Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
Anne Anderson wrote:
> A subject wants to view a given hospital patient record, which is
> an XML document file. The policy is that subjects can view
> patient records only if they are in role "hospital administrator"
> or if their "subject-id" matches the <attending physician> or
> <patient name> values in the patient record.
>
> The system does not want to have to ask about each node in the
> record, because its policy is either to give access to the entire
> document or not at all.
>
> I think this is a realistic use case.

how does the system 'not ask about each node', yet evaluate them individually? i assume the assumption is that there is a deny-override mechanism that allows the system to discontinue evaluation once it hits a deny on a component? (in that case the schema designer had better put the sensitive stuff first! ;o)

also, it would seem that the additional administrative burden (element level security access rules) would warrant a level of protection that is equally as granular?

i dunno, it just seems like a stretch to me because my experience is that 'all or nothing' access control is generally associated with 'all or nothing' access control policy. ('hospital administrator' can see doc, 'bill' can't).

b
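The two evaluation strategies discussed in this message, as an added example that is not part of the original post or of the XACML profile: one decision for the whole record versus per-node decisions combined with a simplified deny-overrides (Permit/Deny only) that stops at the first Deny. The element names, the sample record, the `sensitive` set and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample record; element names are assumptions for this example.
RECORD = ET.fromstring(
    "<record><patient-name>alice</patient-name>"
    "<attending-physician>dr-bob</attending-physician>"
    "<billing>acct-17</billing><diagnosis>constructed</diagnosis></record>"
)

def record_rule(subject, record):
    """Rule from the quoted use case: role, or subject-id matches the record."""
    if "hospital administrator" in subject["roles"]:
        return "Permit"
    names = {record.findtext("attending-physician"), record.findtext("patient-name")}
    return "Permit" if subject["subject-id"] in names else "Deny"

def node_decisions(subject, record, sensitive):
    """Lazily yield one decision per element, in document order.
    Hypothetical element-level policy: only tags in `sensitive` apply
    record_rule; every other element is Permit."""
    for node in record:
        yield record_rule(subject, record) if node.tag in sensitive else "Permit"

def deny_overrides(decisions):
    """Simplified deny-overrides with short circuit: stop at the first Deny.
    Returns (decision, number of decisions actually evaluated)."""
    count = 0
    for count, decision in enumerate(decisions, start=1):
        if decision == "Deny":
            return "Deny", count
    return ("Permit", count) if count else ("NotApplicable", 0)

def reordered(record, first_tag):
    """Copy of the record with `first_tag` moved to the front."""
    root = ET.Element(record.tag)
    root.extend(sorted(record, key=lambda n: n.tag != first_tag))
    return root

if __name__ == "__main__":
    bill = {"subject-id": "bill", "roles": []}
    bob = {"subject-id": "dr-bob", "roles": []}
    for who in (bill, bob):
        print(who["subject-id"], "whole document:", record_rule(who, RECORD))
        print("  per node:", deny_overrides(node_decisions(who, RECORD, {"diagnosis"})))
        print("  sensitive first:", deny_overrides(
            node_decisions(who, reordered(RECORD, "diagnosis"), {"diagnosis"})))
```

The short circuit only shortens the Deny path: a permitted subject still costs one decision per node, while the whole-document rule is a single evaluation either way.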