lock-in.” When it comes to Attribute Based Access Control (ABAC), the only applicable standard is the eXtensible Access Control Markup Language (XACML). This is the standard an organization should require compliance with when evaluating solutions for Externalized Access Management (the term Gartner now uses), fine-grained access control, or Attribute Based Access Control.


In XACML, what is a bag?

Background

Attribute Based Access Control (ABAC) combines attributes with a set of policies to reach authorization decisions. A request is sent from an application, API gateway, or anything else acting as a Policy Enforcement Point (PEP). The Policy Decision Point (PDP) receives the request and evaluates it against the authorization policies it holds. While doing so, the PDP may call one or more Policy Information Points (PIPs) to retrieve additional attribute values.


Why don’t I get Obligations or Advice back on Indeterminate or Not Applicable responses?

Background

When a policy is evaluated by a XACML 3.0 Policy Decision Point (PDP), Obligations and Advice elements are discarded for “Indeterminate” and “NotApplicable” results. Only a “Permit” or “Deny” decision carries Obligations or Advice back to the PEP. This installment of our Question of the Week explores the reason for this behavior.


How can the permit-unless-deny combining algorithm be dangerous?

Background

We haven’t discussed combining algorithms much, but they are just one of the many powerful features of an XACML-based authorization system. You can think of combining algorithms as a way to assign weight to many partial answers to the same question. Let’s use a background check as an example. A background check has many different questions/tests in it, but how do you determine if someone passes or fails? The administrator of the background check combines all of the individual answers to produce a final, all-encompassing pass/fail result. They know which tests carry more weight and combine the results accordingly. If you prefer a technical mumbo jumbo explanation, you can check out this post, which also includes a truth table explaining how results are combined in XACML.


How do I use the map function in XACML?

In XACML, what are Map functions?

The short answer: a map function applies or maps another function to a set of values.

Background

XACML, the eXtensible Access Control Markup Language, is an authorization language that implements Attribute Based Access Control (ABAC). As the name indicates, XACML uses attributes with a policy language to convey authorization statements.
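Both the bag question and the map question above come down to the same fact: every attribute in a XACML request is a bag (an unordered collection that may hold zero, one or many values), and the map function applies another function to each member of such a bag. The following is an added example written for this page, not Axiomatics' or OASIS' code: the relevant standard functions modelled in Python, and a condition written two ways, once assuming a single-valued `role` attribute and once tolerating any cardinality. The attribute name `role` and the sample bags are constructed for illustration.

```python
# Added example (not Axiomatics' or OASIS' code): XACML bag semantics in Python.
# Attribute values are bags even when they hold one value or none; the URNs in
# the comments name the standard functions each helper models.
from typing import Callable, List

Bag = List[object]   # unordered, duplicates allowed; a plain list is enough here


class Indeterminate(Exception):
    """Raised where the XACML function would evaluate to Indeterminate."""


def one_and_only(b: Bag) -> object:
    # urn:oasis:names:tc:xacml:1.0:function:string-one-and-only (and the other
    # *-one-and-only functions): Indeterminate unless the bag holds exactly one value.
    if len(b) != 1:
        raise Indeterminate(f"expected exactly one value, got {len(b)}")
    return b[0]


def bag_size(b: Bag) -> int:
    return len(b)                      # ...:1.0:function:string-bag-size


def is_in(value: object, b: Bag) -> bool:
    return value in b                  # ...:1.0:function:string-is-in


def at_least_one_member_of(a: Bag, b: Bag) -> bool:
    return any(v in b for v in a)      # ...:1.0:function:string-at-least-one-member-of


def subset(a: Bag, b: Bag) -> bool:
    return all(v in b for v in a)      # ...:1.0:function:string-subset


def xacml_map(fn: Callable[[object], object], b: Bag) -> Bag:
    # ...:3.0:function:map — apply fn to every member and return the results as a bag
    return [fn(v) for v in b]


def lower(s: object) -> str:
    return str(s).lower()              # ...:1.0:function:string-normalize-to-lower-case


def naive_role_check(role_bag: Bag) -> bool:
    """Written as if 'role' were single-valued: string-equal(one-and-only(role), "manager")."""
    return one_and_only(role_bag) == "manager"


def robust_role_check(role_bag: Bag) -> bool:
    """Tolerates any cardinality: string-is-in("manager", map(lower, role))."""
    return is_in("manager", xacml_map(lower, role_bag))


def evaluate(check: Callable[[Bag], bool], role_bag: Bag) -> str:
    """Decision a Permit rule with this condition would produce for the given bag."""
    try:
        return "Permit" if check(role_bag) else "NotApplicable"
    except Indeterminate:
        return "Indeterminate"


if __name__ == "__main__":
    # Constructed sample bags: one value, several values (e.g. LDAP groups), none (PIP had nothing)
    for label, b in (("single", ["Manager"]), ("multi", ["Auditor", "Manager"]), ("empty", [])):
        print(f"{label:7} naive={evaluate(naive_role_check, b):14} robust={evaluate(robust_role_check, b)}")
```

The naive condition goes Indeterminate as soon as a directory returns two roles, or none, because one-and-only demands exactly one value; it also misses "Manager" through case. Mapping normalize-to-lower-case over the bag and testing membership gives a condition that behaves the same for one, many, or zero values.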


How do I write authorization policies for Big Data?


When it comes to securing access to services and data, we see many different use cases and, with that, the enforcement of authorization rules at different layers in the IT stack. This spans all the way from the Web/Presentation tier down to the data tier as illustrated in Figure 1.

Enforcing authorization directly at the data level is incredibly powerful as it could mean minimal or no changes to the applications that are accessing the data itself. The approach could be designed in such a way that, regardless of what application (web application, business analysis, etc.) is accessing the data, access is systematically controlled and consistently enforced. With this model, you can achieve tremendous leverage to cover many applications with a single ABAC integration at the data source.


How can commercial off-the-shelf (COTS) applications be supported with XACML?

As a Sales Engineer, it’s not uncommon to meet with a customer - or a prospective customer - who, along with securing APIs, microservices and a web portal, would also like to secure some commercial off-the-shelf application (“COTS application” from here on). And why not? They see themselves shifting from the limitations of RBAC to the possibilities of ABAC, so the question makes sense. The challenge, of course, is that the COTS application in question isn’t built by your team, nor can you change its already compiled code. So what can be done about it?


How Can I Use Policy References in ALFA?

The Abbreviated Language For Authorization (Wikipedia), or ALFA, is a domain-specific language used to express XACML authorization policies. It is far easier to work with than the raw XML and, depending on who you ask, easier to understand and work with than UI tools.

Currently there is only one way to write an ALFA policy, and that is to use the ALFA plug-in for Eclipse. This is not going to be a post about ALFA in general but more specifically about how to define and use Policy and PolicySet references, and what the resulting XACML looks like.


How Can I Return the Reason for a Denial in a XACML Response?

The XACML standard provides a means of returning the reason for an access request denial through the Obligations and Advice expressions (Obligations existed in XACML 2.0; Advice was added in the 3.0 standard). A comprehensive explanation of Obligations and Advice can be found in our blog entry titled You are not obliged to follow my advice: Obligations and Advice in XACML part 1. More specifically, an in-depth explanation of how denial reasons can be returned in an Advice message can be found in Obligations and Advice in XACML part 2.
