XACMLProfileforRoleBasedAccess资源-CSDN文库

需积分: 9 10 浏览量 2010-01-11 20:00:50 上传评论收藏 240KB PDF 举报

资源推荐

资源详情

资源评论

XACML Profile for Role Based Access

Control (RBAC)

Committee Draft 01, 13 February 2004

Document identifier:

cs-xacml-rbac-profile-01

Location:

http://docs.oasis-open.org/xacml/cd-xacml-rbac-profile-01.pdf

Editor:

Anne Anderson, Sun Microsystems (anne.anderson@sun.com)

Abstract:

This specification defines a profile for the use of XACML in expressing policies that use role

based access control (RBAC).

Status:

This version of the specification has been approved as an OASIS Committee Draft.

Committee members should send comments on this specification to the xacml@lists.oasis-

open.org list. Others should subscribe to and send comments to the xacml-

comment@lists.oasis-open.org list. To subscribe, send an email message to xacml-comment-

request@lists.oasis-open.org with the word "subscribe" as the body of the message.

For information on whether any patents have been disclosed that may be essential to

implementing this specification, and any offers of patent licensing terms, please refer to the

Intellectual Property Rights section of the XACML TC web page (http://www.oasis-

open.org/committees/xacml/).

For any errata page for this specification, please refer to the XACML RBAC Profile section of the

XACML TC web page (http://www.oasis-open.org/committees/xacml/).

cd-xacml-rbac-profile-01 13 February 2004

Table of Contents

1 Introduction (non-normative)................................... ................................................................................3

1.1 Notation............................................................................................................................................3

1.2 Terminology......................................................................................................................................3

1.3 Role..................................................................................................................................................4

1.4 Policies.............................................................................................................................................4

1.5 Multi-Role Permissions.....................................................................................................................5

2 Example (non-normative).................................................. ......................................................................6

2.1 Permission <PolicySet> for the manager role..................................................................................6

2.2 Permission <PolicySet> for employee role.......................................................................................7

2.3 Role <PolicySet> for the manager role............................................................................................8

2.4 Role <PolicySet> for employee role..................................................................................................8

3 Assigning and Enabling Role Attributes (non-normative)........................................................................ 9

4 Implementing the RBAC Model (non-normative)...................................................................................12

4.1 Core RBAC.....................................................................................................................................12

4.2 Hierarchical RBAC............................................................. ............................................................ 13

4.3 Separation of Duty..........................................................................................................................13

5 Profile (normative).................................................................................................................................16

5.1 Role Assignment or Enablement.....................................................................................................16

5.2 Access Control...............................................................................................................................16

6 References............................................................................................................................................17

6.1 Normative References....................................................................................................................17

6.2 Non-normative References........................... ...................................................... ........................... 17

cd-xacml-rbac-profile-01 13 February 2004

1 Introduction (non-normative)

This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language

(XACML) [XACML]to meet the requirements for role based access control (RBAC) as specified in

[RBAC]. Use of this Profile requires no changes or extensions to standard XACML Versions 1.0 or 1.1.

This specification begins with a non-normative explanation of the building blocks from which the RBAC

solution is constructed. A full example illustrates these building blocks. The specification then discusses

how these building blocks may be used to implement the various elements of the RBAC model

presented in [RBAC]. Finally, the normative section of the specification describes compliant uses of the

building blocks in implementing an RBAC solution.

This proposal assumes the reader is somewhat familiar with XACML. A brief overview sufficient to

understand these examples is available in [XACMLIntro]. An introduction to the RBAC model is available

in [RBACIntro].

1.1 Notation

In order to improve readability, the examples in this profile assume use of the following XML Internal

Entity declarations:

^lt;!ENTITY xacml "urn:oasis:names:tc:xacml:1.0:">

^lt;!ENTITY xml "http://www.w3.org/2001/XMLSchema#">

^lt;!ENTITY rule-combine

"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:">

^lt;!ENTITY policy-combine

"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:">

^lt;!ENTITY function "urn:oasis:names:tc:xacml:1.0:function:">

^lt;!ENTITY subject-category

"urn:oasis:names:tc:xacml:1.0:subject-category:">

^lt;!ENTITY subject "urn:oasis:names:tc:xacml:1.0:subject:">

^lt;!ENTITY resource "urn:oasis:names:tc:xacml:1.0:resource:">

^lt;!ENTITY action "urn:oasis:names:tc:xacml:1.0:action:">

^lt;!ENTITY environment "urn:oasis:names:tc:xacml:1.0:environment:">

For example, &xml;#string is equivalent to http://www.w3.org/2001/XMLSchema#string.

1.2 Terminology

The key words must, must not, required, shall, shall not, should, should not, recommended, may, and

optional in this document are to be interpreted as described in IETF RFC 2119 [RFC2119].

attribute - In this Profile, the term “attribute” refers to an XACML <Attribute>. An XACML

<Attribute> is an element in an XACML Request having among its components an attribute name

identifier, a data type identifier, and an attribute value. Each <Attribute> is associated either with

one of the subjects (Subject Attribute), the protected resource (Resource Attribute), the action to be

taken on the resource (Action Attribute), or the environment of the Request (Environment Attribute).

Attributes are referenced in a policy by using an <AttributeSelector> (an XPath expression) or one

of the following: <SubjectAttributeDesignator>, <ResourceAttributeDesignator>,

<ActionAttributeDesignator>, or <EnvironmentAttributeDesignator>.

junior role – In a role hierarchy, Role A is junior to Role B if Role B inherits all the permissions

associated with Role A.

multi-role permissions – a set of permissions for which a user must hold more than one role

simultaneously in order to gain access.

PDP - Policy Decision Point. An entity that evaluates an access request against one or more policies to

produce an access decision.

permission – the ability or right to perform some action on some resource, possibly only under certain

specified conditions.

cd-xacml-rbac-profile-01 13 February 2004

PPS – Permission <PolicySet>. See Section 1.4 Policies.

RBAC – Role based access control. A model for controlling access to resources where permitted

actions on resources are identified with roles rather than with individual subject identities.

RPS – Role <PolicySet>. See Section 1.4 Policies.

role – A job function within the context of an organization that has associated semantics regarding the

authority and responsibility conferred on the user assigned to the role [RBAC].

senior role – In a role hierarchy, Role A is senior to Role B if Role A inherits all the permissions

associated with Role B.

policy – A set of rules indicating which subjects are permitted to access which resources using which

actions under which conditions.

1.3 Role

In this specification, roles are expressed as XACML Subject Attributes. There is one exception: in a Role

Assignment <PolicySet> or <Policy>, the role appears as a Resource Attribute. See Section 3:

Assigning and Enabling Role Attributes for more information.

Role attributes may be expressed in either of two ways, depending on the preferences of the application

environment. In some environments there may be a small number of “role attributes”, where the name

of each such attribute is some name indicating “role”, and where the value of each such attribute

indicates the name of the role held. For example, in this first type of environment, there may be one “role

attribute” having the identifier urn:someapp:attributes:role. The possible roles are values for

this one attribute, and might be officer, manager, and employee. This way of expressing roles

works best with the XACML way of expressing policies.

Alternatively, in other application environments, there may be a number of different attribute identifiers,

each indicating a different role. For example, in this second type of environment, there might be three

attribute identifiers: urn:someapp:attributes:officer-role,

urn:someapp:attributes:manager-role, and urn:someapp:attributes:employee-role.

In this case the value of the attribute may be empty or it may contain various parameters associated with

the role. XACML policies can handle roles expressed in this way, but not as naturally as in the first way.

XACML supports multiple subjects per access request, indicating various entities that may be involved in

making the request. For example, there is usually a human user who initiates the request, at least

indirectly. There are usually one or more applications or code bases that generate the actual low-level

request on behalf of the user. There is some computing device on which the application or code base is

executing, and this device may have an identity such an IP address. XACML identifies each such

Subject with a SubjectCategory xml attribute that indicates the type of subject being described. For

example, the human user has a SubjectCategory of &subject-category;access-subject;

(this is the default category); the application that generates the access request has a

SubjectCategory of &subject-category;codebase; and so on. In this Profile, a role

attribute may be associated with any of the categories of subjects involved in making an access request.

1.4 Policies

In this Profile, there are four types of policies.

1. Role <PolicySet> or RPS : a <PolicySet> that associates holders of a given role attribute with a

Permission <PolicySet> that contains the actual permissions associated with the given role. The

<Target> element of a Role <PolicySet> limits the applicability of the <PolicySet> to subjects

holding the given role attribute. Each Role <PolicySet> references a single corresponding

Permission <PolicySet> but does not contain any other <Policy> or <PolicySet> elements.

2. Permission <PolicySet> or PPS: a <PolicySet> that contains the actual permissions associated

with a given role. It contains <Policy> elements and <Rules> that describe the resources and

actions that subjects are permitted to access, along with any further conditions on that access, such

as time of day. A given Permission <PolicySet> may also contain references to Permission

cd-xacml-rbac-profile-01 13 February 2004

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

<PolicySet>s associated with other roles that are junior to the given role, thereby allowing the

given Permission <PolicySet> to inherit all permissions associated with the role of the referenced

Permission <PolicySet>. The <Target> element of a Permission <PolicySet> must not limit

the subjects to which the <PolicySet> is applicable.

3. Separation of Duty <PolicySet>: a <PolicySet> that defines restrictions on the set of roles that

can be exercised by a given Subject. Such a <PolicySet> contains <Policy> and <Rule>

elements that specify the role set restrictions. The Separation of Duty <PolicySet> also contains

references to all the Role <PolicySet> instances that are subject to Separation of Duty restrictions.

Use of a Separation of Duty <PolicySet> is optional.

4. Role Assignment <Policy> or <PolicySet>: a <Policy> or <PolicySet> that defines which

roles can be enabled or assigned to which subjects. It may also specify restrictions on combinations

of roles or total number of roles assigned to or enabled for a given subject. This type of policy is used

by the entity that assigns role attributes to users or by the entity that enables role attributes during a

user's session. Use of a Role Assignment <Policy> or <PolicySet> is optional.

Permission <PolicySet> instances must be stored in the policy repository in such a way that they can

never be used as the initial policy for an XACML PDP; Permission <PolicySet> instances must be

reachable only through the corresponding Role <PolicySet>. This is because, in order to support

hierarchical roles, a Permission <PolicySet> must be applicable to every subject. The Permission

<PolicySet> depends on its corresponding Role <PolicySet> to ensure that only subjects holding

the corresponding role attribute will gain access to the permissions in the given Permission

<PolicySet>.

If a Separation of Duty <PolicySet> is used, then Role <PolicySet> instances also must be stored

in the policy repository in such a way that they can never be used as the initial policy for an XACML

PDP. In this case, Role <PolicySet> instances must be reachable only through the Separation of

Duty <PolicySet>.

Use of separate Role <PolicySet> and Permission <PolicySet> instances allows support for

Hierarchical RBAC, where a more senior role can acquire the permissions of a more junior role. A

Permission <PolicySet> that does not reference other Permission <PolicySet> elements could

actually be an XACML <Policy> rather than a <PolicySet>. Requiring it to be a <PolicySet>,

however, allows its associated role to become part of a role hierarchy at a later time without requiring

any change to other policies.

1.5 Multi-Role Permissions

In this Profile, it is possible to express policies where a user must hold several roles simultaneously in

order to gain access to certain permissions. For example, changing the care instructions for a hospital

patient may require that the Subject performing the action have both the physician role and the staff

role.

These policies may be expressed using a Role <PolicySet> where the <Target> element requires

the Subject to have all necessary role attributes. This is done by using a single <Subject> element

containing multiple <SubjectMatch> elements. The associated Permission <PolicySet> should

specify the permissions associated with Subjects who simultaneously have all the specified roles

enabled.

The Permission <PolicySet> associated with a multi-role policy may reference the Permission

<PolicySet> instances associated with other roles, and thus may inherit permissions from other roles.

The permissions associated with a given multi-role <PolicySet> may also be inherited by another role

if the other role includes a reference to the Permission <PolicySet> associated with the multi-role

policy in its own Permission <PolicySet>.

cd-xacml-rbac-profile-01 13 February 2004

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

剩余20页未读，继续阅读

评论收藏

内容反馈

etongtec

粉丝: 1
资源: 2

XACML Profile for Role Based Access

XACML策略语言规范

access_control-xacml-2.0-core-spec-os

XACML Learning Tool-开源

w3c系列教程

XACML实例和中文说明文档

wolf:Wolf is an authentication and authorization system based on Role-Based Access Control (RBAC) for http applications or http restful apis. Wolf是一个基于基于角色访问控制（RBAC）的认证和授权系统，适用于http应用或http restful api

权限管理、Role Based Access Control(RBAC)基于角色的权限控制-cnesa.zip

Role-Based-Access-Control:使用Spring MVC的RAC实施

Role-Based Access Controls.pdf

Artech House Role Based Access Control

Automatic XACML Requests Generation for Testing Access Control Policies

access_control-xacml-2.0-core-spec-os (XACML规范 英文) 及源码

xacml简介和优点

sun's xacml

Userspace Role Based Access Control-开源

一个基于角色的权限管理系统（RABC）Role Based Access Control.zip

A New Role-Based Access Control Model Using Attribute Certificate

A Temporal Role-Based Access Control Model

XACML3.0Java库

SAML v2 and XACML v2 Integration

xacml 3.0 源码

Xacml.rar_XACML_clearhistory.r_sunxacml_xacml ja

XACML V3.0

论文研究-基于XACML的RBAC授权机制 .pdf

XACML.rar_XACML

Task-activity based access control for process collaboration environments

xacml-3.0-core-spec-en翻译汇总.docx

论文研究-基于XACML的访问控制模型在CAS中的应用 .pdf

NIST SP800-178.pdf

最新资源

access_control-xacml-2.0-core-spec-os (XACML规范英文) 及源码