Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft


On 14 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
 > Anne Anderson wrote:
 > 
 > > A subject wants to view a given hospital patient record, which is
 > > an XML document file.  The policy is that subjects can view
 > > patient records only if they are in role "hospital administrator"
 > > or if their "subject-id" matches the <attending physician> or
 > > <patient name> values in the patient record.
 > > 
 > > The system does not want to have to ask about each node in the
 > > record, because its policy is either to give access to the entire
 > > document or not at all.
 > > 
 > > I think this is a realistic use case.
 > 
 > how does the system 'not ask about each node', yet evaluate them 
 > individually? i assume the assumption is that there is a deny-override 
 > mechanism that allows the system to discontinue evaluation once it hits 
 > a deny on a component? (in that case the schema designer had better put 
 > the sensitive stuff first! ;o)

Here is how:

Request:
   <Subject>subject-id="Anne Anderson"</Subject>
   <Resource>resource-id="http://www.medco.com/patient-records/Record0001.xml"
     <ResourceContent>
         <md:Record>
           <md:PatientName>Anne Anderson</md:PatientName>
           <md:Physician>Dr. Doofus</md:Physician>
           <md:Diagnosis>sick</md:Diagnosis>
         </md:Record>
     </ResourceContent>
   </Resource>
   <Action>action-id="read"</Action>

<Policy PolicyId="Anne's example" CombiningAlgorithm="whatever">
   <Target>
      <Resource MatchId="anyURI-match">
          <AttributeValue
             DataType="anyURI">http://www.medco.com/patient-records/Record0001.xml</AttributeValue>
          <ResourceAttributeDesignator
             AttributeId="resource-id"
             DataType="anyURI"/>
      </Resource>
   </Target>
 <Rule Effect="Permit">
   <Condition FunctionId="or">
      <Apply FunctionId="string-match">
         <AttributeSelector
            RequestContextPath="//Resource/ResourceContent/md:Record/md:PatientName/text()"
            DataType="string"/>
         <SubjectAttributeDesignator
            AttributeId="subject-id"
            DataType="string"/>
      </Apply>
      <Apply FunctionId="string-match">
         <AttributeSelector
            RequestContextPath="//Resource/ResourceContent/md:Record/md:Physician/text()"
            DataType="string"/>
         <SubjectAttributeDesignator
            AttributeId="subject-id"
            DataType="string"/>
      </Apply>
       <Apply FunctionId="anyURI-match">
          <AttributeValue
             DataType="anyURI">urn:medco:role:Administrator</AttributeValue>
          <SubjectAttributeDesignator
             AttributeId="role"
             DataType="anyURI"/>
       </Apply>
   </Condition>
  </Rule>
</Policy>

This corresponds to a human-managed policy where there is a
folder of patient records.  A subject comes up to the Medical
Records department and asks to see Record0001 (not "diagnosis
field in Record0001").  The clerk knows the hospital's policy is
that someone can only see a patient record if they are the
physician, the patient, or an administrator, so asks to see ID.  The
clerk then matches the ID against the physician name and patient
name in the requested patient record (or says "Yes, Ma'am" if the
requester is an administrator).  If there is a match, the clerk
hands the entire Record0001 (or a copy of it) to the requester.

 > also, it would seem that the additional administrative burden (element 
 > level security access rules) would warrant a level of protection that is 
 > equally as granular? i dunno, it just seems like a stretch to me because 
 > my experience is that 'all or nothing' access control is generally 
 > associated with 'all or nothing' access control policy. ('hospital 
 > administrator' can see doc, 'bill' can't).

I think this IS an "all or nothing" access control policy.  It is
just "all, if administrator or match on these fields" and
"nothing otherwise".

Anne

 > b

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
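To make concrete what "one decision for the whole document" means in the sketch above, here is a small added evaluator (an illustration written for this archive page, not XACML TC code and not a real PDP) that applies the sketched policy to a request context carrying the record in ResourceContent. It assumes a constructed namespace URI urn:medco:records for the md prefix, which the sketch never declares, and simplifies string-match and anyURI-match to plain equality.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:medco:records"}  # assumed URI for the md prefix; the sketch never declares it
RECORD_URI = "http://www.medco.com/patient-records/Record0001.xml"
ADMIN_ROLE = "urn:medco:role:Administrator"

def attribute_bag(request, section, attribute_id):
    """AttributeDesignator: the bag of values of one attribute in a request section."""
    return [av.text for attr in request.findall(section + "/Attribute")
            if attr.get("AttributeId") == attribute_id
            for av in attr.findall("AttributeValue")]

def evaluate(request_xml):
    """Evaluate the sketched policy once for the whole record: 'Permit' or 'NotApplicable'."""
    req = ET.fromstring(request_xml)
    # Target: the policy applies only to Record0001 (anyURI-match on resource-id).
    if RECORD_URI not in attribute_bag(req, "Resource", "resource-id"):
        return "NotApplicable"
    subject_ids = attribute_bag(req, "Subject", "subject-id")
    roles = attribute_bag(req, "Subject", "role")
    # AttributeSelectors: pull PatientName and Physician out of the ResourceContent.
    record = "Resource/ResourceContent/md:Record/"
    patient = [n.text for n in req.findall(record + "md:PatientName", NS)]
    physician = [n.text for n in req.findall(record + "md:Physician", NS)]
    # Condition: or(subject-id is the patient, subject-id is the physician, role is Administrator).
    permitted = (any(s in patient for s in subject_ids)
                 or any(s in physician for s in subject_ids)
                 or ADMIN_ROLE in roles)
    return "Permit" if permitted else "NotApplicable"

def make_request(subject_id, role=None, resource_id=RECORD_URI):
    """Constructed request context in the shape of the sketch (sample input, not a real PEP's output)."""
    role_attr = ('<Attribute AttributeId="role" DataType="anyURI">'
                 f'<AttributeValue>{role}</AttributeValue></Attribute>') if role else ""
    return f"""<Request xmlns:md="urn:medco:records">
  <Subject>
    <Attribute AttributeId="subject-id" DataType="string"><AttributeValue>{subject_id}</AttributeValue></Attribute>
    {role_attr}
  </Subject>
  <Resource>
    <Attribute AttributeId="resource-id" DataType="anyURI"><AttributeValue>{resource_id}</AttributeValue></Attribute>
    <ResourceContent><md:Record>
      <md:PatientName>Anne Anderson</md:PatientName>
      <md:Physician>Dr. Doofus</md:Physician>
      <md:Diagnosis>sick</md:Diagnosis>
    </md:Record></ResourceContent>
  </Resource>
  <Action><Attribute AttributeId="action-id" DataType="string"><AttributeValue>read</AttributeValue></Attribute></Action>
</Request>"""
```

The patient, the physician and an administrator each get the whole record in a single evaluation; anyone else gets NotApplicable, and a request for a different resource-id never reaches the condition at all.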