xacml-users message
Subject: Fwd: one question regarding obligations in XACML


Could Michiharu or another obligations expert try to respond to this?

Thanks,
Anne Anderson
--- Begin Message ---
Dear Seth,
 
    According to XACML obligations, the PDP can restrict the PEP before handing data to the client, as we have seen in the XACML specification for a medical system example in which the PEP is obliged to send an email to the patient whose record has been accessed.
 
The example in the XACML specification does not give much detail on this issue.
 
My question:
 
Suppose we have a web service displayPatients(patientdisplaycriteria) with return type Patients[] (an array type, i.e. a group of patient records).
 
 
  Now a user (healthcareworker) calls the web service displayPatients(totalcharges > 1000 $) and we have a group of patients whose totalcharges are greater than 1000,
but we have an access rule that the caller of the web service (healthcareworker in this example, let us suppose) can only access medical records up to one year old.
So it imposes a restriction on the returned data that the PEP is going to hand over to the client (healthcareworker),
 
 
i.e. patients[].admissiondate > (sysdate() - 365 days)
 
Can we write the condition block again in the XACML obligation?
 
How can this condition be communicated between the XACML PEP and PDP?
 
 
I have one solution in my opinion; please have a look at it.
 
 
This is what the XACML specification gives in its medical system example:
 
 

[092] <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:email"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]      "urn:oasis:names:tc:xacml:1.0:example:attribute:mailto"
[097]             DataType="http://www.w3.org/2001/XMLSchema#string">
[098]             <AttributeSelector RequestContextPath=
[099]             "//md:/record/md:patient/md:patientContact/md:email"
[100]             DataType="http://www.w3.org/2001/XMLSchema#string"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]             "urn:oasis:names:tc:xacml:1.0:example:attribute:text"
[104]             DataType="http://www.w3.org/2001/XMLSchema#string">
[105]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
[106]                    Your medical record has been accessed by:
[107]             </AttributeValue>
[108]      </AttributeAssignment>
[109]      <AttributeAssignment AttributeId=
[110]                    "urn:oasis:names:tc:xacml:example:attribute:text"
[111]             DataType="http://www.w3.org/2001/XMLSchema#string">
[112]             <SubjectAttributeDesignator AttributeId=
[113]             "urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
[114]      </AttributeAssignment>
[115]   </Obligation>
[116] </Obligations>

 
 At lines 092 and 093 there is an ObligationId email, through which the PEP understands what to do before handing data to the user (it has to send an email in this particular example), and from this email attribute it understands the required attributes as well.
 
 
My opinion
 
Let's suppose we have an ObligationId ConditionGreaterThan, e.g.
 

 

[092] <Obligation ObligationId=
[093]      "urn:oasis:names:tc:xacml:example:obligation:ConditionGreaterThan"
[094]      FulfillOn="Permit">
[095]      <AttributeAssignment AttributeId=
[096]      "urn:oasis:names:tc:xacml:1.0:example:attribute:admissiondate"
[097]             DataType="http://www.w3.org/2001/XMLSchema#string">
[098]             <AttributeSelector RequestContextPath=
[099]             "//md:/record/md:patient/md:admissiondate"
[100]             DataType="http://www.w3.org/2001/XMLSchema#date"/>
[101]      </AttributeAssignment>
[102]      <AttributeAssignment AttributeId=
[103]             "urn:oasis:names:tc:xacml:1.0:example:attribute:thisdate"
[104]             DataType="http://www.w3.org/2001/XMLSchema#date">
[105]             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#date">
[106]                    sysdate() - 365
[107]             </AttributeValue>
[108]      </AttributeAssignment>
[115]   </Obligation>
[116] </Obligations>

 
 
All the values which were changed are marked in red.
I.e., can we have a similar function conditionGreaterThan through which we can specify that the values returned to the client should be greater than some value (sysdate() - 365)?
 
This is just my opinion; how it fits into the XACML framework is my question.
 
 
 
With best regards,
Muhammad Masoom Alam
University of Innsbruck Austria
+43 512 507 6462
+43 512 22455 410
 
--- End Message ---
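Added illustration (not part of the thread): a sketch of how a PEP could enforce the proposed ConditionGreaterThan obligation over the records returned by displayPatients. It assumes the PDP has already resolved the AttributeSelector to a field name and sysdate()-365 to a concrete xs:date in the response, and it applies the XACML rule that a PEP must deny (here: return nothing) when it does not understand an obligation. All identifiers, the obligation XML and the patient records are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Hypothetical identifiers, taken from the obligation proposed in the message.
GT_OBLIGATION = "urn:oasis:names:tc:xacml:example:obligation:ConditionGreaterThan"
FIELD_ATTR = "urn:oasis:names:tc:xacml:1.0:example:attribute:admissiondate"
CUTOFF_ATTR = "urn:oasis:names:tc:xacml:1.0:example:attribute:thisdate"

# Constructed response fragment. Assumption: the PDP resolved the selector to a
# record field name and sysdate()-365 to a concrete xs:date before responding.
CUTOFF = date.today() - timedelta(days=365)
OBLIGATIONS_XML = f"""
<Obligations>
  <Obligation ObligationId="{GT_OBLIGATION}" FulfillOn="Permit">
    <AttributeAssignment AttributeId="{FIELD_ATTR}"
        DataType="http://www.w3.org/2001/XMLSchema#string">admissiondate</AttributeAssignment>
    <AttributeAssignment AttributeId="{CUTOFF_ATTR}"
        DataType="http://www.w3.org/2001/XMLSchema#date">{CUTOFF.isoformat()}</AttributeAssignment>
  </Obligation>
</Obligations>
"""

# Constructed result of displayPatients(totalcharges > 1000).
PATIENTS = [
    {"id": "p1", "admissiondate": date.today() - timedelta(days=400), "totalcharges": 1500},
    {"id": "p2", "admissiondate": date.today() - timedelta(days=100), "totalcharges": 2200},
]


def parse_obligations(xml_text):
    """Yield (ObligationId, FulfillOn, {AttributeId: value}) for each Obligation."""
    for ob in ET.fromstring(xml_text.strip()).iter("Obligation"):
        assigns = {a.get("AttributeId"): (a.text or "").strip()
                   for a in ob.iter("AttributeAssignment")}
        yield ob.get("ObligationId"), ob.get("FulfillOn"), assigns


def enforce(decision, obligations_xml, records):
    """Apply every obligation attached to the decision and return the records the
    PEP may hand to the client. An obligation the PEP does not understand turns
    the result into a denial (empty list), as XACML requires of a conforming PEP."""
    if decision != "Permit":
        return []
    for ob_id, fulfill_on, assigns in parse_obligations(obligations_xml):
        if fulfill_on != decision:
            continue  # attached to a different decision value; not ours to fulfil
        if ob_id == GT_OBLIGATION and FIELD_ATTR in assigns and CUTOFF_ATTR in assigns:
            field = assigns[FIELD_ATTR]
            cutoff = date.fromisoformat(assigns[CUTOFF_ATTR])
            records = [r for r in records if r[field] > cutoff]
        else:
            return []  # unknown obligation: deny rather than release unfiltered data
    return records
```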