One issue that I have with XACML is that there is no obvious way to address the most common customer authorization problem - data security. Most of the customers that I've met with over the past three years who were in the market for a fine-grained entitlements solution, were looking to address this issue. Basically, they had a large number of resources - customers, accounts, deals, documents etc. and they wanted to externalize the authorization.
XACML answers "Can this user perform this action on this resource?". Customers want to know "What resources can a user perform this action on?".
Why externalize to something like XACML in the first place? Don't the systems of record of these objects have access control? Of course they do, but there are a number of reasons why customers aren't using the OOTB authorization.
- Granularity - RBAC models are not fine grained enough to meet the business requirements
- Heterogeneity - In many cases there isn't a single SOR for the data. The data is virtualized so externalization is essential to consistency.
- System Accounts - Many of the access control models are tied to the user accessing the data source. In many cases, an application uses a single system account, so the OOTB authorization would be tied to that user. This means you can define the behavior per application, not per user (I guess this is a variation of granularity)
Oracle VPD (Virtual Private Database) and the RLS (Row Level Security) package uses an approach which I think can be used as a model for solving these types of use cases. Essentially when configured, the RLS returns a WHERE clause which the database then applies to the query.
Generically, the model is as follows:
- Data Access Object (DAO) receives request (getCustomers for Josh)
- DAO PEP intercepts the request and calls the PDP (can Josh getCustomers?)
- PDP evaluates policies and returns response ( Yes, but only in dept 1234)
- DAO PEP enforces the decision by modify the search criteria (getCustomers WHERE dept=1234)
- Query is processed by SOR and result is returned
Conceptually, the authorization system is returning a list of filters (attribute-operator-value) and delegating the responsibility of applying those filters to the data source. The PEP can then translate the filters into an appropriate language specific (SQL, LDAP, XPath, XQuery) expression.
Do you think this approach can work with XACML as is or is there a need for XACML to do something different?