Xacml Studio Reference

1. Introduction.

XACML-Studio (XS) is an authorization policy editor that allows creating and editing policies defined by the XACML 2.0 specification [1], importing them from XML and exporting them to XML. XS is a web application that runs on the Rails [2] platform.

Picture 1. Main Screen

2. Policy Object Persistence.

All policies are stored in a MySQL database. Each XML element that is defined in XACML 2.0's "urn:oasis:names:tc:xacml:2.0:policy:schema:os" namespace is mapped to a database object. This approach makes the policy repository searchable. Each policy or policy set in the repository can be used as a template for building a new policy or policy set. Copy/Paste operations are applicable to any object stored in the repository, making it easy to use existing policy fragments as building bricks for new policies. There are two paste operations available: deep and shallow. The former copies the selected node and all of its descendants, while the latter copies the selected node only.

Picture 2. Copy/Paste

3. Intuitive UI.

The XS UI is implemented with the EXT JavaScript library [3]. EXT UI elements such as the Tree View and Grids are used to render policy objects in a hierarchical manner and to show each object's properties. Partial data loading is used to avoid transmitting too many policy objects to the browser within one HTTP request: only a limited number of top-level policy objects are loaded in each request. More data is loaded when the user expands a tree node or presses the "next/previous" button to navigate through the top-level objects.

Picture 3. Next/Previous

Policies can also be filtered using the "Filter" options. Currently the policy or policy set ID and description fields are used for filtering.

Picture 4. Filtering

To see all descendants of a selected object, use the "Expand All" menu item:

Picture 5. Expand All

A context menu is associated with each tree node. The menu contains all functions that are available for the current node (e.g. multiple "New" items).

Picture 6. Context Menu

To reduce native XACML verbosity, short names and symbols are used for data types and function names. A user doesn't need to remember the full function name or data type: she can select them from a predefined list with short and more intuitive names.

Picture 7. Choosing Function ID

Picture 8. Choosing Data Type

4. Serialization and Deserialization.

A user can import a policy/policy set from an existing XML document. One policy set is predefined in XS and is used as a pseudo root for all other policies and policy sets. After a policy is imported, all its XML elements become database objects in the policy repository and can be used as building bricks for other policies. Any XS object that exists in the policy repository can be exported back to an XML file.

Picture 9. Importing an XML

Picture 10. Exporting an XML
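
The element-to-object mapping of section 2 and the import/export round trip of this section, as an added Ruby example (not XS's own code): a hypothetical PolicyNode stands in for one repository object per XACML 2.0 element, with deep and shallow paste, an import that rejects elements outside the XACML 2.0 policy namespace (an assumption; the page only says such elements are the ones mapped), and an export back to XML. The sample PolicySet is constructed for this example.

```ruby
require 'rexml/document'

XACML_NS = 'urn:oasis:names:tc:xacml:2.0:policy:schema:os'

# One repository object per XACML element (hypothetical model, not XS's own ActiveRecord classes).
class PolicyNode
  attr_reader :name, :attrs, :text, :children
  def initialize(name, attrs = {}, text = nil, children = [])
    @name, @attrs, @text, @children = name, attrs, text, children
  end
  # Deep paste: copies this node and every descendant.
  def deep_copy; PolicyNode.new(name, attrs.dup, text, children.map(&:deep_copy)); end
  # Shallow paste: copies this node only, leaving its descendants behind.
  def shallow_copy; PolicyNode.new(name, attrs.dup, text, []); end
  # Number of repository objects in this subtree.
  def size; 1 + children.sum(&:size); end
  # Export: rebuild the element tree; only the root declares the XACML 2.0 default namespace.
  def to_xml(parent = nil)
    el = parent ? parent.add_element(name) : REXML::Element.new(name)
    el.add_namespace(XACML_NS) unless parent
    attrs.each { |k, v| el.add_attribute(k, v) }
    el.add_text(text) if text
    children.each { |c| c.to_xml(el) }
    el
  end
end

# Import: every element must live in the XACML 2.0 policy namespace, otherwise the document is rejected.
def import_node(el)
  raise ArgumentError, "not an XACML 2.0 element: #{el.expanded_name}" unless el.namespace == XACML_NS
  attrs = {}
  el.attributes.each { |k, v| attrs[k] = v unless k == 'xmlns' || k.start_with?('xmlns:') }
  text = el.texts.map(&:value).join.strip
  PolicyNode.new(el.name, attrs, text.empty? ? nil : text, el.elements.to_a.map { |c| import_node(c) })
end
def import_policy(xml); import_node(REXML::Document.new(xml).root); end
def export_policy(node); node.to_xml.to_s; end

# Constructed sample: a PolicySet holding one Policy with one Rule (6 elements in total).
SAMPLE_XML = <<~XML
  <PolicySet xmlns="#{XACML_NS}" PolicySetId="ps1"
      PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
    <Target/>
    <Policy PolicyId="p1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
      <Description>constructed sample</Description>
      <Target/>
      <Rule RuleId="r1" Effect="Deny"/>
    </Policy>
  </PolicySet>
XML
```

Calling import_policy(SAMPLE_XML) yields six objects; a deep paste of the Policy node carries four of them, a shallow paste only one, and export_policy followed by import_policy reproduces the same tree.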

5. Prerequisites.

XS has been tested on Windows and Linux/Debian with the following Rails configuration:

  1. Windows:
    1. Ruby 1.8.6
    2. Rails 2.1.1
    3. MySQL 5.0.27
    4. Ext 2.2
  2. Linux/Debian:
    1. Ruby 1.8.7
    2. Rails 2.1.1
    3. MySQL 5.0.27
    4. Ext 2.2

6. XS Installation and Running.

  1. Install the Ruby/Rails/MySQL versions listed in "Prerequisites"
  2. Make sure that Ruby executables are in PATH
  3. Download Ext2 from http://extjs.com/products/extjs/download.php
  4. Download XS sources zip file (see XS Sources) and unpack it to a root directory (<ROOT>)
  5. Unpack Ext2 archive to <ROOT>/public directory
  6. Rename <ROOT>/public/ext2 to <ROOT>/public/ext
  7. Start MySQL server
  8. Create the development and production database users defined in the <ROOT>/config/database.yml file.
  9. Assign administrative permissions to the database users, e.g. GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'admin' (the user name and password must match those in database.yml)
  10. Change current directory to <ROOT>
  11. Run: rake db:create
  12. Run: rake db:migrate
  13. Run: ruby script/server

By default the server runs in 'development' mode. To run it in 'production' mode, uncomment the following line in <ROOT>/config/environment.rb:

  # ENV['RAILS_ENV'] ||= 'production'

If you run the server in production mode, make sure that the production database user is given administrative permissions. If everything was installed successfully, XS should be available at http://localhost:3000/xs/index.html

To add a new user to XACML-Studio, edit the SMTP settings in <ROOT>/config/environments/development.rb (or production.rb), because an email notification is sent when a new user is added. By default, all users have read-only permission to the policies. If you need full read-write access to the system, register as a super user with the user ID 'admin'. To change the default super user ID, edit the following line in the same *.rb file:

   XS_Config.super_users = ['admin']

7. Useful Scripts & Tips.

  1. Use "Filter" to reduce the number of policies displayed in XS
  2. Use <ROOT>/bin/imp_pol.pl for bulk policy import from XML files
  3. Use <ROOT>/bin/exp_pol.pl for bulk policy export to XML files

8. Bulk Policy Import.

  1. cd <ROOT>/bin
  2. perl imp_pol.pl policy.xml ...

Note: the WWW::Mechanize Perl module is required to run this script.

9. Bulk Policy Export.

To export policy sets use:

  1. cd <ROOT>/bin
  2. perl exp_pol.pl output_dir <ps.ids
  3. Here ps.ids is a file with policy set IDs; it can be generated by running: mysql -u <user> -p<pwd> -D xacml_studio_dev -e "select id from policy_sets where policy_set_id=0" --delimiter "" >ps.ids. You'll need to remove the first line (the column header) from the generated file.

To export policies use:

  1. cd <ROOT>/bin
  2. perl exp_pol.pl -p output_dir <p.ids
  3. Here p.ids is a file with policy IDs; it can be generated by running: mysql -u <user> -p<pwd> -D xacml_studio_dev -e "select id from policies where policy_set_id=0" --delimiter "" >p.ids. You'll need to remove the first line (the column header) from the generated file.

Note: the WWW::Mechanize Perl module is required to run this script.

10. Testing.

XS has been tested by importing all policies from the XACML 2.0 conformance test suite [4], exporting them back to XML files and validating the exported files with the XACMLight [5] PDP engine.

11. Sources.

  #  Type              URL
  1. Download Page     http://sourceforge.net/project/showfiles.php?group_id=243604
  2. Subversion Trunk  https://xacml-studio.svn.sourceforge.net/svnroot/xacml-studio/trunk

12. Development Tools.

Eclipse [6] and Aptana Studio [7] have been used as the main development tools for creating XS.

13. References.

  1. XACML 2.0 - http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
  2. Ruby on Rails - http://www.rubyonrails.org/
  3. EXT - http://extjs.com/
  4. XACML 2.0 Conformance Tests - http://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
  5. XACMLight - http://sourceforge.net/projects/xacmllight
  6. Eclipse - http://www.eclipse.org/
  7. Aptana Studio - http://www.aptana.com/