Policy-based access control Willem De Groef, iMinds-DistriNet [email protected]


● Software artifact
● Declarative specification of access rules
● Independent from enforcement mechanism

PBAC and what it can mean for your business

[Figure labels: Business policy; Employees; Governance; Operational]

Explaining PBAC


General Access Control System

[Figure labels: User / Subject / Principal; Action; Guard; Protected resource]

1. How and where to implement the guard

2. How to encode the access rules

Basic approach: rules in code

[....]
if (! ("manager" in user.roles
       and doc.owner == user
       and 8h00 < now() < 17h00 )) {
    [...]
}

+ straightforward

+ you can encode almost anything

- access rules are code

- no separation of concerns

- no modularity leads to audit challenge

- what if rules change?
  ▪ update application code
  ▪ updates all over the place


More advanced approach: modularization

@authz(user, "read", result)
public Document getDoc(docId) { [...] }

+ central definition of rules

+ easier to audit

- access rules are code

- IT is still in charge

- no separation of concerns

- what if rules change?
  ▪ update application code
  ▪ updates all over the place


public boolean authz(subject, action, resource) {
    if (! ("manager" in user.roles and …)) { [...] }
}

Most advanced approach: policy-based

@authz(user, "read", result)
public Document getDoc(docId) { [...] }

[Figure labels: PolicyDecisionPoint; Policy]

+ central authorization logic

+ central definition of rules

+ easy to audit

+ access rules independent artifacts

+ clear separation of concerns

+ rule updates at run-time


Not all rainbows and unicorns


PBAC and what it can mean for your business

[Figure labels: Business policy; Employees; Governance; Operational]

<Policy PolicyId="dynamic-separation-of-duty" RuleCombiningAlgId="deny-overrides">
  <Description>Dynamic separation of duty</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="string-equal">
          <AttributeValue DataType="string">doc123</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource:id" DataType="string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <Rule RuleId="deny" Effect="Deny">
    <Description>Deny if viewed other doc</Description>
    <Condition>
      <Apply FunctionId="string-is-in">
        <AttributeValue DataType="string">doc456</AttributeValue>
        <SubjectAttributeDesignator AttributeId="subject:historyy" DataType="string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default-permit" Effect="Permit">
  </Rule>
  <Obligations>
    <Obligation ObligationId="append-attribute" FulfillOn="Permit">
      <AttributeAssignment AttributeId="value" DataType="string">
        <SubjectAttributeDesignator AttributeId="resource:id" DataType="string"/>
      </AttributeAssignment>
      <AttributeAssignment AttributeId="attribute-id" DataType="string">subject:history</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>
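An added example (not code from the slides): a minimal policy decision point in Python that evaluates the dynamic separation-of-duty policy as plain data, with deny-overrides combining and the append-to-history obligation. The dictionary layout and the names `decide` and `guard` are assumptions made for illustration, not XACML or any product's API; the guard also assumes that NotApplicable is refused.

```python
# Added example: the policy is data, so it can be replaced at run time
# without touching the guard or the application code.
POLICY = {  # constructed from the separation-of-duty policy on the slide
    "id": "dynamic-separation-of-duty",
    "combining": "deny-overrides",
    "target": {"resource:id": "doc123"},
    "rules": [
        {"id": "deny", "effect": "Deny",
         "condition": {"value": "doc456", "is_in": "subject:history"}},
        {"id": "default-permit", "effect": "Permit"},
    ],
    "obligations": [
        {"fulfill_on": "Permit", "append": "resource:id", "to": "subject:history"},
    ],
}

def decide(policy, attrs):
    """PDP: return (decision, obligations) for one request's attributes."""
    if any(attrs.get(k) != v for k, v in policy["target"].items()):
        return "NotApplicable", []
    if policy["combining"] != "deny-overrides":
        raise ValueError("unsupported combining algorithm")
    effects = []
    for rule in policy["rules"]:
        cond = rule.get("condition")
        # A rule without a condition always applies.
        if cond is None or cond["value"] in attrs.get(cond["is_in"], []):
            effects.append(rule["effect"])
    if "Deny" in effects:            # deny-overrides: one Deny wins
        decision = "Deny"
    elif "Permit" in effects:
        decision = "Permit"
    else:
        decision = "NotApplicable"
    obligations = [o for o in policy["obligations"] if o["fulfill_on"] == decision]
    return decision, obligations

def guard(policy, subject, resource_id):
    """Guard: ask the PDP, fail closed, fulfil obligations on Permit."""
    attrs = {**subject, "resource:id": resource_id}
    decision, obligations = decide(policy, attrs)
    if decision != "Permit":
        return False                 # assumption: NotApplicable is refused too
    for o in obligations:
        subject[o["to"]].append(attrs[o["append"]])
    return True
```

The obligation is what makes the separation of duty dynamic: each permitted access is recorded in the subject's history, which later decisions then read.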


Independent declarative policy specification

1. Easy-to-use Policy languages


XACML policy editor


IDE for ALFA policy language

Simple Tree-structured Attribute-based Policy Language

https://goo.gl/F2RE8g

val policy = Policy("e-health example") :=
  when ((action.id === "view") &
        (resource.type_ === "patient-data") &
        ("physician" in subject.roles))
  apply PermitOverrides to (
    Rule("requirement-for-permit") := permit
      iff (resource.owner_id in subject.treated),
    Rule("default deny") := deny
  )

2. Correctness & completeness support


Only syntactic correctness checks


Decoupling from application logic is hard

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBuckets",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

s3:ListBucket

Open research challenges

● Improve performance & scalability of the PDP

● Interoperability across multiple applications

● Access rules for the database layer

● Conflict resolution in policies

● Management of policies

● Supporting organizational processes


Conclusions


Policy-based access control

● Enables exciting new opportunities
  ○ Allows decent access management processes
  ○ Keep access control system in sync with your business
● Technology-wise still some hurdles
● Be future-proof by modularizing authorization!


Any further questions?

Contact us [email protected]

Interested in our events?

Subscribe here: http://bit.ly/DistrinetAccessControl