I went through the XACML document, and it explains maintaining authorization policies in an XML file. The same can be done by keeping the policies in a database. My question is: what is the advantage of storing policies in an XML file like XACML over the DB approach? Because at the end of the day it's just parsing an XML file or querying a database.
2 Answers
@user3405607: If I understand you correctly, you are questioning the need for the "complicated" XACML standard/spec when a database evaluation engine would do the "same" job?
If so, the answer is that a DB-based engine can only provide access control decisions for simple rules, mostly ACL related. For example, if you have resources X, Y, Z and users A, B, C, you could design a simple table like:

      +-----+-----+-----+
      |  X  |  Y  |  Z  |
+-----+-----+-----+-----+
|  A  |  1  |  0  |  1  |
|  B  |  1  |  0  |  1  |
|  C  |  0  |  1  |  1  |
+-----+-----+-----+-----+
But as you can see, this will not scale. Of course, you can then make role-based ACLs rather than a user -> resource mapping. But again, this will only cater to simple rules.
How would you handle a simple rule like "A user in the finance department can approve an order if he is not the one who raised the order and if the order amount is less than his maximum approval limit", assuming the department is captured in an Active Directory?
Of course, if all the details needed in the rule (department, order issuer, amount, max amount) are in a DB, you could consider writing complex SQL queries to do the job for you. But then again, the policies containing the rules can only get more complicated, and soon you will end up with complex policies that turn into a complex decision tree for which writing DB queries will not be worth the hassle.
Also, you will soon find that you actually have to write a good-sized piece of code to perform and parse all these queries and responses; in fact, this will be the entity called a PDP in XACML literature.
The need for XACML also goes beyond that, since it defines a standards-based policy language as well as a request-response protocol.
I would suggest you read up on some of the basic material on this matter, since my explanation may not do justice to the complexity involved and the need for a dedicated evaluation engine that is not solely reliant on DB queries.

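To make the contrast with the ACL table concrete, here is a small attribute-based evaluator for the finance rule above, written as an added example in Python (it is not XACML itself nor any product's code; the attribute names, the split into one Deny and one Permit rule, and the simplified Indeterminate handling are assumptions):

```python
"""Minimal attribute-based PDP (added example; not XACML code or any product)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# A request is attributes grouped by category, as in XACML (subject, resource, action).
Request = Dict[str, Dict[str, Any]]

@dataclass
class Rule:
    effect: str                                            # "Permit" or "Deny"
    target: Callable[[Request], bool]                      # does the rule apply at all?
    condition: Callable[[Request], bool] = lambda r: True  # extra attribute comparison

def evaluate_rule(rule: Rule, req: Request) -> str:
    """XACML-style result: the effect if target and condition hold, NotApplicable
    if either fails, Indeterminate if a needed attribute is missing (simplified)."""
    try:
        if not rule.target(req):
            return "NotApplicable"
        return rule.effect if rule.condition(req) else "NotApplicable"
    except KeyError:
        return "Indeterminate"  # a missing attribute is neither Permit nor Deny

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """Combining algorithm: any Deny wins, then Indeterminate, then Permit."""
    results = [evaluate_rule(r, req) for r in rules]
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"

def is_approve(r: Request) -> bool:
    return r["action"]["action-id"] == "approve"

# The finance rule, split into an explicit Deny for self-approval and a Permit that
# compares two attributes (amount vs. limit); neither fits a user x resource table.
POLICY = [
    Rule("Deny", is_approve,
         lambda r: r["subject"]["subject-id"] == r["resource"]["issuer"]),
    Rule("Permit", lambda r: is_approve(r) and r["subject"]["department"] == "finance",
         lambda r: r["resource"]["amount"] < r["subject"]["approval-limit"]),
]

def decide(req: Request) -> str:
    return deny_overrides(POLICY, req)

def make_request(user: str, dept: str, limit: int, issuer: str, amount: int,
                 action: str = "approve") -> Request:
    """Build a constructed sample request; attribute names are assumptions."""
    return {"subject": {"subject-id": user, "department": dept, "approval-limit": limit},
            "resource": {"issuer": issuer, "amount": amount},
            "action": {"action-id": action}}
```

A NotApplicable result is what a PEP would normally treat as "no access", so the limit check failing is not the same thing as the explicit Deny.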
The XACML policy repository can be anything: a database, a file system or any registry. But if you think about clustering, security, manageability and performance, I guess the database approach is good. Let me provide a few reasons for it.
- If multiple PDP nodes (different machines) are running in a clustered environment, it is easy for the nodes to point at the same database. Then policies can be managed by master nodes, and we do not need to worry about policy distribution across the other nodes.
- An XACML policy can contain metadata associated with it. Policy order is one piece of metadata associated with the policy. If we use a file-based approach, we may need to manage it separately. But if it is a database, it is just adding another column to the policy table. Actually, in a practical PDP there can be other associated metadata such as policy enable/disable, policy updater, last update time and so on.
- If you are not using policy caching, I guess it is better to use the database approach. It may be faster. Some databases provide caching themselves. If you have metadata, it can also be retrieved by a single SQL query.
However, I do not think a practical PDP would ever read and load policies for each request. Once the PDP initializes, the policies would be loaded into caches. In that case, there would not be any performance issue with the file-based approach. But if the cache expires frequently, then most of the time policies may be loaded. So it is always better to go for the database approach.

Correct me if I am wrong, as I am totally a beginner in this concept. So if everything is about querying a database and getting a policy decision, why learn such a critical concept? I can make a plain database call and get my data. Thus, is this global standard really required, as I can design my DB any way I like? – user3405607 Mar 17 '14 at 06:28