OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-users] Why medical samples?

The orginal XACML usecases and requirements are available on the TC's web site. They include medical usecases as well as ones from other domains.

As Seth points out, in presenting a set of examples, it is convenient to base all of them on the same underlying situation simply to avoid having to provide a lengthy explaination of the context of each example. 

I think medical records were chosen for several reasons:

1. Most people have at least some familiarity with doctors and hospitals, and some idea what kinds of information they deal with.

2. The need for access control to medical information is pretty obvious. In the US, the need to comply with HIPAA has made this a practical issue of some urgency.

3. Medical records provide one of the easiest to understand contexts for the use of policies based on content introspection (also known as instance-based accesss control.) An example of this kind of thing is a single policy that says "everybody can read their own medical record." This is a feature of XACML which is not present in most currently deployed authorization schemes, so an example is important.


> -----Original Message-----
> From: Seth Proctor [mailto:Seth.Proctor@Sun.COM]
> Sent: Monday, October 11, 2004 1:52 PM
> To: Kuketayev, Argyn
> Cc: xacml-users@lists.oasis-open.org
> Subject: Re: [xacml-users] Why medical samples?
> On Mon, 2004-10-11 at 13:46, Kuketayev, Argyn wrote:
> > This question is stupid indeed, but I'm going to ask it anyways :)
> >
> > Why's everyone using medical samples? Is it where XACML originated?
> Heh. Not a stupid question at all. I'm sure lots of other 
> people wonder
> at that too.
> In my opinion, the medical world today provides a lot of very 
> good, very
> tangible security use-cases and examples. Therefore, the 
> examples in the
> specification are all about medical records (just to stay 
> consistent, I
> think). A lot of the XPath questions that people raise are 
> based on the
> examples in the spec, so the medical theme is carried over.
> Dunno. Maybe there is a deeper reason. Can anyone from the early XACML
> days shed some light on this?
> seth

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]