[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
Anne Anderson wrote:
> A subject wants to view a given hospital patient record, which is
> an XML document file. The policy is that subjects can view
> patient records only if they are in role "hospital administrator"
> or if their "subject-id" matches the <attending physician> or
> <patient name> values in the patient record.
>
> The system does not want to have to ask about each node in the
> record, because its policy is either to give access to the entire
> document or not at all.
>
> I think this is a realistic use case.
how does the system 'not ask about each node', yet evaluate them
individually? i assume the assumption is that there is a deny-override
mechanism that allows the system to discontinue evaluation once it hits
a deny on a component? (in that case the schema designer had better put
the sensitive stuff first! ;o)
also, it would seem that the additional administrative burden (element
level security access rules) would warrant a level of protection that is
equally as granular? i dunno, it just seems like a stretch to me because
my experience is that 'all or nothing' access control is generally
associated with 'all or nothing' access control policy. ('hospital
administrator' can see doc, 'bill' can't).
b
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]