SlideShare a Scribd company logo

OpenID AuthZEN ALFA PEP-PDP Prior Art

Download as PPTX, PDF
David Brossard
David Brossard

An overview of the ALFA Abbreviated Language for Authorization and how it accepts authorization requests and produces authorization decisions that are returned to a client.

Technology
1 of 19
1 axiomatics.com OpenID AuthZEN Prior Art ALFA - Abbreviated Language for Authorization David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/
2 axiomatics.com axiomatics.com TL;DR; There’s an OpenAPI specification for the interfaces I am about to cover. 👉GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
3 axiomatics.com axiomatics.com Background • ALFA is first and foremost a policy language • ALFA follows NIST’s ABAC special publication o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC • ALFA is based on XACML o It uses a lightweight syntax similar to Java • ALFA leverages the JSON Profile of XACML to send/receive authorization requests o JSON Profile of XACML 3.0 Version 1.1 • The JSON Profile of XACML references the REST Profile of XACML for the actual transport o REST Profile of XACML v3.0 Version 1.0 • The transport part (HTTP…) is entirely decoupled from the request/response format. o They’re 2 different specs (see above)
4 axiomatics.com axiomatics.com Use Cases ALFA supports the same authorization use cases as XACML: • Binary authorization request o Can Alice view Document #1? o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️ • Batch authorization requests o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3? o 3x3x3 decisions are returned o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0 • ⚠️Notably, ALFA (and XACML) does not support partial evaluation/search o This is something vendors have had to build themselves o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation
5 axiomatics.com axiomatics.com Attributes are the core elements of an authorization request • ALFA is entirely attribute-based o Therefore, an authorization request is (nearly exclusively) made up of attributes • An attribute is made up of o A category e.g. subject o A datatype e.g. string o An identifier (a urn) e.g. com.acme.user.name • Attributes can be multi-valued o citizenship can contain multiple values e.g. Swiss and Swedish • ALFA supports o 4 default categories: subject, action, resource, and environment – ✅This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/) • ALFA is extensible o You can add categories and datatypes if you so desire o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers, dates)
6 axiomatics.com axiomatics.com Authorization Request UML Diagram 💗
7 axiomatics.com {"Request": { "AccessSubject": [{"Attribute": [ {"AttributeId":"axiomatics.demo.user.userId","Value":["Alice Anderson"]} ] }], "Resource": [{"Attribute": [ {"AttributeId":"axiomatics.demo.resourceType","Value":"record"}, {"AttributeId":"axiomatics.demo.record.recordId","Value":"123"} ] }], "Action": [{"Attribute": [ {"AttributeId":"axiomatics.demo.actionId","Value":"view"} ] }] } Can Alice Anderson view record 123? Sample Authorization Request Each category is an array of attributes An attribute in its simplest form is a key-value pair A request is an array of categories.
8 axiomatics.com Generic Form: Can Dave view record 125? Sample Authorization Request {"Request": { "Category": [ {"CategoryId":"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "Attribute": [{"AttributeId": "user.employeeId","Value": "Dave"}]}, {"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:action", "Attribute": [{"AttributeId": "action.actionId","Value": "view"}]}, {"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "Attribute": [ {"AttributeId": "object.objectType","Value": "record"}, {"AttributeId": "record.recordId","Value": "125"}]} ] } }
9 axiomatics.com axiomatics.com Authorization Response UML Diagram 💗
10 axiomatics.com axiomatics.com Features of the Authorization Response • The response contains an array of results (to be able to support the Multiple Decision Profile) • Each result contains o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️ o An optional status that can be used to convey errors e.g. missing attributes or division by zero o An optional array of obligations and advice o An optional array of attributes and their values used in the decision making process o An optional array of identifiers pointing to the policies used in the evaluation process
11 axiomatics.com axiomatics.com Additional Features • An Authorization Request can ask the PDP to return the identifiers of the policies evaluated o ReturnPolicyIdList – type boolean; default value is false – This is useful to trace an evaluation or understand which policy triggered the eventual decision o CombinedDecision – type boolean; default value is false – In the event of a Multiple Decision Request e.g. “Can Alice view and/or edit document #123”, rather than the PDP returning 2 decisions (Permit, Deny), those decisions can be combined into a single one. • Policies can contain obligations & advice which are additional statements that may be returned alongside a decision e.g. o Permit + obligation to use MFA o It’s on the PEP to comply with the obligation
12 axiomatics.com axiomatics.com Sample Authorization Responses {"Response": [ { "Decision": "Permit" } ]} {"Response": [ { "Decision": "Deny", "PolicyIdentifierList": { "PolicyIdReference": [ {"Id": "viewRecords.employeesViewRecords","Version": "1.0"} ], "PolicySetIdReference": [ {"Id": "mainRecords.viewRecords","Version": "1.0"}, {"Id": "tutorial.main","Version": "1.0"} ] } } ]} The simplest kind of response. Note it’s an array A sample response with policy identifiers
13 axiomatics.com axiomatics.com Sample Authorization Response with Obligations {"Response": [{ "Decision": "Deny", "AssociatedAdvice": [ { "Id": "tutorial.denyMessage", "AttributeAssignment": [ { "AttributeId": "message.denyReason", "Value": "Sorry, Dave, you can't do that because you do not have a role", "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", } ] } ] }]} This response contains additional statements called obligations
14 axiomatics.com axiomatics.com Simplifications • Datatypes that can be inferred from JSON e.g. String, integer, double, boolean do not need to be specified • Some fields that are mandatory in XACML are optional in the JSON representation and have a default value o E.g. XPathVersion (not very useful in a JSON world)
15 axiomatics.com axiomatics.com Features ALFA does not have by design • You cannot ask the PDP to only consider a subset of policies o It is not up to the requester to decide what applies to them • You cannot send the PDP a policy to execute o It is configured beforehand through different means (see PAP-PDP) • As previously mentioned, no ‘search’ or partial evaluation o Vendors e.g. Axiomatics have implemented their own approach No, you don’t get to tell me what the law is. You cannot ride a wooden horse on I-401
16 axiomatics.com axiomatics.com Things that could be simplified (and that AuthZEN should do) • Let’s fully drop features and parameters that are really only meaningful in XACML but not in ALFA or in modern-day XMLless worlds • Let’s support 2 decisions only: Permit and Deny
17 axiomatics.com axiomatics.com Extending the JSON Profile to support Search • Essentially, the same request structure could be used. • One would have to add the desired decision, typically Permit o What can Alice do? o Give me the list of items Alice can delete • Standardizing the request is straightforward o Standardizing the response is harder o Is it a filter? o Is it the list of items?
18 axiomatics.com axiomatics.com References • JSON Profile of XACML 3.0 Version 1.1 • REST Profile of XACML v3.0 Version 1.0 • XACML v3.0 Multiple Decision Profile Version 1.0 • ALFA - the Abbreviated Language for Authorization • Sample Requests - Postman Collection
19 axiomatics.com Thank you

Recommended

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
David Brossard
 
Open Source Compliance Automation Capability Map
Open Source Compliance Automation Capability MapOpen Source Compliance Automation Capability Map
Open Source Compliance Automation Capability Map
Shane Coughlan
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
Maksym Bruner
 
HDP Next: Governance
HDP Next: GovernanceHDP Next: Governance
HDP Next: Governance
DataWorks Summit
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
BIOVIA
 
Data Governance Initiative
Data Governance InitiativeData Governance Initiative
Data Governance Initiative
DataWorks Summit
 
Amazon s3
Amazon s3Amazon s3
Amazon s3
android-vish
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 

Recommended

Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
Internet Identity Workshop IIW 2023 - Introduction to ALFA Authorization Lang...
David Brossard
 
Open Source Compliance Automation Capability Map
Open Source Compliance Automation Capability MapOpen Source Compliance Automation Capability Map
Open Source Compliance Automation Capability Map
Shane Coughlan
 
REST Api Tips and Tricks
REST Api Tips and TricksREST Api Tips and Tricks
REST Api Tips and Tricks
Maksym Bruner
 
HDP Next: Governance
HDP Next: GovernanceHDP Next: Governance
HDP Next: Governance
DataWorks Summit
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
BIOVIA
 
Data Governance Initiative
Data Governance InitiativeData Governance Initiative
Data Governance Initiative
DataWorks Summit
 
Amazon s3
Amazon s3Amazon s3
Amazon s3
android-vish
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
gemziebeth
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debate
Restlet
 
Restful webservice
Restful webserviceRestful webservice
Restful webservice
Dong Ngoc
 
Solr/Elasticsearch for CF Developers (and others)
Solr/Elasticsearch for CF Developers (and others)Solr/Elasticsearch for CF Developers (and others)
Solr/Elasticsearch for CF Developers (and others)
Mary Jo Sminkey
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
Sitaraman Lakshminarayanan
 
Pega overview
Pega overviewPega overview
Pega overview
Ashock Roy
 
Pega | pega Bpm Training
Pega | pega Bpm TrainingPega | pega Bpm Training
Pega | pega Bpm Training
Pega Bpm Training Tutorials
 
What is rules in pega
What is rules in pegaWhat is rules in pega
What is rules in pega
Pega Bpm Training Tutorials
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management world
Red Hat
 
REST - Why, When and How? at AMIS25
REST - Why, When and How? at AMIS25REST - Why, When and How? at AMIS25
REST - Why, When and How? at AMIS25
Jon Petter Hjulstad
 
Design API using RAML - basics
Design API using RAML - basicsDesign API using RAML - basics
Design API using RAML - basics
kunal vishe
 
Introduction to Solr
Introduction to SolrIntroduction to Solr
Introduction to Solr
Erik Hatcher
 
E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)
Predix
 
Mule soft RAML API Designing
Mule soft RAML API DesigningMule soft RAML API Designing
Mule soft RAML API Designing
Raja Reddy
 
Introduction to Solr
Introduction to SolrIntroduction to Solr
Introduction to Solr
Erik Hatcher
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1
aspyker
 
Open Badge Directory [Cycle 1]
Open Badge Directory [Cycle 1]Open Badge Directory [Cycle 1]
Open Badge Directory [Cycle 1]
Open Badges
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
n|u - The Open Security Community
 
Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access control
Narendra Kumar
 
aip-workshop1-dev-tutorial
aip-workshop1-dev-tutorialaip-workshop1-dev-tutorial
aip-workshop1-dev-tutorial
Matthew Vaughn
 
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
David Brossard
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
David Brossard
 

More Related Content

Similar to OpenID AuthZEN ALFA PEP-PDP Prior Art

Introduction to Solr
Introduction to SolrIntroduction to Solr
Introduction to Solr
Erik Hatcher
 
E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)
Predix
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1
aspyker
 

Similar to OpenID AuthZEN ALFA PEP-PDP Prior Art (20)

Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & RestoreLadies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
Ladies Be Architects - Integration - Multi-Org, Security, JSON, Backup & Restore
 
The never-ending REST API design debate
The never-ending REST API design debateThe never-ending REST API design debate
The never-ending REST API design debate
 
Restful webservice
Restful webserviceRestful webservice
Restful webservice
 
Solr/Elasticsearch for CF Developers (and others)
Solr/Elasticsearch for CF Developers (and others)Solr/Elasticsearch for CF Developers (and others)
Solr/Elasticsearch for CF Developers (and others)
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
Pega overview
Pega overviewPega overview
Pega overview
 
Pega | pega Bpm Training
Pega | pega Bpm TrainingPega | pega Bpm Training
Pega | pega Bpm Training
 
What is rules in pega
What is rules in pegaWhat is rules in pega
What is rules in pega
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management world
 
REST - Why, When and How? at AMIS25
REST - Why, When and How? at AMIS25REST - Why, When and How? at AMIS25
REST - Why, When and How? at AMIS25
 
Design API using RAML - basics
Design API using RAML - basicsDesign API using RAML - basics
Design API using RAML - basics
 
Introduction to Solr
Introduction to SolrIntroduction to Solr
Introduction to Solr
 
E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)E5: Predix Security with ACS & UAA (Predix Transform 2016)
E5: Predix Security with ACS & UAA (Predix Transform 2016)
 
Mule soft RAML API Designing
Mule soft RAML API DesigningMule soft RAML API Designing
Mule soft RAML API Designing
 
Introduction to Solr
Introduction to SolrIntroduction to Solr
Introduction to Solr
 
Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1Netflix OSS Meetup Season 5 Episode 1
Netflix OSS Meetup Season 5 Episode 1
 
Open Badge Directory [Cycle 1]
Open Badge Directory [Cycle 1]Open Badge Directory [Cycle 1]
Open Badge Directory [Cycle 1]
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Attribute based access control
Attribute based access controlAttribute based access control
Attribute based access control
 
aip-workshop1-dev-tutorial
aip-workshop1-dev-tutorialaip-workshop1-dev-tutorial
aip-workshop1-dev-tutorial
 

More from David Brossard

Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
David Brossard
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you are
David Brossard
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
David Brossard
 

More from David Brossard (16)

Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
Policies, Graphs or Relationships - A Modern Approach to Fine-Grained Authori...
 
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
ABAC, ReBAC, Zanzibar, ALFA… How Should I Implement AuthZ in My APIs - Nordi...
 
The Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with AuthorizationThe Holy Grail of IAM: Getting to Grips with Authorization
The Holy Grail of IAM: Getting to Grips with Authorization
 
OpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG UpdateOpenID Foundation AuthZEN WG Update
OpenID Foundation AuthZEN WG Update
 
Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...Policy enabling your services - using elastic dynamic authorization to contro...
Policy enabling your services - using elastic dynamic authorization to contro...
 
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
Updates from the OASIS XACML Technical Committee - Making Authorization Devel...
 
To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...To the cloud and beyond: delivering policy-driven authorization for cloud app...
To the cloud and beyond: delivering policy-driven authorization for cloud app...
 
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
OWASP Chicago 2016 - What is Attribute Based Access Control (ABAC)?
 
Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...Why lasagna is better than spaghetti: baking authorization into your applicat...
Why lasagna is better than spaghetti: baking authorization into your applicat...
 
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by DesignEIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
EIC 2014 Oasis Workshop: Using XACML to implement Privacy by Design
 
Fine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACMLFine grained access control for cloud-based services using ABAC and XACML
Fine grained access control for cloud-based services using ABAC and XACML
 
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
OASIS Workshop: Identity, Privacy, and Data Protection in the Cloud – What is...
 
Authorization - it's not just about who you are
Authorization - it's not just about who you areAuthorization - it's not just about who you are
Authorization - it's not just about who you are
 
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
XACML in five minutes: excerpt from Catalyst 2013 panel "New school identity ...
 
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
XACML for Developers - Updates, New Tools, & Patterns for the Eager #IAM Deve...
 
XACML - Fight For Your Love
XACML - Fight For Your LoveXACML - Fight For Your Love
XACML - Fight For Your Love
 

Recently uploaded

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
DianaGray10
 

Recently uploaded (20)

Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Navigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern EnterpriseNavigating Identity and Access Management in the Modern Enterprise
Navigating Identity and Access Management in the Modern Enterprise
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

OpenID AuthZEN ALFA PEP-PDP Prior Art

  • 1. 1 axiomatics.com OpenID AuthZEN Prior Art ALFA - Abbreviated Language for Authorization David Brossard, January 2024 | https://www.linkedin.com/company/axiomatics/ | https://www.linkedin.com/in/davidbrossard/
  • 2. 2 axiomatics.com axiomatics.com TL;DR; There’s an OpenAPI specification for the interfaces I am about to cover. 👉GitHub - axiomatics/xacml-3.0-authz-service-openapi-spec
  • 3. 3 axiomatics.com axiomatics.com Background • ALFA is first and foremost a policy language • ALFA follows NIST’s ABAC special publication o SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations | CSRC • ALFA is based on XACML o It uses a lightweight syntax similar to Java • ALFA leverages the JSON Profile of XACML to send/receive authorization requests o JSON Profile of XACML 3.0 Version 1.1 • The JSON Profile of XACML references the REST Profile of XACML for the actual transport o REST Profile of XACML v3.0 Version 1.0 • The transport part (HTTP…) is entirely decoupled from the request/response format. o They’re 2 different specs (see above)
  • 4. 4 axiomatics.com axiomatics.com Use Cases ALFA supports the same authorization use cases as XACML: • Binary authorization request o Can Alice view Document #1? o Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️ • Batch authorization requests o Can Alice, Bob, and Carol view, edit, or delete documents #1, 2, 3? o 3x3x3 decisions are returned o Batch requests are specified in another profile called the Multiple Decision Profile Version 1.0 • ⚠️Notably, ALFA (and XACML) does not support partial evaluation/search o This is something vendors have had to build themselves o Axiomatics has a proprietary API called Reverse Query that implements partial evaluation
  • 5. 5 axiomatics.com axiomatics.com Attributes are the core elements of an authorization request • ALFA is entirely attribute-based o Therefore, an authorization request is (nearly exclusively) made up of attributes • An attribute is made up of o A category e.g. subject o A datatype e.g. string o An identifier (a urn) e.g. com.acme.user.name • Attributes can be multi-valued o citizenship can contain multiple values e.g. Swiss and Swedish • ALFA supports o 4 default categories: subject, action, resource, and environment – ✅This corresponds to Cedar’s PARC model and AuthZEN’s current subject/resource/action proposal o A dozen standard datatypes (see https://alfa.guide/alfa-datatypes/) • ALFA is extensible o You can add categories and datatypes if you so desire o In practice, users stick to subject/action/resource/environment and basic datatypes (string, boolean, numbers, dates)
  • 8. 8 axiomatics.com Generic Form: Can Dave view record 125? Sample Authorization Request {"Request": { "Category": [ {"CategoryId":"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "Attribute": [{"AttributeId": "user.employeeId","Value": "Dave"}]}, {"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:action", "Attribute": [{"AttributeId": "action.actionId","Value": "view"}]}, {"CategoryId":"urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "Attribute": [ {"AttributeId": "object.objectType","Value": "record"}, {"AttributeId": "record.recordId","Value": "125"}]} ] } }
  • 10. 10 axiomatics.com axiomatics.com Features of the Authorization Response • The response contains an array of results (to be able to support the Multiple Decision Profile) • Each result contains o One of 4 possible decisions: Permit ✅/Deny❌/NotApplicable❔/Indeterminate ⚠️ o An optional status that can be used to convey errors e.g. missing attributes or division by zero o An optional array of obligations and advice o An optional array of attributes and their values used in the decision making process o An optional array of identifiers pointing to the policies used in the evaluation process
  • 11. 11 axiomatics.com axiomatics.com Additional Features • An Authorization Request can ask the PDP to return the identifiers of the policies evaluated o ReturnPolicyIdList – type boolean; default value is false – This is useful to trace an evaluation or understand which policy triggered the eventual decision o CombinedDecision – type boolean; default value is false – In the event of a Multiple Decision Request e.g. “Can Alice view and/or edit document #123”, rather than the PDP returning 2 decisions (Permit, Deny), those decisions can be combined into a single one. • Policies can contain obligations & advice which are additional statements that may be returned alongside a decision e.g. o Permit + obligation to use MFA o It’s on the PEP to comply with the obligation
  • 12. 12 axiomatics.com axiomatics.com Sample Authorization Responses {"Response": [ { "Decision": "Permit" } ]} {"Response": [ { "Decision": "Deny", "PolicyIdentifierList": { "PolicyIdReference": [ {"Id": "viewRecords.employeesViewRecords","Version": "1.0"} ], "PolicySetIdReference": [ {"Id": "mainRecords.viewRecords","Version": "1.0"}, {"Id": "tutorial.main","Version": "1.0"} ] } } ]} The simplest kind of response. Note it’s an array A sample response with policy identifiers
  • 13. 13 axiomatics.com axiomatics.com Sample Authorization Response with Obligations {"Response": [{ "Decision": "Deny", "AssociatedAdvice": [ { "Id": "tutorial.denyMessage", "AttributeAssignment": [ { "AttributeId": "message.denyReason", "Value": "Sorry, Dave, you can't do that because you do not have a role", "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment", } ] } ] }]} This response contains additional statements called obligations
  • 14. 14 axiomatics.com axiomatics.com Simplifications • Datatypes that can be inferred from JSON e.g. String, integer, double, boolean do not need to be specified • Some fields that are mandatory in XACML are optional in the JSON representation and have a default value o E.g. XPathVersion (not very useful in a JSON world)
  • 15. 15 axiomatics.com axiomatics.com Features ALFA does not have by design • You cannot ask the PDP to only consider a subset of policies o It is not up to the requester to decide what applies to them • You cannot send the PDP a policy to execute o It is configured beforehand through different means (see PAP-PDP) • As previously mentioned, no ‘search’ or partial evaluation o Vendors e.g. Axiomatics have implemented their own approach No, you don’t get to tell me what the law is. You cannot ride a wooden horse on I-401
  • 16. 16 axiomatics.com axiomatics.com Things that could be simplified (and that AuthZEN should do) • Let’s fully drop features and parameters that are really only meaningful in XACML but not in ALFA or in modern-day XMLless worlds • Let’s support 2 decisions only: Permit and Deny
  • 17. 17 axiomatics.com axiomatics.com Extending the JSON Profile to support Search • Essentially, the same request structure could be used. • One would have to add the desired decision, typically Permit o What can Alice do? o Give me the list of items Alice can delete • Standardizing the request is straightforward o Standardizing the response is harder o Is it a filter? o Is it the list of items?
  • 18. 18 axiomatics.com axiomatics.com References • JSON Profile of XACML 3.0 Version 1.1 • REST Profile of XACML v3.0 Version 1.0 • XACML v3.0 Multiple Decision Profile Version 1.0 • ALFA - the Abbreviated Language for Authorization • Sample Requests - Postman Collection