DirX Access Authorization

General Principles

This chapter deals predominantly with the authorization process of the resources and services that are integral part of the DirX Access product, residing in the DirX Access Server. However, some of its principles and rules apply also on authorization done by DirX Access for third-party resources.

The DXA Server and everything inside it is protected in two ways:

  • Container-level protection via a physical PEP

    • At the DXA Server container, there is a PEP deployed that intercepts any request and enforces its authorization. This authorization is done based purely on the request parameters. With the use of multi-PEP feature, the physical PEP can be subdivided into several virtual PEPs to apply different configuration and policies .

  • Java Services API Authorization Layer

    • Services running inside of the DXA Server container communicate with each other through their public interfaces. Each external request typically translates into many internal calls between these services. Each of this call may consider different service-level resource and operation and can also be subject to fine-grained (attribute-level) policies.

Java Services API Authorization Layer

The request-level authorization granularity achieved by the container-level authorization becomes too coarse-grained in certain scenarios. E.g., when performing actions over user OTP credentials record. The record contains all the OTP-authentication relevant data: last generated secret, communication address, and number of consecutive login failures. Let’s have a look at what data shall be administered by what role: the last generated secret being a single-use, shall be managed by the authentication process of DirX Access only; the communication address, if the self-management is enabled, shall be managed by the user themselves; and the number of login consecutive login failures shall be managed by the support desk staff when requested by the user when they accidentally blocked their account.

Described scenario can be achieved by employment of the Java Services API Authorization Layer. This authorization process is performed by DirX Access when accessing any data via the AppRepoService. At the external interfaces, this service is currently used when requesting via the Config RESTful Web Service and SCIM endpoint. Furthermore, to achieve integrity of the results across the whole system, the process is employed also when accessing the AppRepoService from other services running inside the Services container. This means that also the internal public API, the Callout interfaces, is protected by the same means and policies.

The DXA service interfaces represent a part of the DXA’s API. DXA enables to apply authorization policies at this level, that enforce:

  • ability to perform authorization against the original request at any point of processing of this request (in any subsequently called service) on any data indirectly touched by this request (e.g., configuration reading),

  • consistency in authorization - any call of any method has to undergo the same authorization process, whether requested directly or being just an intermediary task for other request resolution,

  • authorization of internally deployed (within the DXA Services container) third-party modules (e.g., Callout implementations),

  • fine-grained authorization of DXA internal resources - enabling to define and enforce policies at the level of attributes of each resource.

The Do use internal authorization parameter of PEPs enables the authorization of DXA internal resources. The internal authorization can take place in the following case:

  • REST API (SCIM, OData) calls.

    • The DirX Access Jetty XML configuration specifies the identifier of the DirX Access PEP which resolves to a PEP based on the request URL using PEP assignments, see the Figure 1 for that algorithm.

Container-level Protection via a Physical PEP

DirX Access Services container is deployed out-of-the-box with a PEP instance named DirX Access PEP. This PEP intercepts any request received at the external interfaces of the container and enforces their authorization. Although it is theoretically possible to exchange this PEP for a different one, from the maintenance point of view, this is not advised, rather, the configuration parameters of this PEP shall be changed.

The authorization by the physical (deployable) PEP is done based on the parameters of the HTTP request received. Mainly, the requested URL is transformed into the resource part of the authorization request, while the HTTP method is transformed into the action part.

The DXA Server container provides many unrelated services and resources, hence, DirX Access extends the PEP in a way that this independence is reflected. Namely, DXA enables to assign to the main PEP multiple additional PEPs each of which is applicable for a subset of the resources. Each PEP assignment is bound to a context path that determines for what subset of resources the PEP is applied.

attachments/Finding PEP++_++ActivityDiagram
Figure 1. Finding a PEP based on the request URL using PEP assignments

With the introduction of Multi-PEP assignments configuration the physical PEP can be subdivided into several virtual PEPs.

By having one default PEP with application of the Multi-PEP assignments, the whole container is always protected, meaning any newly deployed resource is protected from the beginning, while respective sub-resources (applications) can be given their own configuration and policies.

This assignment has also an influence on the resource and policy trees generation. Each resource, when configured, is assigned to certain PEP. Subsequently, when creating authorization policies, each PEP is passed only the policies relevant to its own resources. This in turn means that there is a strict border between what policies are used for what requests. Not only this helps for the performance, but also enables to prevent unintentional misconfigurations. E.g., when configuring the authorization policies for DirX Access Manager – application intended for the administrators‘ access with administrator policies, the whole web application shall be delegated to its own PEP (via the multi-PEP assignment) and any contained resource would then be assigned to this DirX Access Manager-specific PEP. Any changes to any other PEPs then have no effect within this new PEP.

For each request, only one applicable PEP is chosen and is determined according to the following algorithm (see Figure 1):

  • Follow the order in which the PEP assignments are configured. For each configured PEP assignment:

    • If the context path is a prefix to the request URL path and the port matches, recursively call this algorithm on the PEP from this assignment.

    • If no PEP chosen from the assignments, use the parent PEP as the one applicable.

This algorithm implies, that the assignment rules might generate resource (sub)sets that are not mutually disjunctive. Instead, the choice is deterministic due to their configurable ordering. Furthermore, the PEP assignments might be applicable hierarchically.

The multi-PEP approach has several implications:

  • There is a clear separation of container endpoints and policies that are used for each one of them. As the endpoints might be published for completely unrelated purposes, the policies necessary for their protection would be also unrelated. Configuring them separately (via a chain PEP-PDP-PRP) is a less error-prone approach.

  • The whole container is protected by default by the parent PEP, so there is no possibility that a newly published resource would be unintentionally unprotected.

  • Configuring policies separately also means the memory containing the policies is smaller for each separate PDP, which improves the overall authorization decision performance.

Policy Assignment to Respective PDPs

The authorization model used by DXA and conforming to the XACML authorization model is based on the separation of duties between PEP-PDP-PRP. The multi-PEP configuration enables to transitively assign different policy sources (PRPs) to respective PEPs. In DXA, currently, the PDP-PRP assignment is one-to-one and is implicit (all under the XacmlPdp configuration object).

attachments/RBAC Policies Construction++_++ActivityDiagram
Figure 2. RBAC policies construction

The RBAC policies are constructed in the evaluation machine as trees having the root-nearest branches representing the respective roles and the leaves containing the resources. We state that each PDP has only the policies necessary to be present. These policies contain resources with authorities equivalent to authorities of PEPs assigned to the given PDP. This can be achieved by (see Figure 2):

  • Construct the policy tree from the root to the leaves.

  • For each PDP:

    • Get all the PEPs which use given PDP.

    • For each of these PEPs

      • Get all the PEPs using the same authority identifier as given PEP and add them to the PDP-specific authority list.

    • Create a copy of the initial policy tree.

    • For each leaf in the policy tree:

      • Remove it from the tree if the authority of the resource in the leaf isn’t contained in the PDP-specific authority list.

    • Remove all branches with no resources in the leaves.

DirX Access RBAC

The DirX Access Role-Based Access Control (RBAC) policy configuration model enables a simple configuration of the RBAC policies via the configuration interface. Permitted resources and actions are assigned via rule and policy sets to existing roles.

Within this triple - role, action, resource - the resource is the part having some correlation to the applicable PEP. Namely, to each resource a PEP is explicitly assigned. However, the PEP assignment is in place only to resolve an authority to be used in the policies.

attachments/RBAC Policies++_++ERD
Figure 3. RBAC policy configuration objects

The Figure 3 depicts the RBAC policy structure which can be read as follows: a user with role(s) can perform action(s) on resource(s) if condition(s) is met. The action result can be extended by obligation(s). Actions and resources should be provided, obligations and conditions are optional.

We strongly recommend reading sections of the RBAC Authz Policies related to RBAC policies before continuing.

Subject in Authorization Process

Generally, services running inside of the Services container communicate with each other through their public interfaces. Each external request typically translates into many internal calls between these services. Each of this call may consider different service-level resource and operation. When processing any external request, there are two types of authorization context:

  • Using authenticated session – for processing of the direct target of the request,

  • Using delegation subject (the subject enabled to perform any action) – for processing of the intermediary request, such as configuration retrieval.

Policies for User and Configuration Attributes

This section provides a guide when creating policies for user attributes stored in the Shadow User Tree and configuration attributes using the DirX Access Manager. It is recommended to proceed from the top down when creating or changing policies, e.g. start with a role, then policy and rule, selecting actions, creating and selecting resources and optionally using obligations and conditions. The DirX Access Manager facilitates this up-down approach by a button in attribute fields that opens a dialog window where you can manage configuration objects related to the attribute. For example, go to ConfigurationPoliciesRBAC authorizationRoles in the left menu in DirX Access Manager, open a role and click the button in the Authorization policy identifiers field.

Resources in Authorization Process

The resources available at Java Services API Authorization layer are predefined via the Source structure of the DirX Access Manager. The layer has also predefined PEP (DirX Access Internal) that is used for all the internal requests and via which the administrator can get to configuration via the Source structure.

Due to the high performance complexity of the authorization evaluation, there are two specific resources types that shall be considered for configuration for each internal resource that is subject to the authorization policies. First one is the resource that is a MUST for any further processing of the authorization of the overall resource record and any of its attributes. That is the URN generated for the resource as such, without any attribute-specific suffix. Second resource type is the type with suffix :all_properties that states that all the internal attributes are subject to given policy. When applying this resource type, there is no need for the first type to be defined.

Resources for User Attributes

This section details the creation of resources for user attributes.

attachments/User Attribute Resource Definition++_++ActivityDiagram
Figure 4. Resources for user attributes

The Figure 4 shows resources required for defining a policy for a user attribute attr1 residing in a type UserType1. In most cases two resources are needed, one for the type and one for the attribute.

The AppRepoEntity is an exception, some of its attributes are types with properties. Additional resources are required as you can see in the diagram.

To check if an attribute type is a complex type, you can go to the OpenAPI specification for a given DirX Access REST API and find the type and attribute definition:

  • configuration REST API:

    • <host name, port>/config/openapi.json

  • user REST API:

    • <host name, port>/scim/openapi.json
Resources for Configuration Attributes
attachments/Configuration Attribute Resource Definition++_++ActivityDiagram
Figure 5. Resources for configuration attributes

The Figure 5 shows resources required by a policy for the configuration attribute attr1 residing in the type ConfigType. At least two resources are required, one for the attribute and one for the type. Additional resources must be provided if the attr1 type is a sub-type.

A sub-type is a type of configuration attribute containing other attributes or an array of items which type is a sub-type. An example of a sub-type attribute is AuthnMethodComposite.steps.

The Table 1 details each resource depicted in the Figure 2 and Figure 3. Usually, the Pep identifier is also provided in resources.

Table 1. The definition of resources
Resource identifier Source Source detail Source detail property

ConfigType

net.atos.dirx.access.apprepo.api.config.ConfigBase

ConfigType

-

ConfigType.attr1

ConfigType

attr1

ConfigType.attr1.subAttr1

ConfigType

attr1.subAttr1

ConfigType.attr1.subAttr2

ConfigType

attr1.subAttr2

UserType1

net.atos.dirx.access.apprepo.api.entity.EntityBase

UserType1

-

UserType1.attr1

UserType1

attr1

UserType2

UserType2

-

UserType2.attr1

UserType2

attr1

UserType2.attr2

UserType2

attr2

Action in Authorization Process

The external REST interface provides the standard CRUD operations on all the resources. Internally, these operations are translated into following authorization actions:

  • List entities of given type -> list, read

  • Get single entity -> read

  • Create entity -> create

  • Replace entity -> update

  • Patch entity -> update

  • Delete entity -> delete

    • To fully grant a delete action permission, two resources have to be considered. One for the whole Type and the second for all_properties.

Obligations

There are two predefined obligations intended to be used along with resources for configuration and user attributes, the Default obligation and Original obligation. They affect the result of actions the following way:

  • Default obligation meaning the user has permission for the default value of an attribute.

  • Original obligation meaning the user has permission for the original value of an attribute.

The detailed description of obligations and impact on the authorization follows.

attachments/Obligations
Figure 6. Policies for attributes attr1, attr2 in the type Type
Table 2. The obligations and authorization decisions for attributes
Obligation for attr2 Create
attr1, attr2		 Read Modify
attr1new,
attr2new		 Replace
attr1new,
attr2new

1

Deny

attr1, attr2default

attr1, attr2default

attr1new, attr2original

attr1new,
attr2original

2

Default

attr1new,
attr2default

attr1new,
attr2default

3

Original

attr1new, attr2original

attr1new, attr2original

4

Permit

attr1, attr2

attr1, attr2

attr1new,
attr2new

attr1new,
attr2new

Consider a type Type with attributes attr1, attr2 and policies for these attributes as depicted in the Figure 6. The user is permitted to perform any operation on the attribute attr1. The authorization result for the attribute attr2 varies, see Table 2. The table also shows the result of the create, read, modify and replace operation on attributes attr1, attr2. For example, if the obligation for the attribute attr2 is original, the result of the operation modify is: attribute attr1 changes to a new value, attribute attr2 remains unchanged.

The configuration attributes of a type sub-type brings additional complexity. Consider the attribute attr2 of a type SubType has sub-attributes attr2.subAttr1, attr2.subAttr2. The authorization is enforced the following way:

  1. If the attribute attr2 is permitted, then the result is as defined in the table 3.

  2. Otherwise, the attribute attr2 authorization decision outweighs decisions for sub-attributes attr2.subAttr1 and attr2.subAttr2.

Table 3. The obligations and authorization decisions for the attr2 configuration attribute
Obligation for subAttr2 Create
attr1,(subAttr1, subAttr2)		 Read Modify
attr1, (subAttr1new, subAttr2new)		 Replace
attr1, (subAttr1new, subAttr2new)

Deny

attr1, (subAttr1, subAttr2default)

attr1, (subAttr1, subAttr2default)

attr1, (subAttr1new, subAttr2new)

attr1, (subAttr1new, subAttr2new)

Default

Original

Permit

attr1, (subAttr1, subAttr2)

attr1, (subAttr1, subAttr2)

Modification of SubType Collections

The most specific case is authorization for collections of SubTypes. When such a collection is part of a replace operation or fully replaced via a modify operation, the outcome depends on the user’s permissions. If all necessary permissions are granted, the new collection replaces the old one entirely; otherwise, the collection may be merged with the existing one based on what the user is authorized to modify, and what actions the user is authorized for.

The following properties are treated as SubType collections in config: AuthnMethodComposite.compositeSteps, AuthnMethodOtpCallback.targets, Pep.multiPepAssignments (for all Pep subTypes), OAuthServerEndpoint.oauthAuthzTokens, OAuthServerEndpoint.oauthProtecteds, CryptoContainer.entries, AbacPolicyContainer.policies, Resource.parameters.

There is a BCOC (Backwards Compatibility Oriented Configuration) for collection authorization behavior, configured via /etc/bcoc/complexListsAuthorization.json. By default, BCOC is enabled. This only applies to ConfigBase objects. For EntityBase objects (like AppRepoEntity), a separate authorization mechanism is always used.

In ConfigBase, since SubType entries don’t have unique IDs, the OpenAPI spec uses the x-primaryKey annotation. This indicates which SubType properties should be used to match items in a collection during replacement.

Behavior When BCOC is Disabled

When BCOC is disabled, authorization is evaluated separately for SubTypes. The user must be explicitly authorized for the SubType (either its all_properties or individual sub-properties). Authorization for the parent does not grant automatic access to SubType properties.

The user can affect the collection in three ways, he can add to id, remove from it, or modify an existing item in the collection (or multiple of these actions at one time). Authorization for these actions is done separately. The table below shows, how the authorization is done for the separate actions on the collection. Note that to be able to modify a property and its sub-properties, the user must be authorized for the update action on the resource itself (either as type or all_properties).

In the tables, "authorized" refers to the permit obligation; unauthorized properties are subject to filtering based on obligation (deny, original, default).
Table 4. The authorization for SubTypes in collections
Action Required Authorization Behavior if not fully authorized

Add (create new item)

EITHER:

  • create on the collection type

  • create on individual sub-properties

OR:

  • create on all_properties of the SubType

Unauthorized sub-properties are removed (filtered) from the created item.

Remove (delete item from collection)

EITHER:

  • delete on the collection type

  • delete on all individual sub-properties

OR:

  • delete on all_properties of the SubType

Item will not be removed if user lacks delete on any required sub-property.

Modify (update existing item)

EITHER:

  • update on the collection type

  • update on individual sub-properties being changed

OR:

  • update on all_properties of the SubType

Only authorized sub-properties are modified; others remain unchanged.
Behavior When BCOC is Enabled

When BCOC is enabled (default), the authorization behavior changes (to be on part with the previous versions of DirX Access):

  • Authorization is evaluated only for the update action (no separate create/delete).

  • If the user is authorized for all_properties of the parent type, they are automatically authorized for the SubType as well.

Note that to be able to modify a property and its sub-properties, the user must be authorized for the update action on the resource itself (either as type or all_properties).

Table 5. The authorization behavior for SubTypes in collections (BCOC enabled)
Action Required Authorization Behavior if not fully authorized

Add (create new item)

EITHER:

  • update on all_properties of the parent type

OR:

  • update on the collection property

  • update on sub-properties

OR:

  • update on all_properties of the SubType

Unauthorized sub-properties are removed (filtered) from the created item.

Remove (delete item from collection)

EITHER:

  • update on all_properties of the parent type

OR:

  • update on the collection property

  • update on all sub-properties of the item

Item will not be removed if user lacks update on any required sub-property.

Modify (update existing item)

EITHER:

  • update on all_properties of the parent type

OR:

  • update on the collection property

  • update on modified sub-properties

OR:

  • update on all_properties of the SubType

Only authorized sub-properties are updated; others remain unchanged.
AppRepoEntity Lists Authorization

For AppRepoEntity and its list-like properties (otpCallbackList, rfc4226List, rfc6238List, passwordList, etc.), authorization follows the same model as in the Non-BCOC section.

When these lists are modified via the Users SCIM endpoint, the user must be authorized for the specific actions performed.

Authorization rules are defined for SubType resources such as AppRepoOtpCallback, AppRepoRfc4226, AppRepoRfc6238, and AppRepoPassword, including their sub-properties.

Authorization for Simple Collections modification

Simple collections (not SubTypes) like List<String>, List<IndividualBaseReference>, or maps of key-value pairs follow the standard authorization model.

To update such collections, the user needs to be authorized for the update action on the property. This gives him rights to add new entries, and also remove existing.

For more granular control, it’s possible to specify:

  • create permission: allows adding new entries but not removal

  • delete permission: allows removing entries but not adding

The create and delete permissions only apply, when the user is not authorized for update.

Use cases

Enabling Administration of User Authentication Methods

The objective is that any user with DirX Access Administrator role can read all user attributes and replaced selected attributes related to authentication stored in the Shadow User Tree. The user must be logged using a particular authentication method, in this case the Composite X509 OtpMail Authentication authentication method with assurance level 12.

The administrator will be able to manage the following types: AppRepoEntity, AppRepoOtpCallback, AppRepoRfc4226, AppRepoRfc6238, AppRepoPassword.

Attributes permitted to replace are:

  • AppRepoEntity: otpCallbackList, rfc4226List, rfc6238List, passwordList

  • AppRepoOtpCallback: communicationAddress,

  • AppRepoRfc4226: sharedSecret, counter,

  • AppRepoRfc6238: sharedSecret, timeDrift.

It cannot replace the .numberOfLoginFailures. The AppRepoPassword does not have any properties except the numberOfLoginFailures.

Solution Using DirX Access RBAC

The aim is to restrict access to DirX Access internal resources which the Java Services API Authorization Layer is designed for. We can take advantage of DirX Access RBAC authorization.

attachments/Administration of User Authentication Methods
Figure 7. RBAC policies for administration of entities authentication methods

The Figure 7depicts configuration objects - policies - implementing this use case. The following steps will lead you through the configuration using the DirX Access Manager. We can start creating the role and go all the way down to actions, conditions and resources.

  1. Create the DirXAccessAdmin role.

    1. In the role, click a button in the Authorization policy identifiers field opening a dialog with policies.

    2. Create the DirX Access Admin policy.

      1. In the policy, click a button in the Rule identifiers.

      2. Create the ReplaceEntity rule.

        1. In the rule, select update, create and delete in the Action identifiers field, to be able to perform all these actions with the sub-resources, or leave it blank to allow all actions for the rule.

        2. In the rule, click a button in the Resource identifiers field.

        3. Create resources according to the table 4 and select only those used by the ReplaceEntity rule.

        4. In the rule, click a button in the Condition identifiers field.

        5. Create the Entity Administration Assurance level condition and select it in the Condition identifiers field.

          1. Set the Assurance level field to 12.

      3. Select the ReplaceEntity rule in the Rule identifiers field.

      4. Create the ReadEntity rule the same way you created ReplaceEntity (all resources and the condition already exist) and select it in the Rule identifiers field.

    3. Select the DirX Access Admin policy in the Authorization policy identifiers field.

Table 4: Definition of resources

Resource identifier Source Source detail Source detail property

AppRepoOtpCallback

net.atos.dirx.access.apprepo.api.entity.EntityBase

AppRepoOtpCallback

-

AppRepoOtpCallback. all_properties

AppRepoOtpCallback

all_properties

AppRepoOtpCallback. communicationAddress

AppRepoOtpCallback

communicationAddress

AppRepoRfc4226

AppRepoRfc4226

-

AppRepoRfc4226. all_properties

AppRepoRfc4226

all_properties

AppRepoRfc4226. sharedSecret

AppRepoRfc4226

sharedSecret

AppRepoRfc6238

AppRepoRfc6238

-

AppRepoRfc6238. all_properties

AppRepoRfc6238

all_properties

AppRepoRfc6238. sharedSecret

AppRepoRfc6238

sharedSecret

AppRepoPassword

AppRepoPassword

-

AppRepoPassword. all_properties

AppRepoPassword

all_properties