OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] Comments on xacml-profile-hierarchical-resources draft

    Posted 07-15-2004 16:00



    Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft


    On 14 July, Bill Parducci writes: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
     > Anne Anderson wrote:
     > 
     > > A subject wants to view a given hospital patient record, which is
     > > an XML document file.  The policy is that subjects can view
     > > patient records only if they are in role "hospital administrator"
     > > or if their "subject-id" matches the <attending physician> or
     > > <patient name> values in the patient record.
     > > 
     > > The system does not want to have to ask about each node in the
     > > record, because its policy is either to give access to the entire
     > > document or not at all.
     > > 
     > > I think this is a realistic use case.
     > 
     > how does the system 'not ask about each node', yet evaluate them 
     > individually? i assume the assumption is that there is a deny-override 
     > mechanism that allows the system to discontinue evaluation once it hits 
     > a deny on a component? (in that case the schema designer had better put 
     > the sensitive stuff first! ;o)
    
    Here is how:
    
    Request (XACML 1.0 context form; the md namespace is assumed, since none is given here):

    <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
             xmlns:md="urn:medco:records">
       <Subject>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                     DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>Anne Anderson</AttributeValue></Attribute>
       </Subject>
       <Resource>
          <ResourceContent>
             <md:Record>
                <md:PatientName>Anne Anderson</md:PatientName>
                <md:Physician>Dr. Doofus</md:Physician>
                <md:Diagnosis>sick</md:Diagnosis>
             </md:Record>
          </ResourceContent>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                     DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>http://www.medco.com/patient-records/Record0001.xml</AttributeValue></Attribute>
       </Resource>
       <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                     DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
       </Action>
    </Request>

    <!-- XACML 1.0 policy.  There is only one rule, so the combining algorithm does not
         change the result; deny-overrides is used here.  Bag-valued selectors and
         designators are compared with any-of-any / any-of rather than directly, and
         all operands of string-equal are strings.  The md namespace is assumed and
         the "role" attribute id is kept as in the sketch. -->
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:ctx="urn:oasis:names:tc:xacml:1.0:context"
            xmlns:md="urn:medco:records"
            PolicyId="Anne's example"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
       <Target>
          <Subjects><AnySubject/></Subjects>
          <Resources>
             <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                   <AttributeValue
                      DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://www.medco.com/patient-records/Record0001.xml</AttributeValue>
                   <ResourceAttributeDesignator
                      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                      DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                </ResourceMatch>
             </Resource>
          </Resources>
          <Actions><AnyAction/></Actions>
       </Target>
       <Rule RuleId="patient-physician-or-administrator" Effect="Permit">
          <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
             <!-- subject-id matches the patient name in the record -->
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeSelector
                   RequestContextPath="//ctx:Resource/ctx:ResourceContent/md:Record/md:PatientName/text()"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <SubjectAttributeDesignator
                   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </Apply>
             <!-- subject-id matches the attending physician in the record -->
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeSelector
                   RequestContextPath="//ctx:Resource/ctx:ResourceContent/md:Record/md:Physician/text()"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <SubjectAttributeDesignator
                   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </Apply>
             <!-- subject holds the administrator role -->
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
                <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
                <AttributeValue
                   DataType="http://www.w3.org/2001/XMLSchema#string">urn:medco:role:Administrator</AttributeValue>
                <SubjectAttributeDesignator
                   AttributeId="role"
                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
             </Apply>
          </Condition>
       </Rule>
    </Policy>
    
    This corresponds to a human-managed policy where there is a
    folder of patient records.  A subject comes up to the Medical
    Records department and asks to see Record0001 (not "diagnosis
    field in Record0001").  The clerk knows the hospital's policy is
    that someone can only see a patient record if they are the
    physician, the patient, or an administrator, so asks to see ID.  The
    clerk then matches the ID against the physician name and patient
    name in the requested patient record (or says "Yes, Ma'am" if the
    requester is an administrator).  If there is a match, the clerk
    hands the entire Record0001 (or a copy of it) to the requester.
    
     > also, it would seem that the additional administrative burden (element 
     > level security access rules) would warrant a level of protection that is 
     > equally as granular? i dunno, it just seems like a stretch to me because 
     > my experience is that 'all or nothing' access control is generally 
     > associated with 'all or nothing' access control policy. ('hospital 
     > administrator' can see doc, 'bill' can't).
    
    I think this IS an "all or nothing" access control policy.  It is
    just "all, if administrator or match on these fields" and
    "nothing otherwise".
    
    Anne
    
     > b
    
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
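
The following is an added example, not part of the message above or of any XACML implementation: a small Python evaluator for the policy Anne sketches, written to show that the decision is taken once for the whole record by pulling the patient and physician fields out of <ResourceContent>, and that the <md:Diagnosis> node is never consulted. It assumes a namespace for the md prefix (the message gives none), keeps the unqualified "role" attribute id from the sketch, and stands in for a real PDP only as far as this one policy goes. The record and requests are constructed inline.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CTX = "urn:oasis:names:tc:xacml:1.0:context"
MD = "urn:medco:records"                       # assumed namespace for the md: prefix
NS = {"ctx": CTX, "md": MD}
XS = "http://www.w3.org/2001/XMLSchema#"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ID = "role"                               # unqualified, as in the sketched policy
ADMIN_ROLE = "urn:medco:role:Administrator"
TARGET_RESOURCE = "http://www.medco.com/patient-records/Record0001.xml"

# Constructed patient record with the same content as the request in the message.
RECORD_XML = f"""<md:Record xmlns:md="{MD}">
  <md:PatientName>Anne Anderson</md:PatientName>
  <md:Physician>Dr. Doofus</md:Physician>
  <md:Diagnosis>sick</md:Diagnosis>
</md:Record>"""


def attribute(attr_id, datatype, value):
    """One <Attribute> element of the XACML 1.0 request context."""
    return (f'<Attribute AttributeId="{attr_id}" DataType="{XS}{datatype}">'
            f"<AttributeValue>{escape(value)}</AttributeValue></Attribute>")


def build_request(subject_id, roles=(), resource_id=TARGET_RESOURCE, record_xml=RECORD_XML):
    """Request to 'read' one whole record; the record rides along as ResourceContent."""
    subject = attribute(SUBJECT_ID, "string", subject_id)
    subject += "".join(attribute(ROLE_ID, "string", r) for r in roles)
    return (f'<Request xmlns="{CTX}">'
            f"<Subject>{subject}</Subject>"
            f"<Resource><ResourceContent>{record_xml}</ResourceContent>"
            f'{attribute(RESOURCE_ID, "anyURI", resource_id)}</Resource>'
            f'<Action>{attribute(ACTION_ID, "string", "read")}</Action>'
            "</Request>")


def designator(req, category, attr_id):
    """AttributeDesignator: the bag of values of attr_id under <Subject>/<Resource>/<Action>."""
    path = f"ctx:{category}/ctx:Attribute[@AttributeId='{attr_id}']/ctx:AttributeValue"
    return [e.text or "" for e in req.findall(path, NS)]


def selector(req, path):
    """AttributeSelector: the bag of text() values at an XPath over the request context."""
    return [e.text or "" for e in req.findall(path, NS)]


def string_equal(a, b):
    return a == b


def any_of_any(fn, bag_a, bag_b):
    """XACML any-of-any: true if fn holds for some pair drawn from the two bags."""
    return any(fn(a, b) for a in bag_a for b in bag_b)


def evaluate(request_xml):
    """One decision for the whole document; no per-node evaluation takes place."""
    req = ET.fromstring(request_xml)
    # Target: this policy applies to Record0001 only.
    if TARGET_RESOURCE not in designator(req, "Resource", RESOURCE_ID):
        return "NotApplicable"
    subject_ids = designator(req, "Subject", SUBJECT_ID)
    patient = selector(req, ".//ctx:Resource/ctx:ResourceContent/md:Record/md:PatientName")
    physician = selector(req, ".//ctx:Resource/ctx:ResourceContent/md:Record/md:Physician")
    roles = designator(req, "Subject", ROLE_ID)
    condition = (any_of_any(string_equal, patient, subject_ids)
                 or any_of_any(string_equal, physician, subject_ids)
                 or any_of_any(string_equal, [ADMIN_ROLE], roles))
    # Single Permit rule: a false condition makes the rule, and so the policy,
    # NotApplicable.  A deny-biased PEP hands over the record only on Permit.
    return "Permit" if condition else "NotApplicable"


if __name__ == "__main__":
    for who, roles in [("Anne Anderson", ()), ("Dr. Doofus", ()),
                       ("bill", ()), ("bill", (ADMIN_ROLE,))]:
        print(f"{who} {list(roles)} -> {evaluate(build_request(who, roles))}")
```

Two edge cases worth noticing when running it: a record that lacks a <md:PatientName> element yields an empty bag from the selector, so the patient branch simply fails rather than erroring, and a request for a different resource-id falls outside the policy's target and gets NotApplicable before any field is read.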
    
    

