Click here to close now.

Welcome!

Security Authors: Adam Vincent, Liz McMillan, Elizabeth White, PagerDuty Blog, Peter Silva

Related Topics: Java, MICROSERVICES, .NET, Security

Java: Article

Externalizing Fine-Grained Authorization from Applications

An Entitlements Server allows enterprises to externalize fine-grained authorization from an application’s logic

The recent spike in insider threats, coupled with a rise in compliance considerations, has forced organizations to ensure only authorized users access sensitive application functionality and data. Historically, user entitlements or authorization logic has been embedded inside an application. For example, if the user of an application meets specific conditions, such as a specific role, access to that application function will be granted at runtime. But if the definition of specific authorization conditions changes over time, then the application developer needs to modify the application's source code, test, and re-deploy the application.

Suppose a homegrown portal application must present a sensitive piece of customer information such as a Social Security Number (SSN) when a service representative views a customer's profile. It is determined that in order to ensure compliance with various privacy regulations, only directors and senior managers may be able to view a customer's SSN. A decision has to be dynamically made whenever the application must show an SSN as to whether the current user may view the actual data or some default value (e.g., "XXX-XX-XXXX"). The decision must take into account the user's job title. A dozen parts of the application that can display a customer's SSN mean a dozen places for this business logic to be applied.

Now assume that the policy needs to be changed after the application has been in production for some time. The business has determined that senior managers in California may not view an SSN. This is an exceptional situation that requires another piece of information to be considered as part of the entitlement decision. But what if we take the example even further? Suppose that only directors above a certain salary grade can view SSNs. Now the entitlement logic has been split into multiple decisions based on runtime attributes. So the business logic must be adapted.

You can see that authorization or entitlement policies evolve very differently from application requirements. Having the entitlement logic "hard wired" into the business logic means changing code each time there is a policy change. A lot of organizations also outsource their application development, which means often times they don't own the code that handles the business logic directly. This can lead to further inefficiencies and delays in deploying changes in policies. If we keep the entitlement policies outside of the application, they can be changed without modifying the application.

In this article, we explore a new approach designed to externalize user entitlements from applications through the use of a dedicated access control solution for the application tier. Externalized entitlements mean separating fine-grained authorization logic from business logic. One benefit of this is transparency; the entitlements are now understandable and measurable beyond the context of the application. This is important so that a company may review their entitlement policies for completeness and accuracy against corporate standards.

Roles and Entitlements
Authentication is about validating a user's identity through the use of credentials such as a password, a security card, or a digital certificate. Authorization (or "access control") is the ability to provide an authenticated user access to specific operations of an application.

Authorization is based on the concept of a "role." A role defines what a user is entitled to do. For example, a user in a "broker" role is entitled to transact goods on behalf of others. A role can have qualifying attributes (e.g., seniority, ranking) and can support constraints (e.g., a broker may only start transactions under specific circumstances). Based on his/her role, a user is granted access to specific resources necessary to fill that role.

There are two main kinds of roles: Applications Roles and External Roles. An Applications Role is a collection of users, groups, and other Application Roles; it can be assigned to an enterprise user, group, or External Role in an identity store, or another Application Role in the policy store (see Figure 1). An External Role is the same as an Enterprise Role or Enterprise Group; it's typically implemented as an LDAP group in the identity store.

Application Roles can be many-to-many mapped to External Roles. For example, the external group "employee" (stored in an LDAP-based identity store) can be mapped to the Application Role "customer_support_member" defined in one application and to the Application Role "IT_member" defined in another application.

An Entitlement groups related resources, possibly of different types, needed to perform a business function. In effect, an Entitlement is a reusable collection of access rights that can be granted to multiple principals (users or applications such as web services).

Role-Based and Attribute-Based Access Control
Role-Based Access Control or RBAC, originally defined by NIST [1], formalizes a reference model for controlling access to resources where permissions are not directly associated to users but are defined in roles. The RBAC standard specifies a core set (administrative and system functions) and additional functionality including role hierarchies, constraints, and separation of duty (i.e., "defining a role" and "assigning a role" are separated).

Enterprise RBAC extends RBAC principles to enterprise roles. In addition, Attribute-Based Access Control (ABAC), a natural evolution of RBAC, uses attributes (e.g., social security number or IP address) to define access control rules and access requests (XACML [2] is an example of an ABAC framework). An ABAC policy specifies one or more claims that need to be satisfied before a user is granted access, for example, the user must be a certain age.

Fine-Grained Authorization Model
In a typical XACML-based authorization model, the administrator first defines policies at the Policy Administration Point (PAP), essentially a console allowing policy definition, selection, and attachment. Then attempted access to a protected resource (for example a web service request) is intercepted by a Policy Enforcement Point (PEP), which parses the request and leverages a Policy Decision Point (PDP) to determine whether the request should be granted or denied. The PEP / PDP combination relies on a Policy Information Point (PIP), generally a user directory, to fetch information relevant to the requester for the policy evaluation and policy decision process.

All the access control information required to make the application secure is separate from the application logic and is persisted as modifiable metadata (mostly XML files) packaged with the application.

Fine-Grained Authorization Solutions
A centralized access control solution offers the reuse of authentication and authorization services as well as easier reporting for compliance and regulatory requirements, allowing administrators to control multiple applications through a higher level of granularity.

Java Enterprise Edition (Java EE) application servers provide container security including authorization based on roles. Developers can isolate security code from their business logic and delegate security to the application server infrastructure. However, application server authorization doesn't scale well to the fine-grained access control needs of multiple enterprise applications. A dedicated fine-grained authorization engine is required to complement the functionality provided by the application server.

Introducing Entitlements Server Technology
As previously noted, entitlements are a corollary of roles: being in a specific role entitles you to specific resources. Entitlements are tied to the application as they drive runtime permissions.

Entitlements management enables organizations to define granular access controls for their users based on the attributes of the user, the resource, and the context of the request.

An Entitlements Server is a standalone fine-grained authorization application that allows an organization to protect its resources by defining and managing policies that control access to, and usage of, these resources. Access privileges are defined in a policy by specifying who can do what to which resource, when it can be done, and how. The policy can enforce controls on all types of resources including software components (e.g., URLs, servlets, JavaServer Pages [JSPs], or EJBs used to construct an application), and business objects (e.g., representations of user accounts, personal profiles and contracts such as bank accounts in a banking application, patient records in a health care application, or anything used to define a business relationship).

An Entitlements Server supports the creation of role policies and access control policies. Role policies are used to define constraints regarding which users are assigned roles. Access control policies define access to the software components and business objects mentioned earlier.

An Entitlements Server typically performs the following functionality:

  • Separates security decision making from application logic.
  • Distributes policies from the PAP to the PDPs.
  • Caches policies and authorization decisions for performance.
  • Updates security policies at runtime.
  • Offers a flexible architecture that supports both embedded and remote PDPs (for centralized or distributed policy decisions).
  • Audits all access decisions and management operations.
  • Supports the XACML request / response protocol for authorization inquiries by a client application.
  • Integrates with existing security and identity management systems by leveraging enterprise data in relational databases and LDAP directories.

An Entitlements Server comprises centralized policy management with centralized or distributed policy decision-making. The architecture of an Entitlements Server is based on the interaction model of entities presented in the XACML specifications.

Entitlements Server Components
A typical Entitlements Server implements the XACML-based authorization model described earlier, including a PAP, which makes rules and policies available to the PDP in order for that entity to reach a grant or deny decision for a request to access the protected resource. The PAP generally includes an administration console, management application programming interfaces (APIs) dealing with resource and role catalogs, authorization and role- mapping policies, as well as management command-line utilities.

When the Entitlements Server is deployed, a PDP receives a request for authorization, evaluates the request based on applicable policies, reaches a decision and returns the decision to the PEP, the entity thatfirst made the authorization call. The PDP can also retrieve additional subject, resource, action, and environment attributes from a Policy Information Point to add contextual information to the request.

The PEP is a software component that intercepts the request to the protected application, passes it to the PDP and enforces the security decision returned from the PDP (the PDP may also return information with the decision [referred to as an "obligation"] that allows that decision to be enforced within a particular context). The PEP component can be the protected application itself or a "security module."

The Entitlements Server may offer two types of security modules. One type acts purely as a PDP by receiving requests and reaching decisions. The other type combines the PDP and PEP functionality. Security modules can accommodate various operating environments such as Java and Microsoft .NET applications.

The Attribute Authorities component illustrated in Figure 1 is in effect the PIP. Attribute retrievers are available for LDAP and relational database data sources.

Advanced Entitlements Servers implement the PEP Decision API, a part of the OpenAZ framework [3]. The OpenAZ package provides access from a PEP to a remote or embedded PDP.

Entitlements Server Policies
An Entitlements Server may support the creation of authorization policies and mapping policies. An Authorization Policy is created to return a decision ("grant" or "deny") as a result of a request for access to a protected target resource. The decision is based on the profile of the requesting principal (e.g., a user). An Authorization Policy is applicable to a request for access if the parameters in the request match those specified in the policy.

Consider this policy syntax:

GRANT the Support_Manager_East role MODIFY access to the Incidents servlet if the request is made from an IP address of 100.100.20.20

This Authorization Policy grants any user that is a member of the Support_Manager_East role access to the Incidents servlet for the purpose of modifying it. The policy is also constrained by a condition: the request must be made from IP address 100.100.20.20. Thus, if the parameters in the request match the parameters in the policy, and the request is made from IP address 100.100.20.20, the request is granted, otherwise the policy is ignored.

A Role Mapping Policy allows you to dynamically assign (grant) role membership to a user or dynamically deny (revoke) role membership from a user. A Role Mapping Policy defines which users or External Roles are mapped to an Authorization Policy. Role Mapping Policies are written to define which subjects (user and external roles) are assigned to the applicable role. They may also include conditions, i.e., constraints that must be evaluated to true for the policy to be included in the authorization decision.

Consider the following policy syntax:

GRANT the Employee group Application Role Support_Manager_East if the request is made from an IP address of 100.100.20.20

This policy grants the Application Role Support_Manager_East to any user that is a member of the group Employee. The policy is constrained by a condition: the request must be made from IP address 100.100.20.20. Thus, if the parameters in the request match the parameters in the Role Mapping Policy, and the request is made from IP address 100.100.20.20, the Application Role is granted otherwise the Role Mapping Policy is ignored.

Conclusion
An Entitlements Server allows enterprises to externalize fine-grained authorization from an application's logic, thus allowing developers to focus on business logic and leave fine-grained authorization decisions to security administrators.

References

  1. NIST: The National Institute of Standards and Technology (NIST) Computer Security Division (CSD) provides standards to protect information systems against threats to the confidentiality and integrity of corporate information.
  2. XACML: The Access Control Markup Language (XACML) describes a policy language (general access control requirements) and an access control decision request / response language. The RBAC Profile of XACML specification defines a profile for the use of XACML in expressing policies that use role-based access control (RBAC). In this case, RBAC "roles" are expressed as XACML Subject Attributes. For example, a specific XACML Permission PolicySet contains the permissions associated with the RBAC Manager role.
  3. OpenAZ: The Open Authorization API (OpenAZ) provides a standard interface between an application and a general authorization service. It also provides an effective way to enable authorization providers to plug in client-side authorization functionality.
  4. Oracle Entitlements Server: Oracle Entitlements Server (OES) is a fine-grained authorization management solution that externalizes and centralizes administration of enterprise entitlements, simplifies authorization policies, and enforces security decisions in distributed, heterogeneous applications.

More Stories By Marc Chanliau

Marc Chanliau has been in the software industry for more than 20 years and is currently a director of product management at Oracle where he is responsible for Identity Management solutions and innovations. He is heavily involved in security and XML standards groups including serving as the first chair person of the OASIS Security Services Technical Committee (SSTC), which culminated in the adoption of SAML as an official OASIS standard, participating on the WS-Security Technical Committee, helping to define the Liberty Alliance 2.0 specifications, and participating in the Java Specification Request (JSR) committee.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The list of ‘new paradigm’ technologies that now surrounds us appears to be at an all time high. From cloud computing and Big Data analytics to Bring Your Own Device (BYOD) and the Internet of Things (IoT), today we have to deal with what the industry likes to call ‘paradigm shifts’ at every level of IT. This is disruption; of course, we understand that – change is almost always disruptive.
SYS-CON Media announced today that 9 out of 10 " most read" DevOps articles are published by @DevOpsSummit Blog. Launched in October 2014, @DevOpsSummit Blog offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce softw...
Wearable technology was dominant at this year’s International Consumer Electronics Show (CES) , and MWC was no exception to this trend. New versions of favorites, such as the Samsung Gear (three new products were released: the Gear 2, the Gear 2 Neo and the Gear Fit), shared the limelight with new wearables like Pebble Time Steel (the new premium version of the company’s previously released smartwatch) and the LG Watch Urbane. The most dramatic difference at MWC was an emphasis on presenting wearables as fashion accessories and moving away from the original clunky technology associated with t...
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on Twitter at @MicroservicesE
SYS-CON Events announced today that Site24x7, the cloud infrastructure monitoring service, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Site24x7 is a cloud infrastructure monitoring service that helps monitor the uptime and performance of websites, online applications, servers, mobile websites and custom APIs. The monitoring is done from 50+ locations across the world and from various wireless carriers, thus providing a global perspective of the end-user experience. Site24x7 supports monitoring H...
After making a doctor’s appointment via your mobile device, you receive a calendar invite. The day of your appointment, you get a reminder with the doctor’s location and contact information. As you enter the doctor’s exam room, the medical team is equipped with the latest tablet containing your medical history – he or she makes real time updates to your medical file. At the end of your visit, you receive an electronic prescription to your preferred pharmacy and can schedule your next appointment.
The WebRTC Summit 2014 New York, to be held June 9-11, 2015, at the Javits Center in New York, NY, announces that its Call for Papers is open. Topics include all aspects of improving IT delivery by eliminating waste through automated business models leveraging cloud technologies. WebRTC Summit is co-located with 16th International Cloud Expo, @ThingsExpo, Big Data Expo, and DevOps Summit.
SYS-CON Events announced today that SafeLogic has been named “Bag Sponsor” of SYS-CON's 16th International Cloud Expo® New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. SafeLogic provides security products for applications in mobile and server/appliance environments. SafeLogic’s flagship product CryptoComply is a FIPS 140-2 validated cryptographic engine designed to secure data on servers, workstations, appliances, mobile devices, and in the Cloud.
@ThingsExpo has been named the Top 5 Most Influential M2M Brand by Onalytica in the ‘Machine to Machine: Top 100 Influencers and Brands.' Onalytica analyzed the online debate on M2M by looking at over 85,000 tweets to provide the most influential individuals and brands that drive the discussion. According to Onalytica the "analysis showed a very engaged community with a lot of interactive tweets. The M2M discussion seems to be more fragmented and driven by some of the major brands present in the M2M space. This really allows some room for influential individuals to create more high value inter...
SYS-CON Events announced today the IoT Bootcamp – Jumpstart Your IoT Strategy, being held June 9–10, 2015, in conjunction with 16th Cloud Expo and Internet of @ThingsExpo at the Javits Center in New York City. This is your chance to jumpstart your IoT strategy. Combined with real-world scenarios and use cases, the IoT Bootcamp is not just based on presentations but includes hands-on demos and walkthroughs. We will introduce you to a variety of Do-It-Yourself IoT platforms including Arduino, Raspberry Pi, BeagleBone, Spark and Intel Edison. You will also get an overview of cloud technologies s...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
SOA Software has changed its name to Akana. With roots in Web Services and SOA Governance, Akana has established itself as a leader in API Management and is expanding into cloud integration as an alternative to the traditional heavyweight enterprise service bus (ESB). The company recently announced that it achieved more than 90% year-over-year growth. As Akana, the company now addresses the evolution and diversification of SOA, unifying security, management, and DevOps across SOA, APIs, microservices, and more.
The Open Compute Project is a collective effort by Facebook and a number of players in the datacenter industry to bring lessons learned from the social media giant's giant IT deployment to the rest of the world. Datacenters account for 3% of global electricity consumption – about the same as all of Switzerland or the Czech Republic -- according to people I met at the recent Open Compute Summit in San Jose. With increasing mobility at the edge of the cloud and vast new dataflows being predicted with the growth of the Internet of Things (and The Coming Age of Many Zettabytes) in the near...
GENBAND has announced that SageNet is leveraging the Nuvia platform to deliver Unified Communications as a Service (UCaaS) to its large base of retail and enterprise customers. Nuvia’s cloud-based solution provides SageNet’s customers with a full suite of business communications and collaboration tools. Two large national SageNet retail customers have recently signed up to deploy the Nuvia platform and the company will continue to sell the service to new and existing customers. Nuvia’s capabilities include HD voice, video, multimedia messaging, mobility, conferencing, Web collaboration, deskt...
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
15th Cloud Expo, which took place Nov. 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA, expanded the conference content of @ThingsExpo, Big Data Expo, and DevOps Summit to include two developer events. IBM held a Bluemix Developer Playground on November 5 and ElasticBox held a Hackathon on November 6. Both events took place on the expo floor. The Bluemix Developer Playground, for developers of all levels, highlighted the ease of use of Bluemix, its services and functionality and provide short-term introductory projects that developers can complete between sessions.
SYS-CON Events announced today that robomq.io will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. robomq.io is an interoperable and composable platform that connects any device to any application. It helps systems integrators and the solution providers build new and innovative products and service for industries requiring monitoring or intelligence from devices and sensors.
Temasys has announced senior management additions to its team. Joining are David Holloway as Vice President of Commercial and Nadine Yap as Vice President of Product. Over the past 12 months Temasys has doubled in size as it adds new customers and expands the development of its Skylink platform. Skylink leads the charge to move WebRTC, traditionally seen as a desktop, browser based technology, to become a ubiquitous web communications technology on web and mobile, as well as Internet of Things compatible devices.
WebRTC is an up-and-coming standard that enables real-time voice and video to be directly embedded into browsers making the browser a primary user interface for communications and collaboration. WebRTC runs in a number of browsers today and is currently supported in over a billion installed browsers globally, across a range of platform OS and devices. Today, organizations that choose to deploy WebRTC applications and use a host machine that supports audio through USB or Bluetooth can use Plantronics products to connect and transit or receive the audio associated with the WebRTC session.
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...