OASIS Mailing List Archives

xspa message

Subject: intended conformance point of the XSPA XACML profile


Hello all,

I have been tied up in a meeting all week, so I have not been able to kick off the continued discussion on the XSPA attributes and the requirements of the NHIN. I will try to start up a couple of different threads this morning while I have some time.

This first thread is to ask a fundamental question about the nature of the XSPA profile of XACML. The question can be stated succinctly as: what is the intended conformance point of this profile? In other words, of the arrows shown in Figure 1 of the profile (p. 9 of the Public Review Draft 02), which of those transactions are intended to carry the attributes defined in the profile, and in what context? I think it would also be useful to refer to Figure 1 in the XACML 2.0 CORE specification as well (p. 17). This diagram is a bit more explicit and calls out some of the data flows that are only implied in the diagram from the XSPA profile.

My hunch (and it is only a hunch, because I think there are a few different interpretations that can be drawn from the XSPA document itself), is that the attributes are intended to apply in two places:
1. Between the Policy Enforcement Point and the Policy Decision Point. This corresponds to data flow #4 in the diagram from XACML CORE. The context of the transaction is the XACMLAuthzDecisionQuery / XACMLAuthzDecisionStatement defined in the SAML-XACML profile.
2. Between the Policy Enforcement Point and the Policy Information Point. This corresponds to data flow #6 in the diagram from XACML CORE. The attributes are carried on the AttributeQuery / AttributeStatement defined in the SAML CORE profile, as described in the SAML-XACML profile. I'm not entirely clear on where in a SOAP message those attributes get carried.

It is my further hunch that it is not intended that the XSPA XACML profile applies between the Policy Administration Point and the Policy Decision Point. This corresponds to data flow one in the XACML Core diagram, and it is also described (somewhat differently) in the SAML-XACML profile as using the XACMLPolicyQuery / XACMLPolicyStatement defined in that profile.

So I have two requests:

1. Can the list confirm or correct my hunches about the intended conformance point(s) of the XSPA XACML profile?

2. Can the list help me understand the use of certain attributes defined in the profile, in terms of how it could make sense to carry them on the particular data flows? The particular attributes I have questions about are: subject:hl7:permission, resource:org:permission, resource:hl7:dissenting-subject-id, resource:hl7:dissenting-role. (And I guess all of the *dissenting* attributes defined in Table 2.) I simply cannot identify a data flow where (a) the requesting side of the flow would have the information defined by these attributes and (b) the responding side of the flow would have any need of it.

Regards,

Richard Franck
Certified IT Architect, IBM Global Business Services
Healthcare and Life Sciences
office: 1-919-254-4771
mobile: 1-919-302-3880
e-mail: Richard_Franck@us.ibm.com