Who uses XACML? - security

Has anyone written XACML Implementations other than the Sun XACML Implementation and XEngine?
Who uses them in their products?
Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML?

This has been answered on the XACML TC list already: http://markmail.org/message/w7msffsbi6qzgfoj
XACML is used in a wide variety of industries today. Trying to summarize what's been said:
There are 2 types of implementations today:
open-source implementations
They are either backed by commercial organizations, foundations, or universities.
These include:
(Sun-backed) SunXACML (http://sunxacml.sourceforge.net/) - very much dead on its own but used in other products such as WSO2's offering (see below)
(R&D-backed) SICSACML (http://www.sics.se/node/2465) backed by SICS, the Swedish Institute for Computer Science, and now taken up by Axiomatics (www.axiomatics.com)
(University-backed) Heras AF (http://www.herasaf.org/heras-af-xacml.html): Orange is using their product. Orange is one of the leading telecommunications providers in Europe.
WSO2 is a company that was born from the Apache Synapse project and expanded into different areas successfully, including XACML, by using the initial SunXACML implementation (http://wso2.org/library/identity-server/user-management/xacml). I am not sure they have customers using XACML today.
Enterprise XACML (http://code.google.com/p/enterprise-java-xacml/), but no updates in nearly a year
Brad Cox also has a neat approach to implementing XACML, as described in his blog and paper at http://bradjcox.blogspot.com/
Commercial products
Oracle OES provides a SunXACML-based XACML 2.0 implementation. It is hard to know whether OES customers are using XACML features.
IBM Tivoli Security Policy Manager
Axiomatics Policy Server took SICSACML and marketed it in 2006 - their product fully implements XACML 3.0. Their customers include "one of the world's largest bank", Paypal, Bell Helicopter, Swedish National Healthcare service, SOS Alarm, and DATEV eG as listed at www.axiomatics.com/customers.html
There are other vendors such as Jericho Systems and Nextlabs that offer XACML. Also Securent (later bought by CISCO) had an XACML offering.
Lastly I recommend you visit the XACML TC (http://www.oasis-open.org/committees/xacml/) where you can see its contributing members. Those include Oracle, Axiomatics, Boeing, Veterans Administration, EMC who are regular contributors.

I'm a member of the team at IBM that builds a security policy management solution, including XACML for authorization policy; and I used to be the team lead for the XACML runtime component itself. The product is called Tivoli Security Policy Manager, and is definitely under active development.
WebLogic used to be built by BEA, before they were acquired by Oracle. I'm not sure if Oracle still sells it or not.
Axiomatics also has an XACML solution, as does Jericho Systems.

WSO2 Identity Server (http://wso2.org/) is an open source entitlement engine which is based on SunXACML. WSO2 Identity Server contains a nice XACML UI policy editor which can be easily used to create complex XACML policies. There is a PIP layer to plug any attribute finder module into it. Therefore you are able to find your attribute from any database, LDAP user store, web services and many more. Also there are decision caching, policy caching and PIP level attribute caching to improve the performance. You can refer to the implementation source code here [1].
[1] https://svn.wso2.org/repos/wso2/branches/carbon/3.2.0/components/identity/org.wso2.carbon.identity.entitlement/

DATEV (a German IT service provider with 5800 employees) announced in 2010 that they will use XACML. Swedish software company Axiomatics will develop a Datev version of its identity management solution.

XACML implementations (Sun, XEngine, and EnterpriseXACML) are currently interpreters, which makes it hard to debug how a decision was reached since debuggers show the interpreter's internal code, not the policy itself.
I've written a compiler for DOD/DISA that transforms XACML directly to Java code. The goal was making policies easier to understand, not speed, but it is gratifying that compiled policies run in about a tenth the space and time as Sun's interpreter.
The compiler has now been verified by using the same OASIS compliance tests that Sun's interpreter uses. Out of ~400 tests, it passes all but 8. Current problem areas are cases the standard isn't clear on; Subject Categories and PolicySet IdReferences, to name two.
I'm wiring it up as a SAML-P service this weekend. Release plans aren't final yet but we'll probably release it as open source on forge.mil as soon as the SOA version stabilizes.
Note added: There's a link to an AFCEA paper about it at http://bradjcox.blogspot.com/2011/03/compiling-xacml-to-java-source.html

BiTKOO (http://bitkoo.com) has XACML 3.0 integrated into its Keystone family of authorization management products. I'm the architect of BiTKOO's XACML core technologies (PDP, PAP, PEP).
A wide variety of organizations are now using XACML based solutions for authorization management. Most are large organizations - government agencies (foreign, domestic, military, and state), universities, media companies, industrial companies, etc.

I'm aware that this question was posted a few years ago, but it can be relevant right now to people looking for open source XACML implementations.
The project AuthZForce provides an open-source XACML 3.0 implementation with a multi-tenant REST API along with a Java-based API. It also provides an XACML SDK.
AuthZForce is available on GitHub and on the OW2 repository; a Docker container and a Debian package are also available:
http://github.com/authzforce
https://tuleap.ow2.org/projects/AuthzForce/
I'm one of the core developers of the project, so feel free to reach me if you have any questions.

This may not be helpful as it's not a COTS product, but it may be of interest to you or others.
There is an open-source XACML implementation at http://code.google.com/p/enterprise-java-xacml/ which I've used recently. It covers the entire specification and has pretty decent policy evaluation performance considering it's not optimised.

You can have a look at http://www.herasaf.org/ . It is a highly developed open source project (although I don't know which license they are under). It looks really promising, but there is still a lot of work to do.

If you are looking for an alternative to Sun XACML you should really have a look at HERAS-AF (www.herasaf.org). It's a very active project and their support is very good and fast responding (e.g. forum.herasaf.org). The code is of good quality and it provides many extension points. The API is clear and very easy to use. Have a look at the getting started guide. It is developed and published under the Apache 2 license.

OpenAM, an open source access management and web Single Sign On solution, previously known as OpenSSO, provides a PDP and has support for XACML 3.0 for importing and exporting policies.
More information at openam.forgerock.org.

PicketBoxXACML, formerly JBossXacml, also wraps SunXacml's implementation and provides an updated PDP. There's not a lot of documentation out there on it, but it's open source.

Hi, you might also want to have a look at ViewDS Identity Solutions (see http://www.viewds.com). ViewDS have two XACML solutions. Access Sentinel provides for externalised authorisation services with a PDP/PIP and two PAPs (DotNet & Java) and a variety of PIPs. Their product also supports Delegation, Roles Management & obligations. ViewDS Identity Solutions also have an LDAP Directory with its own integrated searching and matching engine, and have XACML-enabled the Directory. That is, they use XACML to provide the policy-based authorisation system for accessing Directory information over the Web.

Here's an interesting discussion at Forrester blog http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead that actually updates the state of XACML as of 2013. Be sure to read the comments as well.

Related

Hybris production support activities

I am pretty new to Hybris. I am a bit curious about the activities that are taken care of by the production support team in Hybris. Please share information about what activities a production support person generally takes care of.
Maybe this can give you some idea:
Study guide for SAP Certified Support Specialist - SAP Commerce 1811: https://cxwiki.sap.com/display/education/Study+guide+for+SAP+Certified+Support+Specialist+-+SAP+Commerce+1811
I think the scope can be quite big, and it will depend on your contract / agreement. It could cover things like:
Handling day-to-day operations (e.g. backups)
Managing releases or patches
Managing users (e.g. Creating/Updating accounts manually)
Operating Backoffice (e.g. Reloading the widgets, etc) or PCM
Monitoring the system (e.g. Using DynaTrace)
Fixing performance issues
Fixing synchronization issues
Setting up the infrastructure (e.g. clustering, caching, logging, etc)
Being familiar with integration with other services (e.g. Data Hub)
Knowing how to identify and fix issues / problems in general
etc

Build a web app based on a DMS kernel

I need your help for my question.
I need to build a web based application that should perform some document management activities. I'm evaluating existing document management solutions and I need a solution that exposes an API via REST or another protocol, so that I can interact with it from my application.
I read about Alfresco, SharePoint and KnowledgeTree but I find it difficult to understand prices for commercial use. Can someone help me with a comparison of functions/prices for commercial use?
Alfresco is available in two versions, Alfresco Community Edition and Alfresco Enterprise. Alfresco Community is under the LGPL license. Assuming you want to use it in-house (not distribute it to others), you can use + customise + extend Alfresco Community to your heart's content, without restriction or charge. (LGPL/GPL/etc are distribution licenses, not use licenses, so only kick in when you redistribute). However, Alfresco Community comes with no commercial support, only support provided by the community. For a lot of uses that's good enough, but for other cases you'll want to be able to ring someone for support / get hotfixes backported to your version / etc. In that case...
Alfresco Enterprise is paid for, coming with commercial support (including SLAs, pick up the phone and talk to an expert etc), along with a handful of features that matter in big deployments (clustering being one). Pricing depends on a few things, mostly around size of deployment and SLA, but for small deployments isn't too bad. For big deployments, it can be a huge saving over other systems! Give sales a call, they're very friendly, and only rarely buy me beer ;-)
If you don't want to run your own repo, there's also the Alfresco Cloud version, which comes with a public API. With this, Alfresco themselves run and maintain the instance for you, and you can use the public API to store / retrieve / manage / etc your content. It's much simpler to get going with! But you don't quite get as much control or customisation as with the on-premise versions.
SharePoint might already be covered by your existing Microsoft licensing deal, if you have one. If not, you'd need to decide between licensing on a per-server or per-user basis. See Microsoft pages like this to get an idea of the options, then ring your Microsoft sales rep to get an idea of the pricing. In many cases, you'd need to pay someone else for support, so you'd be back to a similar thing as with Alfresco Community vs Enterprise.
If you're not sure what system to go with, you might be safest and best off implementing your project using CMIS (Content Management Interoperability Services). This provides a common way to talk to content repositories, allowing you to store/retrieve/browse/search/permissions/etc irrespective of what the underlying repo is. Alfresco provide some information on it, and Apache Chemistry provides open source client libraries for most common programming languages, which makes getting started very quick. There's also an excellent book on CMIS which I can very much recommend! And not only because the authors of that have been known to buy me beer too... ;-)

Has Rational ClearQuest been superseded by Team Concert?

According to the Wikipedia details associated with IBM Rational ClearQuest the "latest" version of this product was released in October 2011.
Would I be right in assuming that this is no longer being actively developed by IBM and that their alternative, Rational Team Concert, is their preferred offering in this space?
Please allow me to introduce myself, I'm Howie Bernstein the ClearCase and ClearQuest product manager. Right now we are in an open beta with two significant features for ClearCase and ClearQuest. ClearCase is in beta with Role-based Access Control Lists for ClearCase elements, and ClearQuest is in beta with Multi-record update in ClearQuest Web (as well as a few other features). If you are presently a ClearCase or ClearQuest customer, you can access the open beta here: https://www14.software.ibm.com/iwm/web/cc/earlyprograms/rational/cacv801/
It would be a mistake to think of RTC as a replacement for ClearCase and ClearQuest. It would depend entirely on what features of ClearCase and ClearQuest your organization depends on. For organizations that make little use in ClearCase of dynamic views, process triggers, build auditing (and others) then perhaps switching to RTC SCM would be a reasonable consideration. The same can be said for ClearQuest. If your organization takes advantage of the advanced customization features of ClearQuest and depends on those features to execute your custom workflow, then RTC might not be a good solution for you.
In our development organization, we use all three, together. We use ClearQuest for external RFE and APAR submission and workflow, we use ClearCase for our SCM (on the ClearCase and ClearQuest teams, as well as other teams throughout IBM) and we use RTC for our work item planning and execution. We have excellent bridging and synchronization capabilities between CC/CQ and RTC that makes this possible.
As to the future, we have development teams working on new features in both ClearCase and ClearQuest and we plan to introduce new versions in the future.
ClearCase, like ClearQuest, is still "maintained", but without any new outstanding features.
RTC is more an aggregation of three tools:
Work Items management (replacing ClearQuest)
Source Control management (Jazz source Control, replacing ClearCase)
Build Engine (like BuildForge, but also able to communicate with Hudson/Jenkins with RTC4)
So RTC isn't just a replacement for ClearQuest, but a way to ensure traceability during the application development life cycle:
from the initial request (Work Item)
to the code changes (source control)
to the build from a specific revision of the code (build engine)

Design Patterns for security and data access control

Having recently discovered design patterns, and having acquired the excellent Head First Design Patterns book (can really recommend it!), I am now wondering about design patterns for security and controlling access to records in data stores.
My use case is a bespoke CRM style application, with contacts, businesses, and users who have different levels of access, including being limited to read only access, or even a subset of records. I will only be doing distinct entity level access control, not field level.
Can anyone recommend any security orientated design patterns that would fit the above?
If it makes a difference, I am using ASP.Net MVC, Entity Framework 4 and SQL Server 2008.
Security is what we call a cross-cutting concern and it's never easy to deal with.
If you need to deal with security at the ASP.NET MVC level, you could consider looking at the MVC tutorial:
http://www.asp.net/learn/mvc/
If you want to know more about security at the domain model level, an interesting question was already asked:
DDD User Security Policies
Hope this helps
There does exist a group of patterns related to security, though most of them focus on securing integrated systems. I have found no book that is as well written and usable as GOF/Head First, though I did enjoy the one online at www.securitypatterns.org.
Security is as much about architecture (server setup, network topology...) as it's about programming, so I would recommend that you start out with a general security book. Also pick up a book specifically on .NET/Windows security, since robust security programming is very technology specific (I, as a UNIX/Java programmer, will have a completely different toolbox than a .NET programmer and can unfortunately not help you with a book on this last subject).
A good place to start on security (although not necessarily a "security design patterns" book) is Ross Anderson's Security Engineering.

How to Get End-User (Client) Feedback on Custom Development Projects

My company is a custom development shop for a number of projects, some larger and some smaller. Currently we handle all of our client communication through email. So we email a design doc, they mark it up and send it back. Then we roll out a beta version of their product and they email us with any bugs, new features, etc. And so on....
As I am working on implementing a new bug tracking system (it looks like it will be Mantis right now), I got to wondering how we could best allow our customers an interface with our development process that would provide better tracking of feature requests and client submitted bugs as well as communicate our responses back to the client.
If anyone is aware of a bug tracking system that does this exceptionally well I'd be interested to hear of that. Otherwise I'm just looking for some general guidelines or good business practices that have allowed your companies to interface effectively and efficiently with your clients.
UPDATE: My company uses a LAMPP stack and as we are a small shop with a limited budget we tend to stick to tools that are open-source and free.
Do most people either use Team Foundation Server to handle this or emails back and forth?
I think the key is to have the dedicated tracking system there for bugs/requests, and to establish a set process for communication. With that at minimum you will start getting consistent feedback. From there you can tweak it to get your specific needs.
As an aside, rather than just using e-mail for your communication, I strongly recommend going to something like BaseCamp for a project management tool. I find that it helps greatly with keeping messages, documentation, and timelines communicated to the client.
If you are using Team Foundation Server, I recommend you install TeamPlain Web Access. It lets you expose a web interface to your TFS project. The only things left to do are to give rights to your client and a username and a password.
Otherwise, there are some paid tools like FogBugz. Of course, the principle is having the bug reporting tool directly linked to your source control so that the developers can easily fix bugs.
Although I know of no specific tools (at least no open source ones), I suggest that you set up a system which will cover your overall requirements gathering and implementation process. Requirements could be tracked in the system, which would also contain the design documents (which could be "checked out from" and "committed to" the system). This way, you would tackle the problem of having multiple revisions of design documents around. Additionally, the design documents and the requirements could be tracked easily. If this system were linked to your source code management system, you would additionally ease your development process/requirements tracking.
Another possibility is to use two products in concert, here's our current setup with a team of 12:
osTicket for incoming requests from clients
Allows for issues to be handled by support staff and bugs to be verified
Status can be checked with just an email address and ticket ID
Typically users don't submit detailed enough bug reports, so this is a good first step
redmine for development tickets
Ticket created by QA or a developer if issue is a real bug
Provides solid enough project and release management
Is a solid step up from trac and mantis (and provides migration tools)