XACML-based directory server

I hadn't spoken to Andrew Ferguson (he's director, group marketing and global channel, for Australia's eB2Bcom, which he co-founded in '96) since last year's European ID Conference (see "The case for XLDAP"), but he did pop into my inbox recently to give me an update on one of his pet projects, ViewDS.

ViewDS v7.2 (now in final beta test, due for release in September) will be, according to Andrew, the world's first directory to implement XACML v3 as an access control and authorization model for access to LDAP directory content. ViewDS v7.2 will implement support for an XACML v3-based fine-grained authorization model, called XBAC, in the directory itself. XBAC fully implements ABAC (Attribute-Based Access Control), which uses attributes to describe access control rules and access requests in a structured language. As most of you are aware, attributes are sets of labeled properties that can describe any entity (not only the subject) that needs to be considered for authorization purposes. ABAC thus offers fine-grained and context-aware access control that adapts to dynamically changing needs. Per the XACML standard, authorization queries are formed from a combination of an access subject, a resource, an action and an environment.

A fuller list of all the additions and improvements in v7.2 can be found at the ViewDS website but among those I think are important are:

• A range of new Single Sign-On developments in ViewDS Access Presence, including login using OpenID and login using SAML assertions.

• A new XACML v3.0 Policy Administration Point (PAP) tool will be released to give users the ability to create, edit, delegate and distribute policies across the enterprise. This PAP will also support the creation of roles or the import of roles from other applications. XACML v3.0 Policy Enforcement Points for Microsoft IIS and Apache will be provided, as well as a Java and DotNet WSDL document library.

• It will be possible to identify the entries that an access control applies to based on any attribute values. As an example, permission to manage all contractors' entries -- no matter where they reside within the directory -- could be granted based on the presence of "employeeType=contractor" in their individual entries.
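As an added illustration (not ViewDS or XBAC code), the following Python models an XACML-style authorization query built from the four attribute categories described above and evaluates the contractor example against a small policy; the role name "contractor-manager", the action identifiers and the business-hours environment rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Added illustration of the XACML v3 / ABAC model described above, not ViewDS or
# XBAC code; role name, attribute names and the business-hours rule are assumed.

@dataclass
class Request:
    """The four attribute categories an XACML authorization query is built from."""
    subject: Dict[str, object]
    resource: Dict[str, object]
    action: Dict[str, object]
    environment: Dict[str, object] = field(default_factory=dict)

@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]

@dataclass
class Policy:
    target: Callable[[Request], bool]     # which requests the policy applies to
    rules: List[Rule]
    algorithm: str = "deny-overrides"     # rule-combining algorithm

def evaluate(policy: Policy, req: Request) -> str:
    """Return Permit, Deny or NotApplicable, as a PDP would for this one policy."""
    effects = [r.effect for r in policy.rules if r.condition(req)] if policy.target(req) else []
    if not effects:
        return "NotApplicable"
    if policy.algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    return "Permit" if "Permit" in effects else "Deny"  # permit-overrides

# The contractor example: the target matches on employeeType=contractor in the
# entry itself, so it applies wherever the entry sits in the directory tree.
CONTRACTOR_POLICY = Policy(
    target=lambda r: r.resource.get("employeeType") == "contractor",
    rules=[
        Rule("Permit", lambda r: "contractor-manager" in r.subject.get("roles", ())
             and r.action.get("id") in {"read", "modify"}),
        # Environment attribute: deny outside 08:00-17:59 (assumed rule).
        Rule("Deny", lambda r: not 8 <= r.environment.get("hour", 12) < 18),
    ],
)

def decide(subject_roles, entry: dict, action_id: str, hour: int = 12) -> str:
    """Build the request for one LDAP entry (a dict of attributes) and evaluate it."""
    req = Request({"roles": tuple(subject_roles)}, dict(entry), {"id": action_id}, {"hour": hour})
    return evaluate(CONTRACTOR_POLICY, req)
```

Because the policy target keys on the entry's own attribute value rather than on its DN, the same decision is reached for a contractor under ou=Sydney and one under ou=London.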

There's a whole lot more, though, so you should check it out for yourself at ViewDS.
