eXtensible Access Control Markup Language (XACML) Flashcards

1
Q

What is XACML?

A

XACML is a standard developed by OASIS for access control. It is a language used to specify and enforce policies.

2
Q

How are access decisions made in XACML?

A

XACML bases decisions on attributes of the subjects, objects, and environment. Therefore, XACML is an attribute-based access control (ABAC) language.

3
Q

What is the policy set in XACML?

A

A policy set is a combination of different rules and policies.

4
Q

What is the main feature of XACML?

A

XACML can determine which policy applies for any one situation by examining the attributes of the subjects, objects, and the action to be taken on the object.

5
Q

What are the most important terms in XACML?

A

Policy Decision Point (PDP): The entity that evaluates the applicable policy and makes the final authorization decision.

Policy Enforcement Point (PEP): The system entity that performs access control by making queries to the PDP.

Policy Information Point (PIP): The system entity that acts as a source of attribute values.

Policy Administration Point (PAP): The system entity that creates and manages policies and policy sets.

Context handler: The system entity that converts decision requests and authorization decisions between the application format and the XACML form.

6
Q

What are obligations in XACML?

A

Obligations are simple directives sent from the policy decision point, along with the decision, to the policy enforcement point. An obligation tells the PEP what must occur before or after access is provided. An example of an obligation may be to provide an explanation if a request was denied, e.g., the prompt “Invalid password” on a failed login.

7
Q

What are the policy combining algorithms used in XACML?

A

Deny-overrides: If any of the applicable policies says that access should be denied, this overrides all other policies that would grant access. Access is only permitted if all applicable policies allow the action.

Permit-overrides: Allows access if even a single policy permits the action. The action will be denied if at least one policy denies access whilst the remaining policies are not applicable. If all policies are not applicable then the result is not applicable…

First one applicable: The decision will be based on the first applicable policy.

Only one applicable: If only one policy applies, then that policy decides the outcome. If there is more than one, the request is undecidable.
