OASIS Mailing List Archives

xacml message



Subject: Query filtering and XACML


Hello,

 

I’m forwarding the following questions on behalf of Eli Lilly. They would like feedback from the TC. Thanks.

CBAC (Content Based Access Control) policies in XACML enable the specification of fine-grained policies for information access. This assumes that the user is requesting specific information for which sufficient metadata exists to adjudicate access rights. Sensitive information may be exposed through a web service or by direct queries to a database. In the case of database queries, a user may submit a non-specific request for all information about all people, such as "SELECT * FROM PERSON", which can then be transformed into a more specific query, SELECT <PERMITTED COLUMNS> FROM PERSON WHERE <XACML policy conditions>, in which the rule conditions of applicable policies are converted into the corresponding SQL filter expressions and inserted into the original query before evaluation on the backend database. The overall effect of this query rewrite is that the user can ask for all information, but will receive only the information he is entitled to see. When dealing with very large data sets, is there any technology for web services (SOAP, OData, or REST) that uses XACML policies to dynamically rewrite the web service request based upon results from the policy evaluation, which is analogous to SQL query filters?
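The SQL rewrite described in the message above, sketched as an added example that is not part of the forwarded message or of any XACML product. The `POLICY` dictionary is a hypothetical, simplified stand-in for the result of XACML policy evaluation, and the `PERSON` schema, roles and rows are constructed.

```python
import sqlite3

# Constructed stand-in for the outcome of XACML policy evaluation: for each
# subject role, the columns it may read and the row-level rule conditions.
# This dictionary is a hypothetical simplification, not XACML syntax.
POLICY = {
    "site_nurse": {
        "columns": ["id", "name", "site"],
        "conditions": [("site", "=", "subject.site"), ("consent", "=", 1)],
    },
    "auditor": {"columns": ["id", "site", "consent"], "conditions": []},
}
SCHEMA = {"PERSON": {"id", "name", "site", "diagnosis", "consent"}}
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}


def rewrite_select_all(table, subject):
    """Turn 'SELECT * FROM <table>' into the policy-filtered query."""
    rule = POLICY.get(subject.get("role"))
    if table not in SCHEMA or rule is None or not rule["columns"]:
        raise PermissionError("no applicable policy: deny")
    params, clauses = [], []
    for col, op, value in rule["conditions"]:
        # Identifiers and operators come from the policy and are allowlisted;
        # values are always bound as parameters, never concatenated.
        if col not in SCHEMA[table] or op not in ALLOWED_OPS:
            raise ValueError(f"policy condition not translatable: {col} {op}")
        if isinstance(value, str) and value.startswith("subject."):
            value = subject[value.split(".", 1)[1]]  # resolve subject attribute
        clauses.append(f"{col} {op} ?")
        params.append(value)
    if any(c not in SCHEMA[table] for c in rule["columns"]):
        raise ValueError("policy names an unknown column")
    sql = f"SELECT {', '.join(rule['columns'])} FROM {table}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params


def demo(subject):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PERSON (id, name, site, diagnosis, consent)")
    db.executemany("INSERT INTO PERSON VALUES (?,?,?,?,?)", [  # constructed rows
        (1, "Ann", "IND", "dx-a", 1), (2, "Bob", "IND", "dx-b", 0),
        (3, "Cy", "LON", "dx-c", 1)])
    sql, params = rewrite_select_all("PERSON", subject)
    return sql, db.execute(sql, params).fetchall()
```

A subject with no applicable policy is denied rather than given an unfiltered query, and a policy condition that cannot be translated raises an error instead of being silently dropped.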

 

 

 

 


