l16 - CS 290C: Formal Models for Web Software Lectures 16:...


CS 290C: Formal Models for Web Software
Lecture 16: Modeling and Analyzing Access Control Policies
Instructor: Tevfik Bultan

Access Control
- Web-based applications are used to access all types of sensitive information, such as bank accounts, employee records and even health records.
- Given the ease of access provided by the Web, it is crucial to provide access control mechanisms for applications that deal with sensitive information.
- Moreover, due to the increasing use of service-oriented architectures, it is necessary to develop techniques for keeping access control policies consistent across heterogeneous systems and applications spanning multiple organizations.

XACML
- eXtensible Access Control Markup Language (XACML) is an XML-based language for expressing access rights to arbitrary objects that are identified in XML.
- It particularly focuses on the composition of many individual policies into a single super-policy.

Role Based Access Control (RBAC)
- XACML uses Role Based Access Control (RBAC).
- Instead of identifying a set of access rules for individual users, the users are grouped into a set of roles.
- Then the access control rules are specified based on roles and combined into an access control policy.
- A user with a particular role obtains access for an operation if that role has access to that operation based on the access control policy.

XACML Policy Enforcement
- XACML policy enforcement consists of three main components:
  - A policy
  - A Policy Enforcement Point (PEP)
  - A Policy Decision Point (PDP)

XACML Components
- An XACML Policy Enforcement Point (PEP) is the gateway that determines whether an action is permitted or not.
- The PEP takes access requests, which are specially formatted XML documents that define a set of data values.
- The PEP forwards the request to the Policy Decision Point (PDP).

XACML Components
- The Policy Decision Point (PDP) evaluates the request and sends back a response.
- To get to the policies, the PDP uses the Policy Access Point (PAP), which stores the policies and makes them available to the PDP.
- The PDP may also invoke the Policy Information Point (PIP) service to retrieve the attribute values related to the subject, the resource, or the environment.

XACML Result
- After the request is evaluated, the Policy Enforcement Points yield one of four results:
  - Permit, meaning that the access request is permitted;
  - Deny, meaning that the access request will not be permitted;
  - Not Applicable, meaning that this particular policy says nothing about the request;
  - Indeterminate, which means that something unexpected has occurred and the execution of the policy has failed.
- Which result occurs depends on what result the policy dictates, given the data in the access request.

XACML Policies
- XACML policies are written in XML, and typically authored using a dedicated policy editor. ...
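The slides above describe the PEP/PDP/PIP flow, role-based rules composed into a super-policy, and the four possible results. The following Python model, added here as an illustration and not part of the lecture or of any XACML implementation, ties those pieces together: a PIP that supplies a subject's roles, rules that match on (role, resource, action), a deny-overrides combiner applied first within a policy and then across policies, and a PEP that fails closed by granting access only on Permit. The roles, resources and subjects are constructed sample data, and the deny-overrides combiner is a simplified version of the XACML one (the specification itself refers to the PAP as the Policy Administration Point).

```python
"""Toy XACML-style policy decision model (added example; constructed data)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Iterable, List, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# Precedence for the simplified deny-overrides combiner: a Deny anywhere wins,
# an evaluation failure beats a Permit, and with no applicable rule at all the
# result is NotApplicable.
_PRECEDENCE = {Decision.DENY: 3, Decision.INDETERMINATE: 2,
               Decision.PERMIT: 1, Decision.NOT_APPLICABLE: 0}


def deny_overrides(decisions: Iterable[Decision]) -> Decision:
    result = Decision.NOT_APPLICABLE
    for d in decisions:
        if _PRECEDENCE[d] > _PRECEDENCE[result]:
            result = d
    return result


@dataclass(frozen=True)
class Request:
    """The access request the PEP builds from the incoming action."""
    subject: str
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    """One RBAC rule: the roles that may (or may not) perform action on resource."""
    roles: FrozenSet[str]
    resource: str
    action: str
    effect: Decision  # PERMIT or DENY

    def evaluate(self, req: Request, subject_roles: FrozenSet[str]) -> Decision:
        if (req.resource, req.action) != (self.resource, self.action):
            return Decision.NOT_APPLICABLE
        return self.effect if self.roles & subject_roles else Decision.NOT_APPLICABLE


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]

    def evaluate(self, req: Request, subject_roles: FrozenSet[str]) -> Decision:
        return deny_overrides(r.evaluate(req, subject_roles) for r in self.rules)


class PDP:
    """Policy Decision Point: combines the policies the PAP hands it into one super-policy."""

    def __init__(self, policies: List[Policy], pip: Callable[[str], FrozenSet[str]]):
        self.policies = policies
        self.pip = pip  # Policy Information Point: attribute lookup for the subject

    def evaluate(self, req: Request) -> Decision:
        try:
            roles = self.pip(req.subject)
        except LookupError:
            # Attribute retrieval failed: the policy cannot be evaluated.
            return Decision.INDETERMINATE
        return deny_overrides(p.evaluate(req, roles) for p in self.policies)


class PEP:
    """Policy Enforcement Point: only an explicit Permit grants access (fail closed)."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, subject: str, resource: str, action: str) -> bool:
        return self.pdp.evaluate(Request(subject, resource, action)) is Decision.PERMIT


# Constructed sample data: a role directory and three policies from different "owners".
_ROLES = {"alice": {"teller"}, "bob": {"auditor"}, "carol": {"teller", "manager"}}


def sample_pip(subject: str) -> FrozenSet[str]:
    return frozenset(_ROLES[subject])  # KeyError (a LookupError) for unknown subjects


def build_sample_pdp() -> PDP:
    accounts = Policy("accounts", (
        Rule(frozenset({"teller"}), "account", "read", Decision.PERMIT),
        Rule(frozenset({"manager"}), "account", "transfer", Decision.PERMIT),
        Rule(frozenset({"auditor"}), "account", "transfer", Decision.DENY),
    ))
    hr = Policy("hr", (
        Rule(frozenset({"manager"}), "employee_record", "read", Decision.PERMIT),
    ))
    # A second organisation's policy that conflicts with "accounts" for managers;
    # deny-overrides makes the Deny win in the composed super-policy.
    compliance = Policy("compliance", (
        Rule(frozenset({"manager"}), "account", "transfer", Decision.DENY),
    ))
    return PDP([accounts, hr, compliance], sample_pip)


def decide(subject: str, resource: str, action: str) -> Decision:
    return build_sample_pdp().evaluate(Request(subject, resource, action))


if __name__ == "__main__":
    for s, r, a in [("alice", "account", "read"), ("carol", "account", "transfer"),
                    ("dave", "account", "read")]:
        print(s, r, a, "->", decide(s, r, a).value)
```

The two things worth noticing are that a Deny in the compliance policy overrides a Permit in the accounts policy once the policies are composed, and that the PEP treats NotApplicable and Indeterminate exactly like Deny: a missing rule or a failed attribute lookup never becomes an accidental grant.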

This note was uploaded on 12/27/2011 for the course CMPSC 290h taught by Professor Chong during the Fall '09 term at UCSB.
