Article
Getting Started with XML Security
Authorization Rules: XML Access Control Markup Language (XACML)
Purpose and Benefits
Although SAML provides a mechanism for making authentication and authorization assertions and conveying these assertions using an XML protocol, a vocabulary is also needed for expressing the rules used to make authorization decisions. One XML vocabulary created specifically for expressing authorization rules is the XML Access Control Markup Language [ XACML ].
Features
XACML defines:
- An XML vocabulary for expressing authorization rules
- An XML vocabulary for expressing a variety of conditions to be used in creating rules
- How rules are to be combined and evaluated
- A means for creating policy statements, each a collection of rules applicable to a subject
Key Concepts
- The XACML draft uses the SAML definitions for subjects and actions.
- XACML defines rules as targets, effects and conditions.
- A target includes resources, subjects and actions, as defined in SAML.
- An effect is either "Allow" or "Deny".
- Conditions are predicates and attributes defined in the XACML specification.
Examples
To make this concrete, consider the following rule taken from the XACML draft. It grants read access to records documents on the medico web site only if the SAML subject is the patient whose record is being read:
<Rule RuleId="//medico.corules/rule3" Effect="Permit">
  <Target>
    <Subjects>
      <saml:Attribute AttributeName="RFC822Name"
                      AttributeNamespace="//medico.com">
        <saml:AttributeValue>*</saml:AttributeValue>
      </saml:Attribute>
    </Subjects>
    <Resources>
      <saml:Attribute AttributeName="documentURI"
                      AttributeNamespace="//medico.com">
        <saml:AttributeValue>//medico.com/records.*</saml:AttributeValue>
      </saml:Attribute>
    </Resources>
    <Actions>
      <saml:Action>read</saml:Action>
    </Actions>
  </Target>
  <Condition>
    <Equal>
      <AttributeDesignator
          AttributeName="urn:oasis:names:tc:xacml:identifiers:AccessSubject" />
      <AttributeDesignator AttributeName="patientName" />
    </Equal>
  </Condition>
</Rule>
Example 14 - XACML Access Rule
Rules may be combined, and the XACML specification defines how this is done. In addition, rules may be collected into policy statements, each consisting of a target, a rule-combining algorithm, a set of rules, and obligations. The target of a policy statement determines where the policy is applicable and may be stated explicitly or derived from the targets of the policy's rules. An obligation is an action to be performed once the authorization decision is complete; an example is sending a patient a notification email each time his or her record is accessed.
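The following evaluator shows how the rule in Example 14 and the policy concepts just described (target matching, the Equal condition, rule combining and obligations) fit together at decision time. It is an added illustration written for this article, not code from the XACML draft or from any XACML implementation. The request-context dictionary, the companion "no delete" rule, the obligation text and the simplified combining semantics (Indeterminate outranks Permit under deny-overrides) are all assumptions made for the example.

```python
"""Toy evaluator for XACML-style rules (added example, not from the XACML draft).

Models a rule as target + effect + optional Equal condition, a policy as a
set of rules with a combining algorithm and obligations, and a request as a
flat dictionary of attribute name -> value (an assumption for this example).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = (
    "Permit", "Deny", "NotApplicable", "Indeterminate")

# Attribute name used by the draft's condition for the requesting subject.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:identifiers:AccessSubject"


@dataclass
class Rule:
    rule_id: str
    effect: str                  # "Permit" or "Deny"
    subject: str                 # pattern over the subject's RFC822Name; "*" = anyone
    resource: str                # regular expression over documentURI (records.*)
    action: str                  # action name, e.g. "read"
    # Optional <Equal> condition: the two attribute names whose values must be equal.
    condition: Optional[Tuple[str, str]] = None


@dataclass
class Policy:
    rules: List[Rule]
    combining: str = "deny-overrides"          # or "permit-overrides"
    # Obligations keyed by the decision they are attached to (assumed shape).
    obligations: Dict[str, List[str]] = field(default_factory=dict)


def _pattern(p: str) -> str:
    # The draft writes "*" for "any value"; other values are treated as regexes.
    return ".*" if p == "*" else p


def target_matches(rule: Rule, request: Dict[str, str]) -> bool:
    """True when the request's subject, resource and action all fall inside the target."""
    return (re.fullmatch(_pattern(rule.subject), request.get("RFC822Name", "")) is not None
            and re.fullmatch(_pattern(rule.resource), request.get("documentURI", "")) is not None
            and request.get("action") == rule.action)


def evaluate_rule(rule: Rule, request: Dict[str, str]) -> str:
    """Target miss or false condition -> NotApplicable; missing attribute -> Indeterminate."""
    if not target_matches(rule, request):
        return NOT_APPLICABLE
    if rule.condition is not None:
        left, right = rule.condition
        if left not in request or right not in request:
            return INDETERMINATE          # cannot evaluate the predicate at all
        if request[left] != request[right]:
            return NOT_APPLICABLE         # condition evaluated to false
    return rule.effect


def evaluate_policy(policy: Policy, request: Dict[str, str]) -> Tuple[str, List[str]]:
    """Combine rule results and attach the obligations for the final decision."""
    results = [evaluate_rule(r, request) for r in policy.rules]
    if policy.combining == "deny-overrides":
        precedence = (DENY, INDETERMINATE, PERMIT)    # simplified: unsure beats Permit
    elif policy.combining == "permit-overrides":
        precedence = (PERMIT, INDETERMINATE, DENY)
    else:
        raise ValueError("unknown combining algorithm: " + policy.combining)
    decision = next((d for d in precedence if d in results), NOT_APPLICABLE)
    obligations = policy.obligations.get(decision, []) if decision in (PERMIT, DENY) else []
    return decision, obligations


# The article's rule3, transcribed into the dataclass above.
RULE3 = Rule("//medico.corules/rule3", PERMIT, "*", "//medico.com/records.*", "read",
             condition=(ACCESS_SUBJECT, "patientName"))
# Constructed companion rule (not in the draft): nobody may delete records.
NO_DELETE = Rule("//medico.corules/no-delete", DENY, "*", "//medico.com/records.*", "delete")

MEDICO_POLICY = Policy([RULE3, NO_DELETE], "deny-overrides",
                       obligations={PERMIT: ["email patient: record accessed"]})


def make_request(subject: str, uri: str, action: str, patient: str) -> Dict[str, str]:
    """Constructed request context using the attribute names from the article's rule."""
    return {"RFC822Name": subject, ACCESS_SUBJECT: subject,
            "documentURI": uri, "action": action, "patientName": patient}


if __name__ == "__main__":
    own = make_request("alice@medico.com", "//medico.com/records/alice", "read", "alice@medico.com")
    other = make_request("bob@medico.com", "//medico.com/records/alice", "read", "alice@medico.com")
    print("patient reads own record:", evaluate_policy(MEDICO_POLICY, own))
    print("someone else reads it:   ", evaluate_policy(MEDICO_POLICY, other))
```

Note that a false condition yields NotApplicable rather than Deny: with only rule3 in force, a non-patient reading a record is not refused by this rule but simply falls outside it, which is why a deployment normally pairs such permit rules with a deny-overrides policy and an explicit default-deny rule.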