PERMIS PMI. David Chadwick. 7 November TrueTrust Ltd 1

Size: px

Start display at page:

Download "PERMIS PMI. David Chadwick. 7 November TrueTrust Ltd 1"

Maurice Richardson
6 years ago
Views:

1 PERMIS PMI David Chadwick 7 November TrueTrust Ltd 1

2 X.812 ISO Access Control Framework Initiator Submit Access Request AEF Present Access Request Target Decision Request Decision ADF 7 November TrueTrust Ltd 2

3 ADF API AEF Application specific Decision Request ADF API Decision Examples: OpenGroup AZN API IETF GAA API PERMIS API ADF Application independent 7 November TrueTrust Ltd 3

4 AZN API System Structure Authentication Mechanism Initiator Authentication Service Target AEF AZN API Initiator Security Attributes AZN API Implementation ADF Access Control Policy Rules 7 November TrueTrust Ltd 4

5 PERMIS API System Structure Initiator Submit Signed Access Request Application Gateway Decision Request Authentication Service AEF The PERMIS PMI API PERMIS API Implementation Decision ADF Present Access Request PKI Target LDAP Directory Retrieve Policy and Role ACs 7 November TrueTrust Ltd 5

6 PERMIS PMI Components Privilege Policy Schema/DTD This defines the meta rules that govern the creation of the Privilege Policy (Access Control Policy Rules) Privilege Allocator This tool allows an administrator to create and sign Attribute Certificates, including a Policy AC (this is a signed version of the Privilege Policy), and store them in an LDAP directory The PERMIS PMI Implementation This grants or denies Initiators access to resources, based on the Privilege Policy and the ACs of the Initiator. The ADF is accessed via the PERMIS API 7 November TrueTrust Ltd 6

7 Application Specific Components The Access Enforcement Function Its task is to ensure the Initiator is authenticated by the PKI, then to call the ADF, and give access to the target if allowed The PKI Any standard conforming PKI can be used Java PKCS#11 Interface to the PERMIS PMI The Privilege Policy in XML This must be written according to the schema/dtd LDAP Directory To store the Policy and Initiator ACs 7 November TrueTrust Ltd 7

8 PERMIS X.509 PMI RBAC Policy Role Based Access Control Policy written in XML Initiators are given Role Assignment ACs A role is loosely defined as any Attribute Type and Attribute Value Role values can form a hierarchy, where superiors inherit the privileges of their subordinates e.g. CTO>PM>TL>TM ACs can be issued by any trusted AA Access is based on the Roles Published by XML.org at 7 November TrueTrust Ltd 8

9 An Example Policy - the Header <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE X.509_PMI_RBAC_Policy SYSTEM "file://localhost/c:/research/permis/policy7.dtd"> <X.509_PMI_RBAC_Policy OID=" "> 7 November TrueTrust Ltd 9

10 Role Assignment Policy Components Subject Policy Specifies subject domains based on LDAP subtrees Role Hierarchy Policy Specifies hierarchy of role values SOA Policy Specifies who is trusted to issue ACs Role Assignment Policy Says which roles can be given to which subjects by which SOAs, with which validity times and whether delegation is allowed 7 November TrueTrust Ltd 10

11 An Example Subject Policy <SubjectPolicy> <SubjectDomainSpec ID="Companies"> <Include LDAPDN= dc=myorg, dc=com"/> <Include LDAPDN="dc=co,dc=uk"/> </SubjectDomainSpec> <SubjectDomainSpec ID="Employees"> <Include LDAPDN="dc=salford,dc=gov,dc=uk"/> </SubjectDomainSpec> </SubjectPolicy> 7 November TrueTrust Ltd 11

12 An Example Role Hierarchy Policy <RoleHierarchyPolicy> <RoleSpec Type= permisrole OID= > <SupRole Value= TenderOfficer /> <SubRole Value= TenderClerk /> <SupRole Value= Tenderer /> <SupRole Value= TenderClerk /> </RoleSpec> </RoleHierarchyPolicy> Tenderer TenderOfficer TenderClerk 7 November TrueTrust Ltd 12

13 An Example SOA Policy <SOAPolicy> <SOASpec ID="Salford" LDAPDN="cn=David Hunter, ou=computing, dc=salford, dc=gov, dc=uk"/> <SOASpec ID="BSI" LDAPDN="o=bsi,c=gb"/> </SOAPolicy> 7 November TrueTrust Ltd 13

14 An Example Role Assignment Policy <RoleAssignment> <SubjectDomain ID="Employees"/> <Role Type= permisrole" Value="TenderOfficer"/> <Delegate Depth="0"/> <SOA ID="Salford"/> <Validity> <Absolute Start=" T17:00:00"/> </Validity> </RoleAssignment> 7 November TrueTrust Ltd 14

15 Policy Components (cont) Target Policy Specifies the target domains covered by this policy, using LDAP subtrees Action Policy Specifies the actions (operations) supported by the targets, along with their allowed operands Target Access Policy Specifies which roles are needed to access which targets for which actions, and under what conditions 7 November TrueTrust Ltd 15

16 Target Access Conditions A condition comprises: a comparison operator the LHS operand(variable), described by its source, name and type, and variable source is the action or the environment Eg. Source Read action, Name filename, Type string Eg. Source environment, Name time of day, Type time a series of one or more variables or constant values against which the LHS operand is to be compared Conditions may be combined using AND, OR, NOT 7 November TrueTrust Ltd 16

17 An Example Target Policy <TargetPolicy> <TargetDomainSpec ID="TenderStore"> <Include LDAPDN="cn=Tender Store, ou=computing, dc=salford,dc=gov,dc=uk"/> </TargetDomainSpec> </TargetPolicy> 7 November TrueTrust Ltd 17

18 An Example Action Policy <ActionPolicy> <Action Args="TenderNo" Name="Write" /> <Action Args="TenderNo" Name="Read"/> <Action Args="TenderNo" Name="Delete"/> </ActionPolicy> 7 November TrueTrust Ltd 18

19 An Example Target Access Policy <TargetAccess> <RoleList> <Role Type= permisrole" Value="TenderOfficer"/> </RoleList> <TargetList> <Target Actions= Delete"> <TargetDomain ID="TenderStore"/> </Target> </TargetList> 7 November TrueTrust Ltd 19

20 An Example Condition Statement <IF> </IF> <EQ> <Environment Parameter="TimeOfAccess" Type="Time"/> <Constant Type="TimePeriod" Value= "DaysOfWeek= End= LocalOrUTC=local Start= TimeOfDay=T090000/T170000"/> </EQ> </TargetAccess> 7 November TrueTrust Ltd 20

21 Creating Your Own Policy If an XML expert, simply use your favourite text editor Or use an XML tool such as Xeena from IBM Alphaworks 7 November TrueTrust Ltd 21

22 The Privilege Allocator A tool for creating Attribute Certificates 7 November TrueTrust Ltd 22

23 The PERMIS API Four Simple Calls: Initialise, GetCreds, Decision and Shutdown Written in Java and based on the OpenGroup s AZN API Initialise Pass the name of the administrator, the OID of the policy and the URLs of the LDAP repositories Initialise reads in the Policy AC and verifies its signature and OID 7 November TrueTrust Ltd 23

24 API State Transition Diagram Decision Initialise Initialised GetCreds Subject Known Shutdown Un-initialised GetCreds 7 November TrueTrust Ltd 24

25 The PERMIS API (cont) GetCreds Pass the authenticated name (LDAP DN) of the subject Pull mode, GetCreds retrieves the subject s ACs Push mode, ACs are passed to GetCreds ACs are validated and roles extracted Decision Pass the target name, the action, and the parameters of the subject s request Decision checks the request against the policy and returns Granted or Denied Shutdown Terminates the use of this policy 7 November TrueTrust Ltd 25

26 Putting it altogether - Allocating Privileges SOA Privilege Allocator Attribute Certificates + ACRLs LDAP directory PK Certs+ PKCRLs PKI Certifies Privilege Policy LDAP directory Authorises INTRANET INTERNET Remote Application User 7 November TrueTrust Ltd 26

27 Privilege Creation Steps SOA defines Privilege Policy using Privilege Allocator Privilege Policy is stored in LDAP directory as self signed Attribute Certificate SOA allocates privileges to user, in accordance with the Privilege Policy SOA can revoke user privileges SOA can update Privilege Policy 7 November TrueTrust Ltd 27

28 Granting User Access E- Commerce Application Server Accesses using privileges granted the user LDAP directory Privilege Policy ACs + ACRLs + PK CRLs Privilege Verifier LDAP directory Digitally Signed Request (SSL or S/MIME) INTRANET INTERNET Application Gateway Remote Application User 7 November TrueTrust Ltd 28

29 Example Applications Salford City Council - Electronic Tendering Barcelona Municipality - Car Parking Fines Bologna Comune - architects submitting building plans Electronic Prescription Processing 7 November TrueTrust Ltd 29

RBAC POLICIES IN XML FOR X.509 BASED PRIVILEGE MANAGEMENT

3 RBAC POLICIES IN XML FOR X.509 BASED PRIVILEGE MANAGEMENT D.W.Chadwick, A. Otenko University of Salford Abstract: Key words: This paper describes a role based access control policy template for use by