Subject: Re: [EXTERNAL] Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?


Just to add to Mike's email, HL7 actually documented all this publicly and has use cases that lend themselves very well to XACML (I see you are a contributor there, Mike!):

http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Access_Control_Based_on_Category_of_Action

Also, Martin, there are many other verticals / standards with well-defined ontologies. In my example I used a database as a source of metadata. Another example is XML documents (you mentioned that) and for instance the ACORD standard. ACORD defines document formats (XML-based) for insurance-related documents. You could imagine there being a PEP (XML gateway / proxy) intercepting such documents and sending authorization requests to a PDP, e.g. "Can Bob view field X of doc #123?". These requests could be bundled via MDP.

Getting a Deny would make the XML gateway redact the element. Note that - in line with Mike Davis' examples - you could also use obligations to mask / encrypt fields rather than redact them altogether.

In this scenario, the metadata comes from the exchanged document itself.

HTH,
David.

On Fri, Nov 13, 2015 at 2:01 AM, Davis, John M. <Mike.Davis@va.gov> wrote:

HL7 has developed international standards for a Security Labeling Service capable of binding Classifications to resources. Also metadata binding is done at the application level. Messages of different types include classification metadata in their structure which is taken from the resource. Healthcare has standard vocabularies in place and a Healthcare Classification system describing codes including, "Classification, sensitivity, integrity, compartment and handling caveats".

 

Label information is provided to PDPs as ADI.  Decisions are made based upon the policies pertaining to the ADI. 

 

PDPs responding to decision requests may need to provide obligations for privacy enforcement along with a decision to the PDP. Obligations may be fulfilled by an "obligation" service, also described in healthcare standards. This service may need to call the labeling services, particularly in the case of redacted or masked information where the classifications may change.

 

End users, such as physicians, have "clearances" to labeled data. Decisions are based on whether the clearance meets or exceeds the resource classification. We do not bind physicians to records, as a patient may see many physicians. Such assignments are for business workflow purposes, not security. Also, such assignments would be a management issue. Patients may also be bound to "Care teams" and such groups in "Relationship-based Access Control" schemes, which may possibly look closely like ABAC.

 

 

Regards, Mike Davis

VHA Security Architect

760-632-0294
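The clearance-versus-label comparison Mike describes (clearance meets or exceeds the classification, with compartments and handling caveats, and obligations returned alongside the decision) is easy to misread as a single numeric compare. The following is an added illustration, not code from the thread or from any HL7 or VA implementation. It assumes a total order over confidentiality codes (the HL7 confidentiality codes U < L < M < N < R < V are used as the ordering), treats compartments as a set the clearance must cover, and passes the label's handling caveats back as obligations on a Permit; the compartment and caveat codes in the test are constructed.

```python
from dataclasses import dataclass

# Ordering assumed for illustration: the HL7 confidentiality codes, least to
# most restrictive. Any total order of classifications would work the same way.
CONFIDENTIALITY_ORDER = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


@dataclass(frozen=True)
class Label:
    """Security label bound to a resource by the labeling service."""
    confidentiality: str
    compartments: frozenset = frozenset()   # e.g. a constructed code "HIV"
    handling_caveats: tuple = ()            # e.g. a constructed code "NOREDISCLOSE"


@dataclass(frozen=True)
class Clearance:
    """What the PDP receives as ADI about the requesting user."""
    confidentiality: str
    compartments: frozenset = frozenset()


def dominates(clearance: Clearance, label: Label) -> bool:
    """True iff the clearance meets or exceeds the label on every axis."""
    order = CONFIDENTIALITY_ORDER
    if clearance.confidentiality not in order or label.confidentiality not in order:
        return False  # unknown code: fail closed rather than guess a rank
    if order[clearance.confidentiality] < order[label.confidentiality]:
        return False
    # Every compartment on the resource must be held by the user.
    return label.compartments <= clearance.compartments


def decide(clearance: Clearance, label: Label):
    """Return (decision, obligations). Handling caveats travel with a Permit so
    the obligation service can mask or redact before release."""
    if not dominates(clearance, label):
        return ("Deny", ())
    return ("Permit", tuple(label.handling_caveats))
```

A Deny carries no obligations here because nothing is released; a labeled resource whose classification a masked copy changes would, as Mike notes, go back through the labeling service rather than reuse the original label.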

 


From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Martin Smith
Sent: Thursday, November 12, 2015 11:27 AM
To: David Brossard
Cc: William Parducci; rich levinson; XACML TC
Subject: [EXTERNAL] Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?

 

David--thanks. So at first glance it didn't seem like there was any resource metadata (attribute) binding in the scenario you describe. But on second thought I guess you could say that the database with the recordID->AssignedPhysician link was that binding (and the AssignedPhysician data is the resource attribute.) Interesting. 

 

It does seem like the binding mechanism and therefore the metadata-finding method may vary widely by resource data type (structured DB, document, message, etc.) as well as other things. I was (am) hoping to find enough commonality in these approaches to support generalization or even guidance/recommendations. 

 

I should also say that the present question came up as a result of trying to think through how one might implement the idea of default-deny-if-no-policy-reference we discussed last meeting. Also, both these questions are from the perspective of how ABAC/PBAC might be applied in a multi-organizational (federated) environment where standard approaches are important for interoperability.  

 

Regards,

 

Martin
On Wed, Nov 11, 2015 at 4:09 PM, David Brossard <david.brossard@axiomatics.com> wrote:

Hi Martin,

 

In Axiomatics deployments, attributes (metadata) largely come from databases. The PDP uses PIPs to retrieve those attributes via SQL calls. For instance:

 

  • Policy: doctors can view a medical record if the record's assigned physician == the requestor id.
  • Attributes used
    • requestor id - provided by the PEP
    • medical record id - provided by the PEP
    • action id - provided by the PEP
    • medical record assigned physician - retrieved from the record database using SELECT assignedPhysician FROM records WHERE recordId = ?

That is one of the most common ways.

 

Another option - specific to Windows Server 2012 - is to have the attribute metadata directly assigned to the documents (files / folders) as  classification information. MS Windows allows for that. There's a video here that explains how that works.

 

Hope this helps,

David.

 

On Wed, Nov 11, 2015 at 9:52 PM, Martin Smith <bfc.mclean@gmail.com> wrote:

My question is: in current practice today, with current deployed products, how are resource metadata bound to resources (documents, etc.)? Interested in access-control-related resource attributes of course (vs. search, etc. metadata). Also, how do PDPs (or PIPs) find these attributes?

 

 

 

Thanks,

Martin
--

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102
--

David Brossard
VP of Customer Relations
+46(0)760 25 85 75

+1 502 922 6538
Axiomatics AB

Västmannagatan 4
S-111 24 Stockholm, Sweden

Axiomatics for developers: http://developers.axiomatics.com

Connect with us on LinkedIn | Twitter | Google + | Facebook | YouTube



 

--

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

703 506-0159

703 389-3224 mobile




--
David Brossard
VP of Customer Relations
+46(0)760 25 85 75
+1 312 774-9163
+1 502 922 6538
Axiomatics AB

Västmannagatan 4
S-111 24 Stockholm, Sweden
Axiomatics for developers: http://developers.axiomatics.com
Connect with us on LinkedIn | Twitter | Google + | Facebook | YouTube
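The XML gateway scenario at the top of this thread (a PEP intercepting a document, bundling one request per field MDP-style, redacting on Deny and masking via obligation) looks like the following in practice. This is an added example for this page, not code from the thread, from ACORD or from Axiomatics. The document, its element names and the field-level policy table are constructed; the policy table stands in for the PDP, and the `mask` obligation id is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed document; element names are illustrative, not the ACORD schema.
SAMPLE_DOC = """<Policy id="123">
  <Holder>Bob</Holder>
  <SSN>123-45-6789</SSN>
  <Premium>950</Premium>
  <MedicalHistory>asthma</MedicalHistory>
</Policy>"""

# Stand-in PDP policy: per field, which role gets which decision and obligation.
FIELD_POLICY = {
    "Holder": {"agent": ("Permit", None), "auditor": ("Permit", None)},
    "SSN": {"agent": ("Permit", "mask"), "auditor": ("Deny", None)},
    "Premium": {"agent": ("Permit", None), "auditor": ("Permit", None)},
    "MedicalHistory": {"agent": ("Deny", None), "auditor": ("Deny", None)},
}


def pdp_decide_all(requests):
    """Answer a bundle of (role, field) requests in one call, as the Multiple
    Decision Profile allows. Unknown role or field falls to Deny."""
    results = []
    for role, field in requests:
        decision, obligation = FIELD_POLICY.get(field, {}).get(role, ("Deny", None))
        results.append((field, decision, obligation))
    return results


def mask(value: str) -> str:
    """Keep the last four characters, replace the rest."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def enforce(xml_text: str, role: str) -> str:
    """PEP: drop every element that is not Permitted, honour mask obligations."""
    root = ET.fromstring(xml_text)
    fields = list(root)  # snapshot, since we remove while walking
    results = pdp_decide_all([(role, f.tag) for f in fields])
    for child, (_tag, decision, obligation) in zip(fields, results):
        if decision != "Permit":
            root.remove(child)  # Deny, NotApplicable, Indeterminate: redact
        elif obligation == "mask":
            child.text = mask(child.text or "")
    return ET.tostring(root, encoding="unicode")


def visible_fields(xml_text: str, role: str) -> dict:
    """Convenience view of what a given role ends up seeing."""
    return {c.tag: c.text for c in ET.fromstring(enforce(xml_text, role))}


if __name__ == "__main__":
    print(enforce(SAMPLE_DOC, "agent"))
```

Anything other than an explicit Permit is treated as Deny at the gateway, so a field the policy never mentions is removed rather than leaked, which is the default-deny behaviour Martin raised earlier in the thread.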

