没有合适的资源?快使用搜索试试~ 我知道了~
温馨提示
试读
21页
OASIS XACML TC, Committee Draft. Version 01. 13-February-2004. Document identifier: 'cs-xacml-rbac-profile-01'. Edited by Anne Anderson (Sun Microsystems). Produced by the OASIS Extensible Access Control Markup Language TC. See the Minutes of the 5 February 2004 XACML TC Meeting at which the TC voted to make the XACML RBAC Profile a Committee Draft.
资源推荐
资源详情
资源评论
XACML Profile for Role Based Access
Control (RBAC)
Committee Draft 01, 13 February 2004
Document identifier:
cs-xacml-rbac-profile-01
Location:
http://docs.oasis-open.org/xacml/cd-xacml-rbac-profile-01.pdf
Editor:
Anne Anderson, Sun Microsystems (anne.anderson@sun.com)
Abstract:
This specification defines a profile for the use of XACML in expressing policies that use role
based access control (RBAC).
Status:
This version of the specification has been approved as an OASIS Committee Draft.
Committee members should send comments on this specification to the xacml@lists.oasis-
open.org list. Others should subscribe to and send comments to the xacml-
comment@lists.oasis-open.org list. To subscribe, send an email message to xacml-comment-
request@lists.oasis-open.org with the word "subscribe" as the body of the message.
For information on whether any patents have been disclosed that may be essential to
implementing this specification, and any offers of patent licensing terms, please refer to the
Intellectual Property Rights section of the XACML TC web page (http://www.oasis-
open.org/committees/xacml/).
For any errata page for this specification, please refer to the XACML RBAC Profile section of the
XACML TC web page (http://www.oasis-open.org/committees/xacml/).
cd-xacml-rbac-profile-01 13 February 2004
Copyright © OASIS Open 2004. All Rights Reserved. Page 1 of 21
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Table of Contents
1 Introduction (non-normative)................................... ................................................................................3
1.1 Notation............................................................................................................................................3
1.2 Terminology......................................................................................................................................3
1.3 Role..................................................................................................................................................4
1.4 Policies.............................................................................................................................................4
1.5 Multi-Role Permissions.....................................................................................................................5
2 Example (non-normative).................................................. ......................................................................6
2.1 Permission <PolicySet> for the manager role..................................................................................6
2.2 Permission <PolicySet> for employee role.......................................................................................7
2.3 Role <PolicySet> for the manager role............................................................................................8
2.4 Role <PolicySet> for employee role..................................................................................................8
3 Assigning and Enabling Role Attributes (non-normative)........................................................................ 9
4 Implementing the RBAC Model (non-normative)...................................................................................12
4.1 Core RBAC.....................................................................................................................................12
4.2 Hierarchical RBAC............................................................. ............................................................ 13
4.3 Separation of Duty..........................................................................................................................13
5 Profile (normative).................................................................................................................................16
5.1 Role Assignment or Enablement.....................................................................................................16
5.2 Access Control...............................................................................................................................16
6 References............................................................................................................................................17
6.1 Normative References....................................................................................................................17
6.2 Non-normative References........................... ...................................................... ........................... 17
cd-xacml-rbac-profile-01 13 February 2004
Copyright © OASIS Open 2004. All Rights Reserved. Page 2 of 21
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
1 Introduction (non-normative)
This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language
(XACML) [XACML]to meet the requirements for role based access control (RBAC) as specified in
[RBAC]. Use of this Profile requires no changes or extensions to standard XACML Versions 1.0 or 1.1.
This specification begins with a non-normative explanation of the building blocks from which the RBAC
solution is constructed. A full example illustrates these building blocks. The specification then discusses
how these building blocks may be used to implement the various elements of the RBAC model
presented in [RBAC]. Finally, the normative section of the specification describes compliant uses of the
building blocks in implementing an RBAC solution.
This proposal assumes the reader is somewhat familiar with XACML. A brief overview sufficient to
understand these examples is available in [XACMLIntro]. An introduction to the RBAC model is available
in [RBACIntro].
1.1 Notation
In order to improve readability, the examples in this profile assume use of the following XML Internal
Entity declarations:
^lt;!ENTITY xacml "urn:oasis:names:tc:xacml:1.0:">
^lt;!ENTITY xml "http://www.w3.org/2001/XMLSchema#">
^lt;!ENTITY rule-combine
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:">
^lt;!ENTITY policy-combine
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:">
^lt;!ENTITY function "urn:oasis:names:tc:xacml:1.0:function:">
^lt;!ENTITY subject-category
"urn:oasis:names:tc:xacml:1.0:subject-category:">
^lt;!ENTITY subject "urn:oasis:names:tc:xacml:1.0:subject:">
^lt;!ENTITY resource "urn:oasis:names:tc:xacml:1.0:resource:">
^lt;!ENTITY action "urn:oasis:names:tc:xacml:1.0:action:">
^lt;!ENTITY environment "urn:oasis:names:tc:xacml:1.0:environment:">
For example, &xml;#string is equivalent to http://www.w3.org/2001/XMLSchema#string.
1.2 Terminology
The key words must, must not, required, shall, shall not, should, should not, recommended, may, and
optional in this document are to be interpreted as described in IETF RFC 2119 [RFC2119].
attribute - In this Profile, the term “attribute” refers to an XACML <Attribute>. An XACML
<Attribute> is an element in an XACML Request having among its components an attribute name
identifier, a data type identifier, and an attribute value. Each <Attribute> is associated either with
one of the subjects (Subject Attribute), the protected resource (Resource Attribute), the action to be
taken on the resource (Action Attribute), or the environment of the Request (Environment Attribute).
Attributes are referenced in a policy by using an <AttributeSelector> (an XPath expression) or one
of the following: <SubjectAttributeDesignator>, <ResourceAttributeDesignator>,
<ActionAttributeDesignator>, or <EnvironmentAttributeDesignator>.
junior role – In a role hierarchy, Role A is junior to Role B if Role B inherits all the permissions
associated with Role A.
multi-role permissions – a set of permissions for which a user must hold more than one role
simultaneously in order to gain access.
PDP - Policy Decision Point. An entity that evaluates an access request against one or more policies to
produce an access decision.
permission – the ability or right to perform some action on some resource, possibly only under certain
specified conditions.
cd-xacml-rbac-profile-01 13 February 2004
Copyright © OASIS Open 2004. All Rights Reserved. Page 3 of 21
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
PPS – Permission <PolicySet>. See Section 1.4 Policies.
RBAC – Role based access control. A model for controlling access to resources where permitted
actions on resources are identified with roles rather than with individual subject identities.
RPS – Role <PolicySet>. See Section 1.4 Policies.
role – A job function within the context of an organization that has associated semantics regarding the
authority and responsibility conferred on the user assigned to the role [RBAC].
senior role – In a role hierarchy, Role A is senior to Role B if Role A inherits all the permissions
associated with Role B.
policy – A set of rules indicating which subjects are permitted to access which resources using which
actions under which conditions.
1.3 Role
In this specification, roles are expressed as XACML Subject Attributes. There is one exception: in a Role
Assignment <PolicySet> or <Policy>, the role appears as a Resource Attribute. See Section 3:
Assigning and Enabling Role Attributes for more information.
Role attributes may be expressed in either of two ways, depending on the preferences of the application
environment. In some environments there may be a small number of “role attributes”, where the name
of each such attribute is some name indicating “role”, and where the value of each such attribute
indicates the name of the role held. For example, in this first type of environment, there may be one “role
attribute” having the identifier urn:someapp:attributes:role. The possible roles are values for
this one attribute, and might be officer, manager, and employee. This way of expressing roles
works best with the XACML way of expressing policies.
Alternatively, in other application environments, there may be a number of different attribute identifiers,
each indicating a different role. For example, in this second type of environment, there might be three
attribute identifiers: urn:someapp:attributes:officer-role,
urn:someapp:attributes:manager-role, and urn:someapp:attributes:employee-role.
In this case the value of the attribute may be empty or it may contain various parameters associated with
the role. XACML policies can handle roles expressed in this way, but not as naturally as in the first way.
XACML supports multiple subjects per access request, indicating various entities that may be involved in
making the request. For example, there is usually a human user who initiates the request, at least
indirectly. There are usually one or more applications or code bases that generate the actual low-level
request on behalf of the user. There is some computing device on which the application or code base is
executing, and this device may have an identity such an IP address. XACML identifies each such
Subject with a SubjectCategory xml attribute that indicates the type of subject being described. For
example, the human user has a SubjectCategory of &subject-category;access-subject;
(this is the default category); the application that generates the access request has a
SubjectCategory of &subject-category;codebase; and so on. In this Profile, a role
attribute may be associated with any of the categories of subjects involved in making an access request.
1.4 Policies
In this Profile, there are four types of policies.
1. Role <PolicySet> or RPS : a <PolicySet> that associates holders of a given role attribute with a
Permission <PolicySet> that contains the actual permissions associated with the given role. The
<Target> element of a Role <PolicySet> limits the applicability of the <PolicySet> to subjects
holding the given role attribute. Each Role <PolicySet> references a single corresponding
Permission <PolicySet> but does not contain any other <Policy> or <PolicySet> elements.
2. Permission <PolicySet> or PPS: a <PolicySet> that contains the actual permissions associated
with a given role. It contains <Policy> elements and <Rules> that describe the resources and
actions that subjects are permitted to access, along with any further conditions on that access, such
as time of day. A given Permission <PolicySet> may also contain references to Permission
cd-xacml-rbac-profile-01 13 February 2004
Copyright © OASIS Open 2004. All Rights Reserved. Page 4 of 21
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
<PolicySet>s associated with other roles that are junior to the given role, thereby allowing the
given Permission <PolicySet> to inherit all permissions associated with the role of the referenced
Permission <PolicySet>. The <Target> element of a Permission <PolicySet> must not limit
the subjects to which the <PolicySet> is applicable.
3. Separation of Duty <PolicySet>: a <PolicySet> that defines restrictions on the set of roles that
can be exercised by a given Subject. Such a <PolicySet> contains <Policy> and <Rule>
elements that specify the role set restrictions. The Separation of Duty <PolicySet> also contains
references to all the Role <PolicySet> instances that are subject to Separation of Duty restrictions.
Use of a Separation of Duty <PolicySet> is optional.
4. Role Assignment <Policy> or <PolicySet>: a <Policy> or <PolicySet> that defines which
roles can be enabled or assigned to which subjects. It may also specify restrictions on combinations
of roles or total number of roles assigned to or enabled for a given subject. This type of policy is used
by the entity that assigns role attributes to users or by the entity that enables role attributes during a
user's session. Use of a Role Assignment <Policy> or <PolicySet> is optional.
Permission <PolicySet> instances must be stored in the policy repository in such a way that they can
never be used as the initial policy for an XACML PDP; Permission <PolicySet> instances must be
reachable only through the corresponding Role <PolicySet>. This is because, in order to support
hierarchical roles, a Permission <PolicySet> must be applicable to every subject. The Permission
<PolicySet> depends on its corresponding Role <PolicySet> to ensure that only subjects holding
the corresponding role attribute will gain access to the permissions in the given Permission
<PolicySet>.
If a Separation of Duty <PolicySet> is used, then Role <PolicySet> instances also must be stored
in the policy repository in such a way that they can never be used as the initial policy for an XACML
PDP. In this case, Role <PolicySet> instances must be reachable only through the Separation of
Duty <PolicySet>.
Use of separate Role <PolicySet> and Permission <PolicySet> instances allows support for
Hierarchical RBAC, where a more senior role can acquire the permissions of a more junior role. A
Permission <PolicySet> that does not reference other Permission <PolicySet> elements could
actually be an XACML <Policy> rather than a <PolicySet>. Requiring it to be a <PolicySet>,
however, allows its associated role to become part of a role hierarchy at a later time without requiring
any change to other policies.
1.5 Multi-Role Permissions
In this Profile, it is possible to express policies where a user must hold several roles simultaneously in
order to gain access to certain permissions. For example, changing the care instructions for a hospital
patient may require that the Subject performing the action have both the physician role and the staff
role.
These policies may be expressed using a Role <PolicySet> where the <Target> element requires
the Subject to have all necessary role attributes. This is done by using a single <Subject> element
containing multiple <SubjectMatch> elements. The associated Permission <PolicySet> should
specify the permissions associated with Subjects who simultaneously have all the specified roles
enabled.
The Permission <PolicySet> associated with a multi-role policy may reference the Permission
<PolicySet> instances associated with other roles, and thus may inherit permissions from other roles.
The permissions associated with a given multi-role <PolicySet> may also be inherited by another role
if the other role includes a reference to the Permission <PolicySet> associated with the multi-role
policy in its own Permission <PolicySet>.
cd-xacml-rbac-profile-01 13 February 2004
Copyright © OASIS Open 2004. All Rights Reserved. Page 5 of 21
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
剩余20页未读,继续阅读
资源评论
etongtec
- 粉丝: 1
- 资源: 2
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功