Attribute Based Access Control

Security Policy Manager ABAC Features

  • XML based Attribute Based Access Control policies
  • 29 context attributes available for policy decision
  • 44 functions available to manipulate attributes
  • Modular policies using rules, policies, and policy sets
  • Full integration with the underlying OS-MAC policy
  • Construct releasability policies across any MAC domain
  • Construct refining policies within any MAC domain
  • Update policies while the database is on-line
  • Customizable auditing based upon policy outcome
  • Dynamically set row-fields based upon policy outcome
  • Policy decision based upon any row-field value
  • Hide database objects based upon policy outcome
  • Perform set operations on groups of attributes
  • Policy engine integrated with server for fast execution

Security Policy Manager Description

The Trusted RUBIX Security Policy Manager (SPM) is a mechanism to enforce flexible and dynamic Attribute Based Access Control (ABAC) security policies during the operation of the Trusted RUBIX Relational Database Management System (RDBMS). Security policies are created using the XML based Security Policy Markup Language (SPML). SPML allows policy creation and execution using a host of context attributes and functions to manipulate them. SPML also allows actions to be executed based upon the outcome of the security policy execution. Policies may be configured to release information across any domain defined by the underlying Multilevel Secure or Type Enforcement Mandatory Access Control policy (OS-MAC).

SPML is based upon the policy language of the OASIS XACML 2.0 standard. The attributes used to write policy logic are typed (e.g., string, integer) and are categorized as subject attributes (e.g., subject name, subject IP address), resource attributes (e.g., object name, object label, row values), action attributes (e.g., operation, operation category), and environment attributes (e.g., system date and time). The functions used to manipulate attribute values are categorized as logic functions (e.g., and, or), comparative functions (e.g., equal, greater than), conversion functions (e.g., cast, convert to lower case), group-of-values functions (e.g., testing if a value is in a group of values), and set functions (e.g., intersection, union).

Access control logic is organized into rules, policies, and policy sets, and combining algorithms may be specified to define how the outcomes of those parts combine into a single decision. Policies and policy sets may be referenced by name, allowing for the modular design of complex policy logic and the reuse of policy logic without code duplication. Policies are assigned to RDBMS objects and may be specified to protect a single object or an entire subtree of objects. Policies may also be configured to automatically protect newly created objects.

Policies may be configured to override the underlying OS-MAC policy (i.e., a releasability policy) or to further restrict operations beyond the OS-MAC policy (i.e., a refining policy). Objects that have no ABAC policy associated with them are by default protected by the underlying OS-MAC security policy.

In addition to permitting or denying a database operation on an object, SPML may be used to define actions that are conditionally taken based upon policy decisions. Possible actions are to set the value of a specific row field during a row-based operation, to change the default behavior when an operation is denied, and to write a customizable audit record.
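The three preceding paragraphs (rules, policies and policy sets under a combining algorithm; refining versus releasability policies relative to OS-MAC; obligations fired on a policy outcome) are easier to follow with a small executable model. The following is an added example, not SPML syntax and not Trusted RUBIX code: a toy policy-decision point in Python. The combining-algorithm names follow XACML 2.0, on which the page says SPML is based; the MAC lattice, the sample rows, the attribute values and the policy names are constructed for illustration, and the way a refining or releasability outcome is merged with the OS-MAC decision is an assumption drawn from the page's description, not the product's actual logic.

```python
"""Toy ABAC policy-decision point modelling rules, policies, policy sets,
combining algorithms, obligations, and refining vs. releasability composition
with an OS-MAC check. Illustrative only: not SPML, not Trusted RUBIX code."""
from dataclasses import dataclass, field
from typing import Callable

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


# Combining algorithms (XACML-style names): child outcomes -> one outcome.
def deny_overrides(ds):
    return DENY if DENY in ds else PERMIT if PERMIT in ds else NA


def first_applicable(ds):
    return next((d for d in ds if d != NA), NA)


@dataclass
class Rule:
    """Predicate over context attributes; yields its effect or NotApplicable."""
    name: str
    effect: str
    condition: Callable[[dict], bool]

    def evaluate(self, ctx, fired):
        return self.effect if self.condition(ctx) else NA


@dataclass
class Obligation:
    """Action run only when the enclosing policy reaches outcome `on`."""
    on: str
    action: Callable[[dict], dict]  # returns a set-field or audit record


@dataclass
class Policy:
    """Rules (or nested policies, i.e. a policy set) under one combining algorithm."""
    name: str
    combine: Callable[[list], str]
    children: list
    target: Callable[[dict], bool] = lambda ctx: True
    obligations: list = field(default_factory=list)

    def evaluate(self, ctx, fired):
        if not self.target(ctx):
            return NA
        outcome = self.combine([c.evaluate(ctx, fired) for c in self.children])
        for ob in self.obligations:
            if ob.on == outcome:
                fired.append(ob.action(ctx))
        return outcome


# Stand-in OS-MAC (assumed lattice): a session reads a row only if its label dominates the row's.
LEVEL = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def mac_check(ctx):
    return LEVEL[ctx["session-label"]] >= LEVEL[ctx["row-label"]]


def decide(policy, ctx, kind):
    """Final decision for one row operation plus the obligations that fired.
    refining: OS-MAC and ABAC must both allow (an ABAC NotApplicable adds nothing).
    releasability: an applicable ABAC outcome overrides OS-MAC; otherwise OS-MAC rules."""
    fired = []
    abac = policy.evaluate(ctx, fired)
    mac = PERMIT if mac_check(ctx) else DENY
    if kind == "refining":
        final = DENY if DENY in (mac, abac) else PERMIT
    elif kind == "releasability":
        final = abac if abac != NA else mac
    else:
        raise ValueError(kind)
    return final, fired


def time_in_range(t, lo, hi):
    return lo <= t <= hi  # "HH:MM:SS" strings compare lexically


def on_orders_select(ctx):
    return ctx["table-name"] == "orders" and ctx["action-id"] == "select"


# Refining policy set: two reusable policies composed with deny-overrides.
hours_policy = Policy("business-hours", deny_overrides, [
    Rule("outside-hours", DENY,
         lambda c: not time_in_range(c["current-time"], "08:00:00", "18:00:00"))],
    obligations=[Obligation(DENY, lambda c: {"audit": f"{c['subject-name']} denied: outside hours"})])
group_policy = Policy("analysts-only", deny_overrides, [
    Rule("not-analyst", DENY, lambda c: c["group-name"] not in {"analysts", "auditors"})])
REFINING_SET = Policy("orders-refining", deny_overrides,
                      [hours_policy, group_policy], target=on_orders_select)

# Releasability policy: a row-field value (releasable_to) drives the decision; on Permit
# a set-field obligation marks the returned row and an audit record is written.
RELEASE_POLICY = Policy("orders-release-to-partner", first_applicable, [
    Rule("partner-listed", PERMIT, lambda c: c["group-name"] in c["row"]["releasable_to"])],
    target=on_orders_select,
    obligations=[
        Obligation(PERMIT, lambda c: {"set-field": ("handling", f"REL TO {c['group-name'].upper()}")}),
        Obligation(PERMIT, lambda c: {"audit": f"row {c['row']['order_id']} released to {c['subject-name']}"}),
    ])

# Constructed sample rows and context builder (attribute names follow the page's lists).
ROW_SECRET = {"order_id": 17, "label": "SECRET", "releasable_to": {"liaison"}, "handling": ""}
ROW_PLAIN = {"order_id": 18, "label": "UNCLASSIFIED", "releasable_to": set(), "handling": ""}


def make_ctx(subject, group, session_label, row, now="10:00:00"):
    return {"subject-name": subject, "group-name": group, "session-label": session_label,
            "action-id": "select", "table-name": "orders", "row-label": row["label"],
            "row": row, "current-time": now}


if __name__ == "__main__":
    print(decide(REFINING_SET, make_ctx("ann", "analysts", "CONFIDENTIAL", ROW_SECRET), "refining"))
    print(decide(REFINING_SET, make_ctx("ann", "analysts", "SECRET", ROW_SECRET, "20:00:00"), "refining"))
    print(decide(RELEASE_POLICY, make_ctx("bob", "liaison", "UNCLASSIFIED", ROW_SECRET), "releasability"))
    print(decide(RELEASE_POLICY, make_ctx("bob", "liaison", "UNCLASSIFIED", ROW_PLAIN), "releasability"))
```

The first call shows the OS-MAC floor under a refining policy: the ABAC set is NotApplicable, so the CONFIDENTIAL session is still denied the SECRET row. The second shows a refining rule denying an otherwise MAC-permitted read and firing its audit obligation. The third shows a releasability policy permitting a read that OS-MAC alone would deny, with the set-field and audit obligations firing; the fourth shows that when no releasability rule applies, the row falls back to plain OS-MAC protection.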

Security Policy Markup Language (SPML) Features

Major Language Constructs:
attribute: Value reflecting the context of the database system used to make policy decisions.
target: Set of context attributes for which a rule, policy, or policy set applies.
rule: Predicate over attributes used to reach an outcome of permit or deny.
policy: Set of rules that combine to form a single policy outcome.
policy set: Set of policies or other policy sets that combine to form a single policy outcome.
obligation: Action performed conditionally based upon policy or policy set outcome.

Subject Attributes:
subject-id
subject-name
group-id
group-name
session-start-time
session-start-date
session-start-dateTime
ip-address
dns-name
session-label

Resource Attributes:
resource-label
resource-name
row-label
table-label
view-label
schema-label
catalog-label
database-label
column-name
table-name
view-name
schema-name
catalog-name
database-name
any row-field value

Action and Environment Attributes:
action-id
action-type
current-time
current-date
current-dateTime

Comparison Functions:
equal
not-equal
greater-than
greater-than-or-equal
less-than
less-than-or-equal
time-in-range
dnsName-match
ipAddress-match
regexp-match
MAC-check

Mathematical Functions:
add
sum
multiply
subtract
mod
divide
round
abs
floor

Conversion Functions:
cast
string-normalize-to-lower-case
concatenate
string-normalize-space

Boolean Functions:
or
and
n-of
not

Set and Bag Functions:
one-and-only
bag-size
is-in
bag
any-of
all-of
any-of-any
all-of-any
any-of-all
all-of-all
map
intersection
union
at-least-one-member-of
subset
set-equals

Obligations:
set-field: Set a row-field with a value constructed from attributes (row select, insert, or update).
set-error-code: Set the error code used after a policy denial thus changing the default database behavior.
audit: Write an audit record containing values constructed from attributes.