herokuxacmlauthzforce

Implement geo XACML using Authzforce and host it on heroku


I'm completely new to both the topics. Can someone help me with step by step tutorials to implement them? An alternative to both of them can also be suggested.


Solution

  • I've reviewed your question and your comments throughout this thread. I understand you are new to XACML altogether. With that in mind, I will seek to elevate your understanding of XACML and how to integrate GeoXACML or generally implement geographical constraints in your policy in my answer.

    Understanding XACML

    The XACML policy language is as expressive as a natural language. For example, consider the following sentence:

    Jane Doe wants to view a confidential document at work during regular business hours.

    A sentence like this includes four grammatical building blocks:

    – a subject

    – an action

    – a resource

    – the environment in which the request is made

    Each of these “building blocks” can be described using attributes.

    To create the authorization policies for an organization, you will want to collect the requirements from the individuals responsible for defining information security policies.

    Next you would take the policies provided by the personnel responsible for authorization policies and identify the attributes.

    We typically look at defining:

    For more information on implementing ABAC in an organization, please check out the blog post I wrote on my employer's website here: https://www.axiomatics.com/blog/intro-to-attribute-based-access-control-abac/

    I also have an article on my personal blog based on a StackOverflow question, "How to authorize specific resources based on users who created those in REST, using annotations?". The answer provides another good overview of XACML and ABAC in general.

    Regarding GeoXACML and geographical constraints in general

    I'm not sure of your exact use case, but I want to mention that ipAddress is a data type in XACML, in case it is suitable for your use case (i.e. your systems encounter ip addresses that are not routed through VPNs or other ip obfuscating methods, etc.). The list of data types can be found here: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html.

    I'm not aware of any software that offers GeoXACML out of the box with an enterprise grade XACML implementation. What we can offer here at Axiomatics - my employer - is to extend our software, Axiomatics Policy Server, for you to include GeoXACML or even other geographical features to your taste. (Note: When my colleague David Brossard was suggesting in an above comment that you "try Axiomatics PS," it stood for Axiomatics Policy Server.)

    The "X" in XACML stands for extensible. And, indeed, the model is extensible enough to offer the flexibility that is required to perform such actions.

    The XACML Core Specification version 3.0 actually has a section named XACML extension points, which list all the points where the XACML model and schema can be extended with new semantic. The extension points are:

    You can follow up with any questions here on StackOverflow or through the contact pages on the provided websites.

    Best, Michael