Subject: Re: [EXTERNAL] Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?
HL7 has developed international standards for a Security Labeling Service capable of binding Classifications to resources. Also, metadata binding is done at the application level. Messages of different types include classification metadata in their structure which is taken from the resource. Healthcare has standard vocabularies in place and a Healthcare Classification system describing codes including “Classification, sensitivity, integrity, compartment and handling caveats”.
Label information is provided to PDPs as ADI. Decisions are made based upon the policies pertaining to the ADI.
PDPs responding to the decision requests may need to provide obligations for privacy enforcement obligations along with a decision to the PDP. Obligations may be fulfilled by an “obligation” service, also described in healthcare standards. This service may need to call the labeling services, particularly in the case of redacted or masked information where the classifications may change.
End users, such as physicians, have “clearances” to labeled data. Decisions are based on whether the clearance meets or exceeds the resource classification. We do not bind physicians to records as a patient may see many physicians. Such assignments are for business workflow purposes, not security. Also, such assignments would be a management issue. Patients may also be bound to “Care teams” and such groups in “Relationship-based Access Control” schemes which may possibly look closely like ABAC.
Regards, Mike Davis
VHA Security Architect
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Martin Smith
Sent: Thursday, November 12, 2015 11:27 AM
To: David Brossard
Cc: William Parducci; rich levinson; XACML TC
Subject: [EXTERNAL] Re: [xacml] Suggested discussion topic -- what are common practices in how access-control attributes are bound to resources?
David--thanks. So at first glance it didn't seem like there was any resource metadata (attribute) binding in the scenario you describe. But on second thought I guess you could say that the database with the recordID->AssignedPhysician link was that binding (and the AssignedPhysician data is the resource attribute.) Interesting.
It does seem like the binding mechanism and therefore the metadata-finding method may vary widely by resource data type (structured DB, document, message, etc.) as well as other things. I was (am) hoping to find enough commonality in these approaches to support generalization or even guidance/recommendations.
I should also say that the present question came up as a result of trying to think through how one might implement the idea of default-deny-if-no-policy-reference we discussed last meeting. Also, both these questions are from the perspective of how ABAC/PBAC might be applied in a multi-organizational (federated) environment where standard approaches are important for interoperability.
On Wed, Nov 11, 2015 at 4:09 PM, David Brossard <email@example.com> wrote:
In Axiomatics deployments, attributes (metadata) largely come from databases. The PDP uses PIPs to retrieve those attributes via SQL calls. For instance:
- Policy: doctors can view a medical record if the record's assigned physician == the requestor id.
- Attributes used:
  - requestor id - provided by the PEP
  - medical record id - provided by the PEP
  - action id - provided by the PEP
  - medical record assigned physician - retrieved from the record database using SELECT assignedPhysician FROM records WHERE recordId = ?
That is one of the most common ways.
Another option - specific to Windows Server 2012 - is to have the attribute metadata directly assigned to the documents (files / folders) as classification information. MS Windows allows for that. There's a video here that explains how that works.
Hope this helps,
On Wed, Nov 11, 2015 at 9:52 PM, Martin Smith <firstname.lastname@example.org> wrote:
My question is: in current practice today with current deployed products, how are resource metadata bound to resources (documents, etc.)? Interested in access-control related resource attributes of course (vs. search, etc. metadata). Also, how do PDPs (or PIPs) find these attributes?
VP of Customer Relations
+46(0)760 25 85 75
+1 312 774-9163
Martin F Smith, Principal
BFC Consulting, LLC
McLean, Va 22102
703 389-3224 mobile
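
The lookup David Brossard describes earlier in the thread (requestor, record and action ids supplied by the PEP, the assigned physician resolved by a PIP with the quoted SQL query), as an added example that is not part of the original thread and is not Axiomatics or XACML TC code. The class and function names, the sample rows, and the choice to report an unresolvable attribute as Indeterminate with a deny-biased PEP are assumptions of this sketch.

```python
import sqlite3

# Constructed sample data; the table and column names come from the query
# quoted in the thread, everything else here is hypothetical.
def make_record_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (recordId TEXT PRIMARY KEY, assignedPhysician TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?)",
                   [("rec-1", "dr-alice"), ("rec-2", "dr-bob"), ("rec-3", None)])
    return db

class RecordPIP:
    """Policy information point: resolves resource attributes on demand."""
    def __init__(self, db):
        self.db = db

    def assigned_physician(self, record_id):
        # Bound parameter, as in the thread's query; the record id arrives
        # from the PEP and is never spliced into the SQL text.
        row = self.db.execute(
            "SELECT assignedPhysician FROM records WHERE recordId = ?",
            (record_id,)).fetchone()
        return row[0] if row else None

def decide(pip, requestor_id, record_id, action_id):
    """PDP for the single rule: a doctor may view a record they are assigned to."""
    if action_id != "view":
        return "NotApplicable"      # the rule only targets the view action
    physician = pip.assigned_physician(record_id)
    if physician is None:
        # Assumption of this sketch: a missing record or an unset binding
        # is reported as Indeterminate rather than silently compared.
        return "Indeterminate"
    return "Permit" if physician == requestor_id else "Deny"

def enforce(decision):
    """Deny-biased PEP (an assumption): only an explicit Permit grants access."""
    return decision == "Permit"

if __name__ == "__main__":
    pip = RecordPIP(make_record_db())
    for req in [("dr-alice", "rec-1", "view"), ("dr-alice", "rec-2", "view"),
                ("dr-alice", "rec-3", "view"), ("dr-alice", "rec-9", "view"),
                ("dr-alice", "rec-1", "delete")]:
        d = decide(pip, *req)
        print(req, d, "granted" if enforce(d) else "refused")
```
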