Merry XACML and Happy Access Control!
Since ’tis the season to be jolly, and nobody wants to spend it worrying about unauthorized access, in this blog I’d like to discuss fine-grained access control with XACML.
What’s Access Control?
While authorization grants permission to access a protected resource, access control enables you to control/restrict access to protected resources.
Let’s say I have a chimney, and I won’t tolerate people using it as an entrance to get inside my house unless it’s for a planned chimney sweep. However, on Christmas Eve, I permit Santa to use it between 11:00 PM and midnight so that he can fill my socks with X’Mas gifts! :D
In this case,
- The protected resource is the chimney.
- The subject that is going to access this protected resource is Santa.
- The action that the subject is granted is sliding through the chimney.
- The attributes related to this permission are the date and time during which Santa can use the chimney.
This means that only this subject is authorized to gain access to the protected resource, and only under the stated conditions (the action, date, and time).
Access Control Models
There are various access control models that have been used over the years:
- Mandatory Access Control: This enables the administrator to create certain access levels and link each user to a specific access level, so that a user can access only those resources at or below the user’s access level.
- Discretionary Access Control: In this model, the administrator maintains a list of users who can access a resource. Discretionary Access Control provides access based on the user’s identity (not by permission level).
- Role-Based Access Control: In this model, authorization decisions are made based on the user’s role.
- Attribute-Based Access Control: This model, also known as fine-grained access control, considers user attributes, the attributes associated with the application or resource, and environmental conditions (such as date and time) when making authorization decisions.
What’s XACML?
eXtensible Access Control Markup Language, most commonly known as XACML (pronounced ‘za-ka-mull’), is an industry standard that enables fine-grained access control. Following are some key features of XACML:
- XACML facilitates a standard way to write access control rules and evaluate access requests according to the rules defined in policies.
- As XACML is a request/response language, it provides a standard mechanism for submitting authorization queries and returning authorization decisions.
- XACML lets you compose a query to ask whether the given action should be allowed or not, and interprets the result.
- XACML supports standard extension points for defining new functions, data types, combining logic, etc.
Reference Architecture of XACML
The reference architecture of XACML has some standard components that an authorization system will have.
The administrator adds the XACML policies that enforce access control to the Policy Store via the Policy Administration Point (PAP).
When a user wants to access a particular resource in an XACML-based setup, the access request first reaches the Policy Enforcement Point (PEP), after which the following takes place:
- The PEP then communicates that access request to the Policy Decision Point (PDP).
- The PDP in turn requests the attributes that are relevant to verifying the legitimacy of the access request from the Policy Information Point (PIP).
- Next, PIP forwards this access request to the Attribute Store.
- The Attribute Store sends the relevant attributes back to the PIP.
- PIP then forwards these attributes to the PDP.
- Next, the PDP requests the policies that are relevant to verifying the legitimacy of this access request from the PAP.
- PAP forwards this request to the Policy Store.
- The Policy Store then sends the relevant policies back to the PAP.
- PAP forwards these policies to the PDP.
- Finally, the PDP, after considering the received attributes and policies, decides whether to grant access to the requested resource and sends this decision back to the PEP, which enforces it.
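To make the flow above concrete, here is an added example (written for this post; it is not XACML’s XML policy format and not the code of any product) that models the PEP, PDP, PIP and PAP in plain Python for the chimney scenario. The attribute store, the policy store, the rule structure and the simplified deny-overrides combining logic are all assumptions chosen for illustration; the sample subjects and attribute values are constructed. It also shows two things the prose does not: how a Deny rule wins over a Permit under deny-overrides, and how a missing attribute turns into an Indeterminate decision that the PEP must treat as a denial.

```python
"""Toy model of the XACML reference architecture: PEP -> PDP -> PIP / PAP.

Added illustration for this post (not the XACML XML format, not any vendor's
implementation). ATTRIBUTE_STORE, POLICY_STORE and the Rule layout are
assumptions; all subjects and attribute values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List

# Constructed attribute store: the data the PIP reads on the PDP's behalf.
ATTRIBUTE_STORE: Dict[str, Dict[str, object]] = {
    "santa": {"role": "gift-deliverer"},
    "sweep-co": {"role": "chimney-sweep"},
    "burglar": {"role": "unknown"},
}


@dataclass
class Request:
    """The access request as the PEP hands it to the PDP."""
    subject: str
    action: str
    resource: str
    environment: Dict[str, object]  # e.g. {"now": datetime, "alarm_armed": bool}


@dataclass
class Rule:
    """One rule: a target (attribute equalities) plus an optional condition."""
    name: str
    effect: str                                 # "Permit" or "Deny"
    target: Dict[str, object]                   # attribute -> required value
    condition: Callable[[Dict[str, object]], bool] = lambda attrs: True


def _santa_window(attrs: Dict[str, object]) -> bool:
    # Deliberately indexes "now" directly: if the PEP did not supply the time,
    # the condition raises and the rule evaluates to Indeterminate, as in XACML.
    now = attrs["now"]
    return now.month == 12 and now.day == 24 and now.hour == 23


# Constructed policy store, as an administrator would fill it via the PAP.
POLICY_STORE: List[Rule] = [
    Rule("planned-sweep", "Permit",
         {"resource": "chimney", "action": "enter", "role": "chimney-sweep"},
         lambda a: a.get("scheduled_sweep") is True),
    Rule("santa-on-christmas-eve", "Permit",
         {"resource": "chimney", "action": "enter", "subject": "santa"},
         _santa_window),
    Rule("alarm-armed", "Deny",
         {"resource": "chimney", "action": "enter"},
         lambda a: a.get("alarm_armed") is True),
]


def pip_collect(request: Request) -> Dict[str, object]:
    """PIP: merge request attributes, stored subject attributes and environment."""
    attrs: Dict[str, object] = {"subject": request.subject,
                                "action": request.action,
                                "resource": request.resource}
    attrs.update(ATTRIBUTE_STORE.get(request.subject, {}))
    attrs.update(request.environment)
    return attrs


def pap_policies(request: Request) -> List[Rule]:
    """PAP: return the rules whose target names this resource (or any resource)."""
    return [r for r in POLICY_STORE
            if r.target.get("resource", request.resource) == request.resource]


def rule_applies(rule: Rule, attrs: Dict[str, object]) -> bool:
    target_ok = all(attrs.get(k) == v for k, v in rule.target.items())
    return target_ok and rule.condition(attrs)


def pdp_decide(request: Request) -> str:
    """PDP with simplified deny-overrides: Deny > Indeterminate > Permit > NotApplicable."""
    attrs = pip_collect(request)
    effects: List[str] = []
    for rule in pap_policies(request):
        try:
            if rule_applies(rule, attrs):
                effects.append(rule.effect)
        except Exception:               # missing attribute, type error, ...
            effects.append("Indeterminate")
    for decision in ("Deny", "Indeterminate", "Permit"):
        if decision in effects:
            return decision
    return "NotApplicable"


def pep_enforce(request: Request) -> bool:
    """PEP: only an explicit Permit opens the chimney; everything else is denied."""
    return pdp_decide(request) == "Permit"


if __name__ == "__main__":
    eve = datetime(2023, 12, 24, 23, 30)
    for req in (Request("santa", "enter", "chimney", {"now": eve}),
                Request("burglar", "enter", "chimney", {"now": eve}),
                Request("santa", "enter", "chimney", {"now": eve, "alarm_armed": True}),
                Request("santa", "enter", "chimney", {})):
        print(req.subject, req.environment, "->", pdp_decide(req), pep_enforce(req))
```

Note the fail-closed PEP: NotApplicable and Indeterminate both result in the door (well, chimney) staying shut, which is the behaviour you want when a policy is missing or an attribute lookup fails.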
Pros and Cons
Pros:
- XACML has a standard way of processing authorization requests, defining authorization policies, and sending standard requests and responses. This leads to interoperability and easy integration.
- The components of the XACML reference architecture are loosely coupled, so no component needs to be aware of the others’ internals. This gives the freedom to source these components from different vendors, which makes the solution vendor-neutral.
Cons:
- Writing XACML policies is not an easy task.
- As the policies can be bulky, there could be a negative impact on the performance.
I hope you got a brief intro on how XACML enables fine-grained access control!
- For a quick tutorial on implementing XACML with WSO2 Identity Server, see Configuring Fine-Grained Access Control with XACML.
- For more information, see Access Control and Working with XACML.
- To check out some cheerful Christmas tunes, visit https://youtu.be/xbPQWEb9Dgk, https://youtu.be/N2LmlidHdoQ, and https://youtu.be/Xw38pGhPXIk.