XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0
Committee Specification 01
16 February 2015
Specification URIs
This version:
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/cs01/xacml-3.0-dlp-nac-v1.0-cs01.doc (Authoritative)
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/cs01/xacml-3.0-dlp-nac-v1.0-cs01.html
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/cs01/xacml-3.0-dlp-nac-v1.0-cs01.pdf
Previous version:
N/A
Latest version:
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.doc (Authoritative)
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html
http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.pdf
Technical Committee:
OASIS eXtensible Access Control Markup Language (XACML) TC
Chairs:
Bill Parducci (bill@parducci.net), Individual
Hal Lockhart (hal.lockhart@oracle.com), Oracle
Editors:
John Tolbert (john.tolbert@queraltinc.com), Queralt, Inc.
Richard Hill (richard.c.hill@boeing.com), The Boeing Company
Crystal Hayes (crystal.l.hayes@boeing.com), The Boeing Company
David Brossard (david.brossard@axiomatics.com), Axiomatics AB
Hal Lockhart (hal.lockhart@oracle.com), Oracle
Steven Legg (steven.legg@viewds.com), ViewDS
Related work:
This specification is related to:
Abstract:
This specification defines a profile for the use of XACML in expressing policies for data loss prevention and network access control tools and technologies. It defines standard attribute identifiers useful in such policies, and recommends attribute value ranges for certain attributes. It also defines several new functions for comparing IP addresses and DNS names, not provided in the XACML 3.0 core specification.
Status:
This document was last revised or approved by the OASIS eXtensible Access Control Markup Language (XACML) TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#technical.
TC members should send comments on this specification to the TC’s email list. Others should send comments to the TC’s public comment list, after subscribing to it by following the instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis-open.org/committees/xacml/.
For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (https://www.oasis-open.org/committees/xacml/ipr.php).
Citation format:
When referencing this specification the following citation format should be used:
[xacml-dlp-nac-v1.0]
XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0. Edited by John Tolbert, Richard Hill, Crystal Hayes, David Brossard, Hal Lockhart, and Steven Legg. 16 February 2015. OASIS Committee Specification 01. http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/cs01/xacml-3.0-dlp-nac-v1.0-cs01.html. Latest version: http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html.
Notices
Copyright © OASIS Open 2015. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.
Table of Contents
2.4 Recipient Subject Attributes
2.5 Requesting Machine Attributes
2.6 Recipient Machine Attributes
4.1.1 Prevent sensitive data from being read/modified by unauthorized users
4.1.2 Prevent sensitive data from being emailed to unauthorized users
4.1.3 Prevent sensitive data from being transferred via web-mail
4.1.4 Prevent sensitive data from being copied/printed from one computer to another
4.1.5 Prevent sensitive data from being transferred to removable media
4.1.6 Prevent sensitive data from being transferred to disallowed URLs
4.1.7 Prevent sensitive data from being copied from one resource to another
4.1.8 Prevent sensitive data from being read/modified by unauthorized applications
4.2.1 Prevent traffic flow between network resources, based on protocol
4.2.2 Restrict users to certain network resources, based on subject-id
5.1 IP Address and DNS Name Datatypes and Functions
{Non-normative}
This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language (XACML) [XACML3] to write and enforce policies to govern data loss prevention (DLP) tools and to provide access control for network resources. Use of this profile requires no changes or extensions to the [XACML3] standard.
This specification begins with a non-normative discussion of the topics and terms of interest in this profile. The normative section of the specification describes the attributes defined by this profile and provides recommended usage patterns for attribute values.
This specification assumes the reader is somewhat familiar with XACML. A brief overview sufficient to understand these examples is available in [XACMLIntro].
Enterprises have legal, regulatory, and business reasons to protect their information, as exemplified by contracts and by privacy, financial, and export regulations. Organizations interpret those legal agreements, regulations, and business rules to form security and information protection policies, expressed in natural languages. Business policies and regulations are then instantiated as machine-enforceable access control policies. Most organizations employ a variety of security software tools to enforce access control policies and monitor compliance. In many cases, each tool must be configured independently of the others, leading to duplicated effort and an increased risk of inconsistent implementations.
XACML-conformant access control systems provide scalable and consistent access control policy management, enforcement, and compliance for web services, web applications, and data objects in a variety of repositories. The XACML policy format and reference architecture can be extended to promote policy consistency and efficient administration in the following areas.
DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data-in-motion” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control policies at these locations to prevent unauthorized access to and unintended disclosure of sensitive data. If DLP systems standardized on the XACML policy format, enterprise policy authorities could use the same language to define access control policies for endpoints, networks, servers, applications, web services, and file repositories. The cost savings and improvements to security posture will be substantial.
Network Access Control (NAC) technologies enforce access control policies to restrict and regulate network traffic between routers, switches, firewalls, Virtual Private Network (VPN) devices, servers, and endpoint devices. Resources are commonly identified by Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, and Domain Name Service (DNS) names. Traffic flows between devices according to defined ports and protocols, which can be described, grouped, and used as attributes in access control policies.
XACML policy format is suitable for and should be used to create, enforce, and exchange policies between different DLP and NAC systems. Subject information, including a rich set of metadata about subjects, will be expressed as subject attributes. Data objects and network resources will be expressed as resource attributes. Requests made by subjects and traffic operations will be expressed as action attributes.
This profile serves as a framework of common data loss prevention and network resource attributes upon which access control policies can be written, and to promote federated authorization for access to data objects and network resources. This profile will also provide XACML software developers and access control policy authors guidance on supporting DLP and NAC use cases.
Attribute Based Access Control (ABAC)
ABAC is an access control methodology wherein subjects are granted access to resources based primarily upon attributes of the subjects, resources, actions, and environments identified in a particular request context. Attributes are characteristics of the elements above, which may be assigned by administrators and stored in Policy Information Points [XACML3], or may be ascertained by Policy Decision Points [XACML3] at runtime.
Data Loss Prevention (DLP)
DLP tools monitor “data-in-use” at endpoints (e.g., desktops, laptops, and mobile devices), “data-in-motion” on networks, and “data-at-rest” in storage systems. DLP tools enforce access control policies at these locations to prevent unauthorized access to and unintended disclosure of sensitive data.
Discretionary Access Control (DAC)
DAC is an access control methodology wherein subjects are granted access to resources based primarily upon attributes of the subjects. Administrators can assign access permissions, sometimes called entitlements, to groups, roles, and other attributes, which are then associated with specific subjects.
Mandatory Access Control (MAC)
MAC is an access control methodology wherein subjects obtain access to resources based on the evaluation of subject, resource, action, and environment attributes. Access requests typically include resource attributes such as visible labels and metadata tags, which convey information about the sensitivity of the associated resource.
Network Access Control (NAC)
NAC is an access control methodology wherein subjects obtain access to network-layer resources (routers, switches, and endpoints) based on the evaluation of subject, resource, action, and environment attributes. Subjects may include users and devices. Actions may include commonly defined services and protocols as well as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[RFC 3986] T. Berners-Lee, Uniform Resource Identifier (URI): Generic Syntax, http://www.rfc-editor.org/rfc/rfc3986.txt, IETF RFC 3986, January 2005
[XACML2] OASIS Standard, "eXtensible Access Control Markup Language (XACML) Version 2.0", February 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
[XACML1] OASIS Standard, "eXtensible Access Control Markup Language (XACML) Version 1.0", February 2003. http://www.oasis-open.org/committees/download.php/2406/oasis-xacml-1.0.pdf
[JSON] JSON Profile of XACML 3.0 Version 1.0. Edited by David Brossard. 15 May 2014. OASIS Committee Specification Draft 03 / Public Review Draft 03. http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/csprd03/xacml-json-http-v1.0-csprd03.html. Latest version: http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html.
[XACMLIntro] OASIS XACML TC, A Brief Introduction to XACML, 14 March 2003, http://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html
[ISO3166] ISO 3166 Maintenance agency (ISO 3166/MA), http://www.iso.org/iso/country_codes.htm
[DublinCore] Dublin Core Metadata Element Set, version 1.1. http://dublincore.org/documents/dces/
DLP and NAC tools are policy-driven enforcement systems. This profile defines standard XACML attributes for these DLP and NAC use cases, and recommends the adoption of standardized attribute values.
This generic use case encompasses many permutations of these attributes. Consider the nearly ubiquitous case where an administrator needs to limit the actions of users to certain groups for each action type. For example, Group 1 should be able to create data objects in the target location; group 2 should be able to edit data objects in the target location; groups 1, 2, and 3 should be able to read the contents without being able to edit them; and groups 1 and 4 should be able to delete the data objects. These policies must be enforceable on a plethora of computing and network devices with diverse operating systems.
Email systems are often the vector through which sensitive data escapes, both intentionally and unintentionally, without authorization. To prevent data loss, security administrators must be able to define and enforce policies that limit which subjects may email certain types of resources to specific recipient subjects. For example, a policy may prohibit sending proprietary information to recipients who are not licensed to have it [XACML-IPC]. These policies may be enforced on the email client and/or the email gateway servers.
Security administrators need to be able to prohibit subjects from transferring sensitive data resources via web-mail systems. These policies may be enforced on endpoint devices such as desktops, laptops, and mobile devices, and on web proxy computers and appliances.
Security administrators need to be able to ensure data containment, i.e., certain data objects must not be copied or transferred outside of special or high-security computing and network environments. These policies may be enforced on endpoint devices (such as desktops, laptops, and mobile devices), servers, printers, network devices, and firewalls.
Removable media is another common vector for data loss. Security administrators must be able to enforce policies to prohibit subjects from transferring specific resources to removable media devices. These policies will be enforced on endpoint devices and servers.
Data exfiltration may occur via standard web protocols such as HTTP and HTTPS. Security administrators need to be able to prohibit subjects from transferring specific resources via HTTP(S) outside the local domain or to certain disallowed URLs. These policies may be enforced at endpoint devices as well as firewalls, network devices, web proxies, and web portals.
Sensitive data may not be copied from a specific resource or location to another. This prevents malicious actors from copying data into new files or databases to evade security controls.
Policies may stipulate which applications can read or modify resources to prevent insecure applications or malware-compromised applications from contaminating or exfiltrating sensitive data. This use case assumes that the Policy Decision Point (PDP) can call an external configuration management database to determine if the application is on the approved list.
Network devices that control the flow of network traffic (e.g. firewalls) may need to restrict network traffic based on policy regarding the type of protocols allowed. For example, a policy may disallow transfer of resources over an unsecured protocol such as FTP while allowing the more secure SFTP protocol.
Network devices that control access to network resources (e.g. VPN) may restrict an authenticated user’s access to certain subnets, such as secure access zones or enclaves, based on policy regarding the type of subject attributes.
This section defines several datatypes and functions related to determining network location using either IP Address or DNS name. Network locations are used as both Resource and Subject Attributes as described in the sections below.
Both IP Address types and DNS Name types MAY include a port range list. An IP port is a 16-bit number expressed in decimal. Port 0 is not used. Thus valid values for a portnumber range from 1 to 65535. The syntax SHALL be:
portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]
portrangelist = portrange *( "," portrange )
where "portnumber" is a decimal port number and *( ) denotes zero or more repetitions. When two port numbers are given in a range, the first must be lower than the second. The port range includes the given ports. If the port range is of the form "-x", where "x" is a port number, then the range is all ports numbered "x" and below. If the port range is of the form "x-", then the range is all ports numbered "x" and above.
Port range is the same as defined in A.2 of [XACML3]. A port range list allows multiple non-contiguous ranges to be specified. The port ranges in a given port range list MAY appear in any order and MAY overlap. The port range list indicates all the ports in any of the ranges.
The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” primitive type represents an IPv4 or IPv6 network address value, with optional port. The syntax SHALL be:
ipAddress-value = ipAddress [ ":" port ]
For an IPv4 address or IPv6 address, the address is formatted in accordance with the syntax for a "host" in [RFC 3986], section 3.2.2. (Note that an IPv6 address, in this syntax, is enclosed in literal "[" "]" brackets.) The subnet mask SHALL be omitted.
The “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” primitive type represents an IPv4 or IPv6 network address pattern, with optional portrange list.
The syntax SHALL be:
ipAddressrange = ipAddress | "-" ipAddress | ipAddress "-"[ ipAddress ]
ipAddressrangelist = ipAddressrange *( "," ipAddressrange )
ipAddress-pattern = ipAddressrangelist [ ":" portrangelist ]
The subnet mask SHALL be omitted. When two IP addresses are given in a range, the first must be lower than the second. The IP address range includes the given IP addresses. If the IP address range is of the form "-x", where "x" is an IP address, then the range is all IP addresses numbered "x" and below. If the IP address range is of the form "x-", then the range is all IP addresses numbered "x" and above. An IP address range list allows multiple non-contiguous ranges to be specified. The IP address ranges in a given IP address range list MAY appear in any order and MAY overlap. The IP address range list indicates all the IP addresses in any of the ranges.
Note that any string which is a valid IP Address value is by definition a valid IP Address pattern.
Examples
Valid ipAddress-values
192.168.1.2
101.86.23.0:443
[602:ea8:85a3:8d3:223:8a2e:370:ff04]
[602:ea8:85a3::370:ff04]
[2001:db8:85a3:8d3:1319:8a2e:370:7348]:80
Invalid ipAddress-values
192.168.1.556 // value too large
101.12.2.1-101.12.2.127 // ip address range not allowed
192.168.54.3/16 // mask not allowed
101.86.23.0:443-1024 // port range not allowed
[602:ea8:85a3:8d3:223:8a2e:cex:ff04] // value not hexadecimal
[602:ea8::85a3::370:ff04] // multiple ::
[2001:db8:85a3:8d3:1319:8a2e:370:7348]:80-200 // port range not allowed
Valid ipAddress-patterns
192.168.1.2-192.168.1.125
101.86.23.0-101.86.100.255,101.20.1.1-101.86.50.255:443
[602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-1023
[602:ea8:85a3::370:1]-[602:ea8:85a3::370:ff04]:80
Invalid ipAddress-patterns
192.168.5.2-192.168.1.125 // range not low to high
[602:ea8:85a3:8d3:223:8a2e:370:ff04]:1-90000 // port out of range
The following functions are matching functions for the IP Address datatypes.
· urn:oasis:names:tc:xacml:3.0:function:ipAddress-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The first and second arguments SHALL both be of the same IP version (4 or 6).
· The value of the second argument SHALL be included in one of the IP address ranges in the IP address range list of the first argument.
· Any port or port range values in either argument SHALL be ignored.
Otherwise, it SHALL return “False”.
· urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The first and second arguments SHALL both be of the same IP version (4 or 6).
· The value of the second argument SHALL be included in one of the IP address ranges in the IP address range list of the first argument.
· The first argument SHALL contain a port range list and the second SHALL contain a port value which is included in the port range list of the first.
Otherwise, it SHALL return “False”.
· urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal
This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The first and second arguments SHALL both be of the same IP version (4 or 6).
· The value of the first argument SHALL have a value identical to the second argument.
· Any port value in either argument SHALL be ignored.
Otherwise, it SHALL return “False”.
The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” primitive type represents a Domain Name Service (DNS) host name, with optional port. The syntax SHALL be:
dnsName-value = hostname [ ":" port ]
The hostname is formatted in accordance with [RFC 3986], section 3.2.2.
The “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” primitive type represents a Domain Name Service (DNS) host name, with optional portrange list. The syntax SHALL be:
dnsName-pattern = hostname [ ":" portrangelist ]
The hostname is formatted in accordance with [RFC 3986], section 3.2.2, except that a wildcard "*" may be used in the left-most component of the hostname to indicate "any subdomain" under the domain specified to its right.
The following functions are matching functions for the DNS Name datatypes.
· urn:oasis:names:tc:xacml:3.0:function:dnsName-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument, except that if the leftmost component in the first argument has the value “*” it SHALL be deemed to match any value in the corresponding component of the second argument. (Any port or port range values in either argument SHALL be ignored.)
Otherwise, it SHALL return “False”.
· urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match
This function SHALL take one argument of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern” and a second argument of type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument, except that if the leftmost component in the first argument has the value “*” it SHALL be deemed to match any value in the corresponding component of the second argument.
· The first argument SHALL contain a port range list and the second SHALL contain a port value which is included in the port range list of the first.
Otherwise, it SHALL return “False”.
· urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal
This function SHALL take two arguments of data-type “urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value” and SHALL return an “http://www.w3.org/2001/XMLSchema#boolean”. The function SHALL return "True" if and only if the following conditions are met.
· The number of name components in the second argument SHALL be the same as the number in the first argument and each component in the second argument SHALL be identical to the corresponding component in the first argument. (Any port values in either argument SHALL be ignored.)
Otherwise, it SHALL return “False”.
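The port range, ipAddress-value/ipAddress-pattern and dnsName-value/dnsName-pattern grammars above, together with the six matching functions, implemented in Python as an added example; this is not code from the profile, and names such as Value, Pattern, parse_ipaddress_pattern and rejects are this example's own. It assumes Python's standard ipaddress module for IPv4/IPv6 literal syntax, reads the port range list and IP address range list grammars as allowing any number of comma-separated ranges (as the prose describes), narrows the RFC 3986 reg-name to letter/digit/hyphen DNS labels, and compares DNS labels case-insensitively (the profile says only "identical"). The invalid examples from the profile are rejected with ValueError.

```python
import ipaddress
import re
from collections import namedtuple

MAX_PORT = 65535  # a port is a 16-bit number and port 0 is not used
Value = namedtuple("Value", "host port")        # host: IPv4/IPv6Address or DNS label tuple; port: int or None
Pattern = namedtuple("Pattern", "hosts ports")  # hosts: (low, high) address ranges or label tuple; ports: ranges or None

def parse_port(text):
    if not re.fullmatch(r"[0-9]+", text) or not 1 <= int(text) <= MAX_PORT:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def _parse_range(text, parse, bounds):
    """Shared syntax 'x' | '-x' (x and below) | 'x-' (x and above) | 'x-y'; bounds(v) gives v's type's (min, max)."""
    if text.startswith("-"):
        hi = parse(text[1:]); lo = bounds(hi)[0]
    elif text.endswith("-"):
        lo = parse(text[:-1]); hi = bounds(lo)[1]
    elif "-" in text:
        lo, hi = (parse(part) for part in text.split("-", 1))
    else:
        lo = hi = parse(text)
    if type(lo) is not type(hi) or lo > hi:
        raise ValueError(f"range not low to high: {text!r}")
    return lo, hi

def parse_portrangelist(text):  # comma-separated port ranges; any order, may overlap
    return tuple(_parse_range(r, parse_port, lambda _: (1, MAX_PORT)) for r in text.split(","))

def _split_at_port_colon(text):
    """Split at the first ':' outside an IPv6 '[...]' literal -> (host part, port part or None)."""
    depth = 0
    for i, ch in enumerate(text):
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            return text[:i], text[i + 1:]
    return text, None

def parse_ip_host(text):
    """RFC 3986 host form: bare dotted IPv4, or IPv6 inside literal brackets; a mask is rejected."""
    if text.startswith("[") and text.endswith("]"):
        return ipaddress.IPv6Address(text[1:-1])
    return ipaddress.IPv4Address(text)

def parse_ipaddress_value(text):
    host, port = _split_at_port_colon(text)
    return Value(parse_ip_host(host), None if port is None else parse_port(port))

def parse_ipaddress_pattern(text):
    hosts, ports = _split_at_port_colon(text)
    bounds = lambda a: (type(a)(0), type(a)((1 << a.max_prefixlen) - 1))  # limits for open-ended ranges
    ranges = tuple(_parse_range(r, parse_ip_host, bounds) for r in hosts.split(","))
    if len({type(lo) for lo, _ in ranges}) != 1:
        raise ValueError("pattern mixes IPv4 and IPv6 ranges")
    return Pattern(ranges, None if ports is None else parse_portrangelist(ports))

def _in_ranges(value, ranges):
    return any(lo <= value <= hi for lo, hi in ranges)
def _port_included(pattern, value):  # the extra condition of the *-endpoint-match functions
    return pattern.ports is not None and value.port is not None and _in_ranges(value.port, pattern.ports)

def ipaddress_match(pattern, value):
    """ipAddress-match: same IP version and address inside one of the ranges; ports ignored."""
    return type(value.host) is type(pattern.hosts[0][0]) and _in_ranges(value.host, pattern.hosts)
def ipaddress_endpoint_match(pattern, value):  # ipAddress-endpoint-match
    return ipaddress_match(pattern, value) and _port_included(pattern, value)
def ipaddress_value_equal(a, b):  # ipAddress-value-equal: same version and address; ports ignored
    return type(a.host) is type(b.host) and a.host == b.host

_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
def _parse_hostname(text, allow_wildcard):
    """Letter/digit/hyphen labels (assumption: RFC 3986 reg-name narrowed to DNS labels), case-folded
    (assumption: DNS is case-insensitive; the profile says 'identical'); '*' only leftmost in a pattern."""
    labels = text.split(".")
    for i, label in enumerate(labels):
        if not ((allow_wildcard and i == 0 and label == "*") or _LABEL.fullmatch(label)):
            raise ValueError(f"bad hostname label {label!r} in {text!r}")
    return tuple(label.lower() for label in labels)

def parse_dnsname_value(text):
    host, port = _split_at_port_colon(text)
    return Value(_parse_hostname(host, False), None if port is None else parse_port(port))
def parse_dnsname_pattern(text):
    host, ports = _split_at_port_colon(text)
    return Pattern(_parse_hostname(host, True), None if ports is None else parse_portrangelist(ports))

def dnsname_match(pattern, value):
    """dnsName-match: same label count and identical labels, except a leftmost '*' matches exactly
    one label, so *.example.com matches www.example.com but not a.b.example.com or example.com."""
    return len(pattern.hosts) == len(value.host) and all(
        p == v or (i == 0 and p == "*") for i, (p, v) in enumerate(zip(pattern.hosts, value.host)))
def dnsname_endpoint_match(pattern, value):  # dnsName-endpoint-match
    return dnsname_match(pattern, value) and _port_included(pattern, value)
def dnsname_value_equal(a, b):  # dnsName-value-equal: identical labels; ports ignored
    return a.host == b.host

def rejects(parser, text):
    """True if parser refuses text with ValueError; used to check the profile's invalid examples."""
    try:
        parser(text)
    except ValueError:
        return True
    return False
```

Two behaviours of this implementation are worth checking against your own PDP: the endpoint-match functions return False whenever the value carries no port, so a policy built on ipAddress-endpoint-match or dnsName-endpoint-match never permits a request whose requesting-machine attribute omits the port; and the wildcard consumes exactly one label, so a pattern written for *.example.com does not cover deeper subdomains, which is the intended containment but is easy to misread when writing a deny rule.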
The following Resource Attributes defined in section 10.2.6 of [XACML3] facilitate the description of DLP and NAC objects for the purpose of creating access control policies.
The Resource-id value shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:resource:resource-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#anyURI. This attribute denotes the uniform resource identifier of the requested resource.
The Resource-location value shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:resource:resource-location
Allowable DataTypes for this attribute are: http://www.w3.org/2001/XMLSchema#anyURI, urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value, urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value, and urn:ogc:def:dataType:geoxacml:1.0:geometry. This attribute denotes the logical and/or physical location of the requested resource.
The attributes in this section appear in conjunction with the access subject category [XACML3].
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
This is the identifier for the subject issuing the request, which may include user identifiers, machine identifiers, and/or application identifiers.
Subject-ID classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
This identifier indicates the security domain of the access subject. It identifies the administrator and policy that manage the name-space in which the subject-id is administered.
Subject-Security-Domain classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
This identifier indicates the time at which the subject was authenticated. Authentication-Time classification values shall be designated with the following attribute identifier.
urn:oasis:names:tc:xacml:1.0:subject:authentication-time
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.
This identifier indicates the method used to authenticate the subject. Authentication-Method classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:authentication-method
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
This identifier indicates the time at which the subject initiated the access request, according to the PEP. Request-Time classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:request-time
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#dateTime.
This identifier indicates the location where authentication credentials were activated, expressed as an IP Address:
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address
The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value.
This identifier indicates the location where authentication credentials were activated, expressed as a DNS name:
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name
The DataType of this attribute is urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value.
The attributes in this section appear in conjunction with the recipient subject category [XACML3]:
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject
This identifier indicates the entity that will receive the results of the request, which may include user identifiers, machine identifiers, and/or application identifiers.
Subject-ID classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
This identifier indicates the security domain of the recipient subject. It identifies the administrator and policy that manages the name-space in which the recipient-subject id is administered.
Subject-Security-Domain classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The attributes in this section appear in conjunction with the requesting machine category [XACML3].
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine
This identifier indicates the address of the machine from which the access request originated. Requesting-machine classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string.
The following identifier is defined to indicate the machine to which access is intended to be granted.
urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine
The shorthand notation for this category in the JSON representation [XACML3] is RecipientMachine.
This identifier indicates the address of the machine(s) to which the access will be granted. Recipient machine classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
The following DataTypes can be used with this attribute: urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value and urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value. The attribute value may include full paths including volume names, where applicable. For Media Access Control (MAC) addresses, use http://www.w3.org/2001/XMLSchema#string. The attribute may take multiple values.
This identifier indicates whether or not the destination of the action is a removable media device. Removable media classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:subject:removable-media
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
This identifier indicates whether or not the requesting application is approved for the actions requested.
urn:oasis:names:tc:xacml:3.0:codebase:authorized-application
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
In order to create fine-grained access control rules and policies, specific action attributes must be defined. Action attributes will be grouped according to type of action.
The following action attribute values correspond to the action-id identifier:
urn:oasis:names:tc:xacml:1.0:action:action-id
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
The following action-id attributes are defined:
urn:oasis:names:tc:xacml:1.0:action:action-id:create
urn:oasis:names:tc:xacml:1.0:action:action-id:read
urn:oasis:names:tc:xacml:1.0:action:action-id:update
urn:oasis:names:tc:xacml:1.0:action:action-id:delete
urn:oasis:names:tc:xacml:1.0:action:action-id:copy
urn:oasis:names:tc:xacml:1.0:action:action-id:print
urn:oasis:names:tc:xacml:1.0:action:action-id:email-send
Additional action-IDs can be defined as needed.
For both DLP and NAC purposes, standard protocols must be available for policy authors to use.
The following action attribute values correspond to the action-protocol identifier:
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The list below contains a number of common protocols which can be used to construct DLP and NAC policies. The list is not comprehensive, and may be extended as needed by implementers.
SMTP
FTP
SFTP
IMAP
POP
RPC
HTTP
HTTPS
LDAP
TCP (ports can be specified as TCP:81, TCP:100-120, etc.)
UDP (ports can be specified as UDP:54, UDP:100-120)
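The port notation above lends itself to a small validator. The following Python is an added example, not part of this profile: it parses action-protocol values of the forms shown (a bare protocol name, PROTO:port, PROTO:lo-hi) and tests whether the protocol and port named in a request fall within a policy value. Everything beyond the two examples given in the list (case-insensitive protocol names, the 0-65535 port bound, the rule that a bare protocol covers every port of that protocol) is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example grammar for action-protocol values: "SMTP", "TCP:81", "UDP:100-120".
# The profile only shows the two port forms; the rest of the grammar is assumed here.
_SPEC_RE = re.compile(
    r"^(?P<proto>[A-Za-z][A-Za-z0-9+-]*)(?::(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?)?$")


@dataclass(frozen=True)
class ProtocolSpec:
    protocol: str            # upper-cased protocol name, e.g. "TCP"
    port_lo: Optional[int]   # None when the value carries no port constraint
    port_hi: Optional[int]


def parse_protocol_spec(value: str) -> ProtocolSpec:
    """Parse one action-protocol attribute value; raise ValueError on malformed input."""
    m = _SPEC_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed action-protocol value: {value!r}")
    proto = m.group("proto").upper()
    lo = hi = None
    if m.group("lo") is not None:
        lo = int(m.group("lo"))
        hi = int(m.group("hi")) if m.group("hi") is not None else lo
        # Reject ports outside 0-65535 and inverted ranges instead of silently matching nothing
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535) or lo > hi:
            raise ValueError(f"invalid port range in {value!r}")
    return ProtocolSpec(proto, lo, hi)


def is_valid_spec(value: str) -> bool:
    """True if the value parses; useful for validating policy input before deployment."""
    try:
        parse_protocol_spec(value)
        return True
    except ValueError:
        return False


def spec_matches(policy_value: str, request_value: str) -> bool:
    """True if the protocol/port in the request falls within the policy value.

    A policy value with no port (e.g. "TCP") covers every port of that protocol;
    a request value with no port matches only a policy value with no port, so an
    unspecified port never slips through a port-restricted rule."""
    p = parse_protocol_spec(policy_value)
    r = parse_protocol_spec(request_value)
    if p.protocol != r.protocol:
        return False
    if p.port_lo is None:
        return True
    if r.port_lo is None:
        return False
    return p.port_lo <= r.port_lo and r.port_hi <= p.port_hi
```

Note that a value such as HTTP(S), which appears in one of the attribute tables later in this document, is rejected by this grammar; a policy author who wants both protocols would list HTTP and HTTPS as two values.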
The following action attribute values correspond to the action-method identifier:
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The list below contains a number of action-methods which can be used to construct DLP and NAC policies. The list is based on HTTP as an example, and is not comprehensive. Additional methods may be created as needed by implementers.
GET
PUT
POST
HEAD
DELETE
OPTIONS
The <Obligation> element is used in the XACML response to notify the requestor that additional processing is required. This profile focuses on the use of obligations for encryption and visual marking. The XACML response may contain one or more obligations. Processing of an obligation is application specific. An <Obligation> may contain the object (resource) and action pairing information. If multiple vocabularies are used for resource definitions, the origin of the vocabulary MUST be identified.
The obligation should conform to the following structure:
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation
The Encrypt obligation shall be designated with the following identifier:
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt
The encrypt obligation can be used to command PEPs (Policy Enforcement Points) to encrypt the resource. This profile does not specify the type of encryption or other parameters to be used; rather, the details of implementation are left to the discretion of policy authors and software developers as to how to best meet their individual requirements.
The following is an example of the Encrypt obligation:
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
FulfillOn="Permit">
</ObligationExpression>
</ObligationExpressions>
The Log obligation shall be designated with the following identifier:
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log
The log obligation can be used to command PEPs to make an electronic record of the access request and result. Examples of log types are syslog, application logs, operating system logs, etc. Policy authors can use this obligation to meet legal, contractual, or organizational policy requirements by forcing PEPs to record the request and response. Depending on business or legal requirements, policy authors may find it advantageous to log both <Permit> and <Deny> decisions. This profile does not specify the content that should be written to the log.
The following is an example of the Log obligation:
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log"
FulfillOn="Permit">
</ObligationExpression>
</ObligationExpressions>
The Marking obligation shall be designated with the following identifier:
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking
The marking obligation can be used to command PEPs to embed visual marks, sometimes called watermarks, on data viewed both on-screen and in printed form. Policy authors may use this obligation to meet legal or contractual requirements by forcing PEPs to display text or graphics in accordance with <Permit> decisions. This profile does not specify the text or graphics which can be rendered; rather, the details of implementation are left to the discretion of policy authors as to how to best meet their individual requirements.
The following is an example of the marking obligation:
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>Copyright 2011 Acme</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
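What a PEP does with these obligations is application specific, as stated above, but the enforcement discipline is not: the PEP has to discharge every obligation in the response before it releases the resource, and an obligation it does not recognise or cannot fulfil has to result in denial. The following Python is an added example, not part of this profile or of any XACML implementation, showing that fail-closed dispatch over a constructed XACML <Response> that carries the marking and encrypt obligations. The response document, the handler functions and the action log are the example's own construction; the attribute identifier urn:oasis:names:tc:xacml:3.0:example:attribute:text is taken from the marking example above.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
OBL_ENCRYPT = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
OBL_LOG = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log"
OBL_MARKING = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
MARK_TEXT = "urn:oasis:names:tc:xacml:3.0:example:attribute:text"

# Constructed sample: the PDP response a PEP would see for the marking example above,
# plus an encrypt obligation. Not captured from a real PDP.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML_NS}">
  <Result>
    <Decision>Permit</Decision>
    <Obligations>
      <Obligation ObligationId="{OBL_MARKING}">
        <AttributeAssignment AttributeId="{MARK_TEXT}"
            DataType="http://www.w3.org/2001/XMLSchema#string">Copyright 2011 Acme</AttributeAssignment>
      </Obligation>
      <Obligation ObligationId="{OBL_ENCRYPT}"/>
    </Obligations>
  </Result>
</Response>"""


def _q(tag: str) -> str:
    """Clark-notation name for an element in the XACML 3.0 namespace."""
    return f"{{{XACML_NS}}}{tag}"


def parse_result(xml_text: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """Return (decision, [(obligation id, {attribute id: value})]) for the first Result."""
    result = ET.fromstring(xml_text).find(_q("Result"))
    if result is None:
        raise ValueError("no Result element in response")
    decision = result.findtext(_q("Decision")) or "Indeterminate"
    obligations = []
    for ob in result.iterfind(f"{_q('Obligations')}/{_q('Obligation')}"):
        attrs = {a.get("AttributeId"): (a.text or "")
                 for a in ob.findall(_q("AttributeAssignment"))}
        obligations.append((ob.get("ObligationId"), attrs))
    return decision, obligations


# A handler receives the obligation's attribute assignments and the action log and
# returns True only if the obligation was fully discharged.
Handler = Callable[[Dict[str, str], List[str]], bool]


def encrypt_handler(attrs: Dict[str, str], actions: List[str]) -> bool:
    actions.append("encrypt resource before release")
    return True


def marking_handler(attrs: Dict[str, str], actions: List[str]) -> bool:
    text = attrs.get(MARK_TEXT)
    if not text:                      # a mark with no text cannot be rendered: refuse
        return False
    actions.append(f"render mark: {text}")
    return True


def log_handler(attrs: Dict[str, str], actions: List[str]) -> bool:
    actions.append("write access record to audit log")
    return True


DEFAULT_HANDLERS: Dict[str, Handler] = {
    OBL_ENCRYPT: encrypt_handler, OBL_MARKING: marking_handler, OBL_LOG: log_handler}


def enforce(xml_text: str, handlers: Dict[str, Handler]) -> Tuple[bool, List[str]]:
    """PEP side: grant only on Permit with every obligation discharged.

    An obligation with no registered handler, or whose handler reports failure,
    denies the access (fail closed); the actions list records what was done."""
    decision, obligations = parse_result(xml_text)
    actions: List[str] = []
    if decision != "Permit":
        return False, actions
    for ob_id, attrs in obligations:
        handler = handlers.get(ob_id)
        if handler is None or not handler(attrs, actions):
            actions.append(f"denied: cannot discharge obligation {ob_id}")
            return False, actions
    return True, actions
```

The second assertion case in practice is the important one: a PEP deployed with only an encrypt handler receives a policy that now also demands marking, and instead of releasing an unmarked document it denies the request, which is the behaviour a policy author relies on when adding a new obligation.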
This profile defines the following URN identifiers.
The following identifier SHALL be used as the identifier for this profile when an identifier in the form of a URI is required.
urn:oasis:names:tc:xacml:3.0:dlp-nac
This section contains examples of how the profile attributes can be used.
This example illustrates the above use case with the following scenario:
Acme security policy restricts the ability to read and modify certain documents on a “need-to-know” basis, according to the mandatory access control model. Subjects with appropriate attributes, which may include roles, group memberships, etc., will succeed in accessing these documents, while those without the requisite attribute values will fail.
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Requesting Machine Attributes | Values
Subject-ID | alice-laptop.acme.com
Action Attributes | Values
Action-ID | Read, Update
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
Rule: This rule is only applicable if Resource-ID contains “confidential.acme.com”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” AND
Requesting-machine.Subject-ID matches “*.acme.com” AND
Action-ID = “Read” OR “Update” THEN
PERMIT
Obligation:
On PERMIT mark AND encrypt the resource
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase411"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.1 Prevent sensitive data from being read/modified by unauthorized users</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Permit"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase411.confidentialAcme">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern"
>*.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy prohibits sending confidential information to users outside the acme.com domain. Alice attempts to send a document to Bob at Wileycorp.com. The request fails. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Recipient Subject Attributes | Values
Subject-ID |
Subject-Security-Domain | Wileycorp.com
Requesting Machine Attributes | Values
Subject-ID | alice-repository.acme.com
Action Attributes | Values
Action-ID | Email-send
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-ID = “Email-send”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” AND
Recipient-Subject.Subject-ID contains “@[Aa][Cc][Mm][Ee]\.[Cc][Oo][Mm]” AND
Recipient-Subject.Subject-Security-Domain = “acme.com” AND
Requesting-machine.Subject-ID matches “*.acme.com” THEN
PERMIT
Obligation:
On PERMIT mark AND encrypt the resource
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase412"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.2 Prevent sensitive data from being emailed to unauthorized users</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Permit"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase412.sendEmail">
<Description>This rule is only applicable if Action-ID = "Email-send"</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Email-send</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:rfc822Name"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern"
>*.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
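To see how the subject categories, the match functions and first-applicable combining in use cases 4.1.1 and 4.1.2 turn the attribute tables into a decision, the following Python is an added example, not part of this profile or of any XACML implementation: a toy evaluator that encodes both sample policies as data, implements the five match functions they use, applies first-applicable rule combining and runs the requests from the tables above (Resource-ID, left blank in the tables, is given a constructed URI under confidential.acme.com). The wildcard semantics assumed for dnsName-match and the bare-domain semantics assumed for rfc822Name-match are the example's assumptions and should be checked against the function definitions in this profile and in [XACML3].

```python
from typing import Callable, Dict, List, Optional, Tuple

# Attribute categories and identifiers used by the two sample policies
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUB = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RCPT = "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MACH = "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
SID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"        # subjects and machines alike
DOM = "urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
RID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
LOC = "urn:oasis:names:tc:xacml:1.0:resource:resource-location"
AID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
MARK = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
ENC = "urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"


def dns_match(pattern: str, name: str) -> bool:
    """Assumed dnsName-match semantics: '*.acme.com' covers any host with at
    least one label under acme.com; any other pattern must equal the name."""
    p, n = pattern.lower(), name.lower()
    if p.startswith("*."):
        return n.endswith(p[1:]) and len(n) > len(p[1:])
    return p == n


def rfc822_match(pattern: str, name: str) -> bool:
    """Assumed rfc822Name-match semantics (as in core XACML): a pattern without
    '@' names the domain part; a leading '.' matches any sub-domain; otherwise
    the whole address must match, local part case-sensitively."""
    local, _, domain = name.partition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.partition("@")
        return local == plocal and domain.lower() == pdomain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()


# First argument is the policy's AttributeValue, second a value from the request bag
FUNCS: Dict[str, Callable[[str, str], bool]] = {
    "string-equal": lambda a, b: a == b,
    "anyURI-contains": lambda a, b: a in b,
    "dnsName-value-equal": lambda a, b: a.lower() == b.lower(),
    "dnsName-match": dns_match,
    "rfc822Name-match": rfc822_match,
}

Match = Tuple[str, str, str, str]            # (function, policy value, category, attribute id)
Target = List[List[List[Match]]]             # AnyOf -> AllOf -> Match
Request = Dict[str, Dict[str, List[str]]]    # category -> attribute id -> bag of values


def match(m: Match, req: Request) -> bool:
    func, value, cat, attr = m
    bag = req.get(cat, {}).get(attr, [])     # absent attribute = empty bag (MustBePresent="false")
    return any(FUNCS[func](value, v) for v in bag)


def target_applies(target: Target, req: Request) -> bool:
    return all(any(all(match(m, req) for m in allof) for allof in anyof) for anyof in target)


def evaluate(policy, req: Request) -> Tuple[str, List[str]]:
    """first-applicable rule combining: (decision, obligation ids of the rule that fired)."""
    target, rules = policy
    if target_applies(target, req):
        for effect, rule_target, obligations in rules:
            if target_applies(rule_target, req):
                return effect, list(obligations)
    return "NotApplicable", []


# Use case 4.1.1: read/update of confidential documents on webserver1.acme.com
POLICY_411 = (
    [[[("dnsName-value-equal", "webserver1.acme.com", RES, LOC)]]],
    [("Permit",
      [[[("anyURI-contains", "confidential.acme.com", RES, RID)]],
       [[("string-equal", "acme.com", SUB, DOM), ("dnsName-match", "*.acme.com", MACH, SID)]],
       [[("string-equal", "read", ACT, AID)], [("string-equal", "update", ACT, AID)]]],
      [MARK, ENC])])

# Use case 4.1.2: e-mail of confidential documents only to acme.com recipients
POLICY_412 = (
    [[[("dnsName-value-equal", "webserver1.acme.com", RES, LOC)]],
     [[("anyURI-contains", "confidential.acme.com", RES, RID)]]],
    [("Permit",
      [[[("string-equal", "Email-send", ACT, AID), ("string-equal", "acme.com", SUB, DOM),
         ("rfc822Name-match", "acme.com", RCPT, SID), ("string-equal", "acme.com", RCPT, DOM),
         ("dnsName-match", "*.acme.com", MACH, SID)]]],
      [MARK, ENC])])


def request(action: str, machine: str, recipient: Optional[Tuple[str, str]] = None) -> Request:
    """Request context from the attribute tables; Resource-ID is a constructed URI."""
    req: Request = {
        RES: {LOC: ["webserver1.acme.com"], RID: ["https://confidential.acme.com/plans/q3.docx"]},
        SUB: {SID: ["Alice"], DOM: ["acme.com"]},
        MACH: {SID: [machine]},
        ACT: {AID: [action]},
    }
    if recipient:
        req[RCPT] = {SID: [recipient[0]], DOM: [recipient[1]]}
    return req


if __name__ == "__main__":
    print(evaluate(POLICY_411, request("read", "alice-laptop.acme.com")))
    print(evaluate(POLICY_412, request("Email-send", "alice-repository.acme.com",
                                       ("bob@wileycorp.com", "Wileycorp.com"))))
```

Alice's read from alice-laptop.acme.com yields Permit with the marking and encrypt obligations; the message to Bob at Wileycorp.com yields NotApplicable, because no rule in the policy fires, and a deny-biased PEP treats NotApplicable as a denial, which is the "request fails" outcome described for use case 4.1.2. Note that a request from a machine outside *.acme.com, or one whose requesting-machine attribute is simply missing, is also NotApplicable rather than Permit: the empty bag produced by MustBePresent="false" never satisfies a Match.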
Acme security policy prohibits sending proprietary information to personal web-mail accounts. Alice attempts to send a document to her account at big-email-service.com so that she can work on it after-hours. The request fails. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Recipient Subject Attributes | Values
Subject-ID |
Subject-Security-Domain | big-email-service.com
Requesting Machine Attributes | Values
Subject-ID | alice-repository.acme.com
Action Attributes | Values
Action-Protocol | HTTP(S)
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-Protocol contains “HTTP”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” AND
Recipient-Subject.Subject-ID contains “@[Aa][Cc][Mm][Ee]\.[Cc][Oo][Mm]” AND
Recipient-Subject.Subject-Security-Domain = “acme.com” AND
Requesting-Machine.Subject-ID matches “*.acme.com” THEN
PERMIT
Obligation:
On PERMIT mark AND encrypt the resource.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase413"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.3 Prevent sensitive data from being transferred via web-mail</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Permit"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase413.allowHTTP">
<Description>This rule is only applicable if Action-Protocol contains "HTTP"</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-contains">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:rfc822Name"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern"
>*.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy disallows copying highly sensitive data from a hardened computer to other computers. Any attempt to copy must fail. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-ID |
Resource-location | fortress.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Requesting Machine Attributes | Values
Subject-ID | alice-desktop.acme.com
Recipient Machine Attributes | Values
Subject-ID | public-facing.acme.com
Action Attributes | Values
Action-ID | Copy or Print
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “fortress.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-ID = “Copy” or “Print”
Then if
Requesting-Machine.Subject-ID = Recipient-Machine.Subject-ID THEN
PERMIT
Obligation:
On PERMIT mark AND encrypt the resource.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase414"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.4 Prevent sensitive data from being copied/printed from one computer to another</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>fortress.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Permit"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase414.copyOrPrint">
<Description>This rule is only applicable if Action-ID = "Copy" or "Print"</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Print</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal">
<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only" >
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
MustBePresent="false"
/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:ipAddress-one-and-only" >
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-machine"
MustBePresent="false"
/>
</Apply>
</Apply>
</Condition>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt"
FulfillOn="Permit">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy prohibits the transfer of sensitive data to removable media, such as CDs, DVDs, and USB drives. Any attempt to copy data to removable media must fail. Sample attributes and values are provided below:
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Requesting Machine Attributes | Values
Subject-ID | alice-laptop.acme.com
Recipient Machine Attributes | Values
Removable-media | true
Action Attributes | Values
Action-ID | Copy or Print
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-ID = “Copy”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” AND
Requesting-Machine.Subject-ID matches “*.acme.com” AND
Recipient-Machine.Removable-Media = “TRUE” THEN
DENY
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase415"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.5 Prevent sensitive data from being transferred to removable media</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Deny"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase415.copy">
<Description>Rule: This rule is only applicable if Action-ID = Copy</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern"
>*.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:removable-media"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
Acme security policy prohibits sensitive data from being transferred outside the organization to specific sites. Alice attempts to upload a sensitive document, but the attempt fails. Sample attributes and values follow:
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Requesting Machine Attributes | Values
Subject-ID | alice-laptop.acme.com
Recipient Machine Attributes | Values
Subject-ID | cloudstoragesite.com
Action Attributes | Values
Action-Protocol | HTTP
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
Rule: This rule is only applicable if Resource-ID contains “confidential.acme.com”
Then if
Action-Protocol = “HTTP” OR
Action-Protocol = “FTP” THEN
DENY
Obligation:
On DENY log transfer attempt.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase416"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.6 Prevent sensitive data from being transferred to disallowed URLs</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Deny"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase416.confidentialDomain">
<Description>This rule is only applicable if Resource-ID contains "confidential.acme.com"</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">FTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer-attempt"
FulfillOn="Deny">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Transfer</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy prohibits copying proprietary information from one resource to another. Alice attempts to copy sensitive data from one resource to a new one she just created. The request fails. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Action Attributes | Values
Action-ID | Copy
This sample policy can be summarized as follows:
Target: This policy is only applicable if Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-ID = “Copy”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” THEN
DENY
Obligation:
On DENY log copy attempt.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase417"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.7 Prevent sensitive data from being copied from one resource to another</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Deny"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase417.copy">
<Description>This rule is only applicable if Action-ID = "Copy"</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">Copy</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer-attempt"
FulfillOn="Deny">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy prohibits unapproved applications from reading and modifying sensitive data. Alice attempts to open a sensitive document with an unauthorized application. The request fails. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-ID |
Resource-location | webserver1.acme.com
Access Subject Attributes | Values
Subject-ID | Alice
Subject-Security-Domain | acme.com
Codebase Attributes | Values
Authorized-application | false
Action Attributes | Values
Action-Protocol | HTTP
This sample policy can be summarized as follows:
Target: This policy is only applicable to Resource-location = “webserver1.acme.com”
AND Resource-ID contains “confidential.acme.com”
Rule: This rule is only applicable if Action-Protocol = “HTTP”
Then if
Access-Subject.Subject-Security-Domain = “acme.com” AND Authorized-application = false THEN
DENY
Obligation:
On DENY log the attempt to use an unauthorized application.
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase418"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.1.8 Prevent sensitive data from being read/modified by unauthorized applications</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
>webserver1.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:anyURI-contains">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"
>confidential.acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Deny"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase418.httpProtocol">
<Description>This rule is only applicable if Action-Protocol = HTTP</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">acme.com</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#boolean">false</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:codebase:authorized-application"
DataType="http://www.w3.org/2001/XMLSchema#boolean"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:codebase"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
<ObligationExpressions>
<ObligationExpression
ObligationId="urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:log-transfer-attempt"
FulfillOn="Deny">
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="http://www.w3.org/2001/XMLSchema#anyURI"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</AttributeAssignmentExpression>
<AttributeAssignmentExpression
AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Rule>
</Policy>
Acme security policy prohibits sensitive data from being transferred using insecure protocols. Alice attempts to retrieve a document resource from a server using the FTP protocol, and the attempt fails. Sample attributes and values are listed below.
Resource Attributes | Values
Resource-location | 192.168.0.1
Access Subject Attributes | Values
Subject-ID | CN=Alice, OU=Contractor, O=Acme, C=US
Action Attributes | Values
Action-Protocol | FTP
This sample policy can be summarized as follows:
Target: This policy is only applicable if Subject-ID ends with “O=Acme,C=US”
Rule:
If Action-Protocol = “FTP”
DENY
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase421"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.2.1 Prevent traffic flow between network resources, based on protocol</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match">
<AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
>O=Acme,C=US</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Deny"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase421.ftpProtocol">
<Description>This rule is only applicable if Action-Protocol equals FTP</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">FTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
Acme security policy restricts access to certain secure access zones based on the authenticated subject DN of a user (when certificate-based authentication is used) and the destination IP address. Alice, a contractor at Acme, attempts to access a server containing sensitive data within a secure access zone, but is denied because her subject-id does not end with O=Employee,O=Acme,C=US (her OU value is Contractor). Note that the policy below contains only a Permit rule: for Alice's request the PDP returns NotApplicable rather than an explicit Deny, so the denial relies on a deny-biased PEP that treats any decision other than Permit as a denial.
Resource Attributes | Values
Resource-location | 10.0.0.1
Access Subject Attributes | Values
Subject-ID | CN=Alice, OU=Contractor, O=Acme, C=US
Action Attributes | Values
Action-Protocol | HTTP
Action-Method | GET
This sample policy can be summarized as follows:
Target: This policy is only applicable if Resource-location falls within the IP address range 10.0.0.0-10.255.255.255
Rule: This rule is only applicable if Subject-ID ends with “O=Employee,O=Acme,C=US”
Then if
Action-Protocol = “HTTP” AND
Action-Method = “GET”
THEN
PERMIT
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<Description>4.2.2 Restrict users to certain network resources, based on subject-id</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:3.0:function:ipAddress-match">
<AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern"
>10.0.0.0-10.255.255.255</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-location"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule
Effect="Permit"
RuleId="urn.oasis.names.tc.xacml.dlp_nac.policies.useCase422.employee">
<Description>This rule is only applicable if subject-id ends with O=Employee,O=Acme,C=US</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:x500Name-match">
<AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
>O=Employee,O=Acme,C=US</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">HTTP</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"/>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
<AttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
Conformance to this profile is defined for policies and requests generated and transmitted within and between XACML systems.
Conformant XACML policies and requests SHALL use the IP Address and DNS Name datatypes and functions defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by attributes in this profile. Conformant XACML PDPs SHALL implement these datatypes and functions. The following table lists the datatypes and functions that must be supported.
Note: “M” is mandatory, “O” is optional.
Identifier | M/O
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-value | M
urn:oasis:names:tc:xacml:3.0:data-type:ipAddress-pattern | M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-match | M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-endpoint-match | M
urn:oasis:names:tc:xacml:3.0:function:ipAddress-value-equal | M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-value | M
urn:oasis:names:tc:xacml:3.0:data-type:dnsName-pattern | M
urn:oasis:names:tc:xacml:3.0:function:dnsName-match | M
urn:oasis:names:tc:xacml:3.0:function:dnsName-endpoint-match | M
urn:oasis:names:tc:xacml:3.0:function:dnsName-value-equal | M
Conformant XACML policies and requests SHALL use the category identifiers defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by categories in this profile. The following table lists the categories that must be supported.
Note: “M” is mandatory, “O” is optional.
Identifier | M/O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject | M
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject | M
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine | M
urn:oasis:names:tc:xacml:3.0:subject-category:recipient-machine | M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase | M
urn:oasis:names:tc:xacml:3.0:attribute-category:action | M
Conformant XACML policies and requests SHALL use the attribute identifiers defined in Section 2 for their specified purpose and SHALL NOT use any other identifiers for the purposes defined by attributes in this profile. The following table lists the attributes that must be supported.
Note: “M” is mandatory, “O” is optional.
Identifier | M/O
urn:oasis:names:tc:xacml:1.0:resource:resource-id | M
urn:oasis:names:tc:xacml:1.0:resource:resource-location | M
urn:oasis:names:tc:xacml:1.0:subject:subject-id | M
urn:oasis:names:tc:xacml:3.0:subject:subject-security-domain | M
urn:oasis:names:tc:xacml:3.0:subject:removable-media | M
urn:oasis:names:tc:xacml:1.0:subject:authentication-time | M
urn:oasis:names:tc:xacml:1.0:subject:authentication-method | M
urn:oasis:names:tc:xacml:1.0:subject:request-time | M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address | M
urn:oasis:names:tc:xacml:3.0:subject:authn-locality:dns-name | M
urn:oasis:names:tc:xacml:3.0:codebase:authorized-application | M
urn:oasis:names:tc:xacml:1.0:action:action-id | M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-protocol | M
urn:oasis:names:tc:xacml:3.0:dlp-nac:action:action-method | M
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:encrypt | M
urn:oasis:names:tc:xacml:3.0:dlp-nac:obligation:marking | M
Conformant XACML policies and requests SHALL use attribute values in the specified range or patterns as defined for each attribute in Section 2 (when a range or pattern is specified).
NOTE: In order to process conformant XACML policies and requests correctly, PIP and PEP modules may have to translate native data values into the datatypes and formats specified in this profile.
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
John Tolbert, The Boeing Company
Richard Hill, The Boeing Company
Crystal Hayes, The Boeing Company
David Brossard, Axiomatics AB
Hal Lockhart, Oracle
Steven Legg, ViewDS
Committee members during profile development:
Revision | Date | Editor | Changes Made
WD 1 | 8/21/2013 | John Tolbert | Initial committee draft.
WD 2 | 9/6/2013 | John Tolbert, Richard Hill, Crystal Hayes | Added glossary terms, text for use cases and examples, attributes for recipient machine and recipient-removable-media, and data-types for macAddress.
WD 3 | 10/18/2013 | John Tolbert, David Brossard | Added glossary terms, edited text, added sample policy for use case example 1.
WD 4 | 11/18/2013 | Hal Lockhart | Added IP Address and DNS Name datatypes and functions. Adjusted attribute definitions and example to use new datatypes. Added them to conformance section.
WD 5 | 3/18/2014 | John Tolbert | Separated action-id, action-protocol, and action-method. Moved authorized-application from subject to codebase category.
WD 6 | 6/10/2014 | John Tolbert, Richard Hill, Hal Lockhart | Added Log obligation, inserted policy examples, fixed typos and some word changes. Removed Mask from IP address datatypes. Removed network match function. Replaced IP address wildcards with IP address range list.
WD 7 | 6/26/2014 | Hal Lockhart | Fixed typo in ipAddress-pattern definition. Corrected typos, conformance to profile and datatype mismatches in examples.
WD 8 | 7/30/2014 | Steven Legg | Defined a recipient-machine subject category to hold attributes of the machine to which access is intended to be granted. Defined a JSON short name for recipient-machine and added a reference to the JSON Profile. Replaced recipient-subject-id, requesting-machine and recipient-machine attributes with the subject-id attribute in the recipient-subject, requesting-machine and recipient-machine subject categories respectively. Replaced subject-id-qualifier attribute with a new subject-security-domain attribute that is a better fit for the purpose. Moved and renamed recipient-subject-id-qualifier to subject-security-domain in the recipient-subject category. Replaced the recipient-removable-media attribute with the removable-media attribute in the recipient-machine category. Updated the examples in section 4 to reflect the preceding changes. Rewrote the XACML policy in example 4.1.2.2 to be consistent with its high level description. Added a missing term for (Action-ID = “Copy”) into the XACML policy in section 4.1.5.2. Tweaked the matching of DNs in the examples in section 4.2 and added sample XACML policies. Added category identifiers to the Conformance section and revised the attribute identifiers.
WD 9 | 7/30/2014 | Steven Legg | Accepted the changes to WD 8.