
Configuration Notes

After unzipping the DDF distribution, place the desired XACML policy in the <distribution root>/etc/pdp/policies directory. The PDP polls this directory for XACML policies every 60 seconds. A sample XACML policy is located at the end of this page.

Information on specific bundle configurations and names can be found on the Security PDP application page.

Creating a Policy

This document assumes familiarity with the XACML schema and does not go into detail on the XACML language. There are some DDF-specific items to consider when creating a policy so that it works with the XACMLRealm. When creating a policy, a target is used to specify that a certain rule (or the whole policy) should be evaluated only for a particular type of request. Targets can be used on the main Policy element and on any individual Rule. In DDF, targets are generally keyed on the action that is set in the request.

Actions

For DDF, these actions are populated by various components in the security API. The actions and where they are populated are described in the table below:

Operation | Action-id Value | Component Setting the Action | Description
Filtering / Redaction | filter | security-pdp-xacmlrealm | When performing any redaction or filtering, the XACMLRealm sets the action-id to "filter".
Service | <SOAPAction> | security-pep-interceptor | If the PEP Interceptor is added to any SOAP-based web service for service authorization, the action-id is the SOAPAction of the incoming request. This allows the XACML policy to have specific rules for individual services within the system.

These are the only action-id values currently created by the components that ship with DDF. Additional components can be written and added to DDF that set their own specific action-ids.

In the Examples section below, the policy specifies targets for the types of calls above. For the Filtering / Redaction code, the target is set to "filter", while for the Service validation code the targets are geared toward two services: query and LocalSiteName. In a production environment, these service-authorization actions will generally be full URNs that are described within the SOAP WSDL.

Attributes

Attributes for the XACML request are populated from information in the calling subject as well as the resource being checked against.

Subject

The attributes for the subject are obtained from the SAML claims and populated within the XACMLRealm as individual attributes under the urn:oasis:names:tc:xacml:1.0:subject-category:access-subject category. The name of the claim is used as the AttributeId value. Examples of these populated attributes are shown in the sample requests at the end of this page.

Resource

The attributes for resources are obtained through the permissions process. When checking permissions, the XACMLRealm retrieves a list of permissions that should be checked against the subject. These permissions are populated outside of the realm and should be populated with the security attributes located in the metacard security property. When the permissions are of a key-value type, the key is used as the AttributeId value under the urn:oasis:names:tc:xacml:3.0:attribute-category:resource category.

Example Requests and Responses

The following items are a sample request, response, and the corresponding policy. For the XACML PDP, the request is made by the XACML Realm (security-pdp-xacmlrealm) and passed to the XACML Processing Engine (security-pdp-xacmlprocessor), which reads the policy and outputs a response.

Policy

This is the sample policy used for the following sample requests and responses. The policy handles the following actions: filter, query, and LocalSiteName. The filter action compares the subject's SUBJECT_ACCESS attributes to the metacard's RESOURCE_ACCESS attributes. The query and LocalSiteName actions differ in that they are used for service authorization: for a query, the user must be associated with the country code ATA (Antarctica), while a LocalSiteName action can be performed by anyone.


Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
	<PolicyDefaults>
		<XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
	</PolicyDefaults>
	<Target>
		<AnyOf>
			<AllOf>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">filter</AttributeValue>
					<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				</Match>
			</AllOf>
			<AllOf>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">query</AttributeValue>
					<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				</Match>
			</AllOf>
			<AllOf>
				<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LocalSiteName</AttributeValue>
					<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				</Match>
			</AllOf>
		</AnyOf>
	</Target>
	<Rule Effect="Permit" RuleId="permit-filter">
		<Target>
			<AnyOf>
				<AllOf>
					<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">filter</AttributeValue>
						<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
					</Match>
				</AllOf>
			</AnyOf>
		</Target>
		<Condition>
			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
				<AttributeDesignator AttributeId="RESOURCE_ACCESS" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
				<AttributeDesignator AttributeId="SUBJECT_ACCESS" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
			</Apply>
		</Condition>
	</Rule>
	<Rule Effect="Permit" RuleId="permit-action">
		<Target>
			<AnyOf>
				<AllOf>
					<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ATA</AttributeValue>
						<AttributeDesignator AttributeId="http://www.opm.gov/feddata/CountryOfCitizenship" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
					</Match>
					<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">query</AttributeValue>
						<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
					</Match>
				</AllOf>
				<AllOf>
					<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
						<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">LocalSiteName</AttributeValue>
						<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
					</Match>
				</AllOf>
			</AnyOf>
		</Target>
	</Rule>
	<Rule Effect="Deny" RuleId="deny-read"/>
</Policy>
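The following Python script is an added example, not code from DDF or from this page. It ties the Attributes section above to the sample policy: it builds a XACML 3.0 Request the way the XACMLRealm is described as populating it (each SAML claim name becomes an AttributeId under the access-subject category, each metacard security key becomes an AttributeId under the resource category, multi-valued claims become repeated Attribute elements), then evaluates that request against the three rules of the sample policy, including the MustBePresent="true" designators and permit-overrides combining. The claim values, the metacard markings, the helper names (build_request, parse_request, evaluate, decide) and the simplified combining logic are assumptions of the example; in a deployment the security-pdp-xacmlprocessor engine makes the decision.

```python
# Added example (not DDF project code): build a XACML 3.0 Request the way the
# XACMLRealm populates it, then evaluate it against the sample policy's rules.
# Claim values, metacard markings and helper names are constructed for illustration.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
COUNTRY_ID = "http://www.opm.gov/feddata/CountryOfCitizenship"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def build_request(action, claims, permissions):
    """Serialise a Request: the action-id, one access-subject Attribute per claim value
    (claim name = AttributeId) and one resource Attribute per metacard security value."""
    ET.register_namespace("", NS)
    req = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")
    for category, bags in ((CAT_ACTION, {ACTION_ID: [action]}),
                           (CAT_SUBJECT, claims), (CAT_RESOURCE, permissions)):
        attrs = ET.SubElement(req, f"{{{NS}}}Attributes", Category=category)
        for attr_id, values in bags.items():
            for value in values:  # multi-valued claims become repeated Attributes
                attr = ET.SubElement(attrs, f"{{{NS}}}Attribute",
                                     AttributeId=attr_id, IncludeInResult="false")
                ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=XS_STRING).text = value
    return ET.tostring(req, encoding="unicode")

def parse_request(xml_text):
    """Return {category: {attribute_id: [values]}}, i.e. the bags a designator sees."""
    bags = {}
    for attrs in ET.fromstring(xml_text).findall(f"{{{NS}}}Attributes"):
        cat = bags.setdefault(attrs.get("Category"), {})
        for attr in attrs.findall(f"{{{NS}}}Attribute"):
            bag = cat.setdefault(attr.get("AttributeId"), [])
            bag.extend(v.text or "" for v in attr.findall(f"{{{NS}}}AttributeValue"))
    return bags

def bag(bags, category, attr_id):
    """The bag for (category, id), or None when the request does not carry it."""
    return bags.get(category, {}).get(attr_id)

def rule_permit_filter(bags):
    """permit-filter: Target action-id == filter; Condition string-subset(RESOURCE_ACCESS, SUBJECT_ACCESS)."""
    if "filter" not in (bag(bags, CAT_ACTION, ACTION_ID) or []):
        return "NotApplicable"
    resource = bag(bags, CAT_RESOURCE, "RESOURCE_ACCESS")
    subject = bag(bags, CAT_SUBJECT, "SUBJECT_ACCESS")
    if resource is None or subject is None:
        return "Indeterminate"  # both designators are MustBePresent="true"
    # Every marking on the metacard must be held by the subject: subset, not overlap.
    return "Permit" if set(resource) <= set(subject) else "NotApplicable"

def rule_permit_action(bags):
    """permit-action: query needs CountryOfCitizenship ATA; LocalSiteName is open to all."""
    action = bag(bags, CAT_ACTION, ACTION_ID) or []
    country = bag(bags, CAT_SUBJECT, COUNTRY_ID) or []  # MustBePresent="false"
    if "LocalSiteName" in action or ("query" in action and "ATA" in country):
        return "Permit"
    return "NotApplicable"

def rule_deny_read(bags):
    """deny-read has neither Target nor Condition, so it always applies."""
    return "Deny"

def evaluate(xml_text):
    """Decision for one Request under permit-overrides (simplified: Permit wins,
    then any Indeterminate taints the result, then Deny)."""
    bags = parse_request(xml_text)
    action = bag(bags, CAT_ACTION, ACTION_ID)
    if action is None:
        return "Indeterminate"  # the policy Target designator is MustBePresent="true"
    if not any(a in action for a in ("filter", "query", "LocalSiteName")):
        return "NotApplicable"
    results = [rule(bags) for rule in (rule_permit_filter, rule_permit_action, rule_deny_read)]
    return next((d for d in ("Permit", "Indeterminate", "Deny") if d in results), "NotApplicable")

def decide(action, claims, permissions=None):
    """Build the request for a subject/metacard pair, then evaluate it."""
    return evaluate(build_request(action, claims, permissions or {}))

# Constructed sample subject modelled on the page's requests (not a real user).
SUBJECT_ATA = {
    "urn:oasis:names:tc:xacml:1.0:subject:subject-id": ["Test User"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role": ["users", "admin"],
    "SUBJECT_ACCESS": ["A", "B"],
    COUNTRY_ID: ["ATA"],
}
SUBJECT_USA = {**SUBJECT_ATA, COUNTRY_ID: ["USA"]}

if __name__ == "__main__":
    print("query by ATA citizen   :", decide("query", SUBJECT_ATA))
    print("query by USA citizen   :", decide("query", SUBJECT_USA))
    print("filter, markings A,B,C :", decide("filter", SUBJECT_ATA, {"RESOURCE_ACCESS": ["A", "B", "C"]}))
```

Two points worth checking in any policy written for this realm. First, the argument order of string-subset matters: RESOURCE_ACCESS first means the subject must hold every marking on the metacard; swapping the designators would let a subject with fewer markings than the resource pass the condition. Second, a rule whose condition is false yields NotApplicable rather than Deny, so it is the catch-all deny-read rule that turns "no Permit rule matched" into a Deny for in-scope actions; the PEP should still treat Indeterminate and NotApplicable exactly like Deny.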


Service Authorization


Allowed Query

Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">query</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">B</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testuser1</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://www.opm.gov/feddata/CountryOfCitizenship" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ATA</AttributeValue>
		</Attribute>
	</Attributes>
</Request>
Response
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
	<Result>
		<Decision>Permit</Decision>
		<Status>
			<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
		</Status>
	</Result>
</Response>

Denied Query

Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">query</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User USA</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">B</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testuser1</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://www.opm.gov/feddata/CountryOfCitizenship" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">USA</AttributeValue>
		</Attribute>
	</Attributes>
</Request>
Response
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
	<Result>
		<Decision>Deny</Decision>
		<Status>
			<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
		</Status>
	</Result>
</Response>

Metacard Authorization

Subject Permitted

All of the resource's RESOURCE_ACCESS attributes were matched by the subject's SUBJECT_ACCESS attributes.

Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">filter</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testuser1</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">B</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://www.opm.gov/feddata/CountryOfCitizenship" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ATA</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
		<Attribute AttributeId="RESOURCE_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
	</Attributes>
</Request>
Response
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
	<Result>
		<Decision>Deny</Decision>
		<Status>
			<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
		</Status>
	</Result>
</Response>

Subject Denied

The resource had an additional RESOURCE_ACCESS attribute 'C' that the subject did not have.

Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">filter</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
		<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">users</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Test User</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testuser1</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
		<Attribute AttributeId="SUBJECT_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">B</AttributeValue>
		</Attribute>
		<Attribute AttributeId="http://www.opm.gov/feddata/CountryOfCitizenship" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ATA</AttributeValue>
		</Attribute>
	</Attributes>
	<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
		<Attribute AttributeId="RESOURCE_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue>
		</Attribute>
		<Attribute AttributeId="RESOURCE_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">B</AttributeValue>
		</Attribute>
		<Attribute AttributeId="RESOURCE_ACCESS" IncludeInResult="false">
			<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">C</AttributeValue>
		</Attribute>
	</Attributes>
</Request>
Response
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
	<Result>
		<Decision>Deny</Decision>
		<Status>
			<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
		</Status>
	</Result>
</Response>