XACML Briefing for PMRM TC
Hal Lockhart, July 8, 2014
What is XACML?
- XML language for access control
- Coarse- or fine-grained
- Extremely powerful evaluation logic
- Ability to use any available information
- Superset of permissions, ACLs, RBAC, etc.
- Scales from PDA to Internet
- Federated policy administration
- OASIS and ITU-T standard
OASIS XACML Standard specifies:
- An architecture (aka Attribute-based Access Control, ABAC)
- A policy language (format and evaluation semantics)
- Request formats (XML/SOAP, JSON/REST, programmatic via the OpenAz project)
XACML Architecture (diagram)
- A Client makes a request to the Application; the Application's PEP (Enforcement) guards the Resources
- The PEP asks a PDP (Decision) for a decision; several PDPs may be deployed
- The PDP draws on a Policy Repository that is populated through Administration
- The PDP obtains attribute values from Authorities and Attribute Repositories
Powerful Policy Expression
- "Anyone can use web servers with the 'spare' property between 12:00 AM and 4:00 AM"
- "Salespeople can create orders, but if the total cost is greater than $1M, a supervisor must approve"
- "Anyone can view their own 401K information, but nobody else's"
- "The print formatting service can access printers and temporary storage on behalf of any user with the print attribute"
- "The primary physician can have any of her patients' medical records sent to a specialist in the same practice."
Key XACML Features
- Federated policy administration: multiple policies may apply to the same situation; combining rules resolve conflicts
- Decision may include Obligations and Advice: more than just Permit or Deny; an obligation can specify a present or future action (examples: log the request, require human approval, delete data after 30 days)
- Protect any resource: web server, Java or C++ object, room in a building, network access, web service, geographic data, health records, etc.
XACML Benefits
- Standard policy language: investment protection, skills reuse, leverage of XML tools
- Policy not in application code: reduced cost of changes, consistent application, enables audit
Policy Evaluation in Brief - 1
- Attribute-based access control (ABAC)
- Attributes are associated with Subject(s), Action, Resource or Environment
- Attributes may represent static (group membership) or dynamic (number of accesses) properties
- PDP is stateless: a dynamic value such as an access count is supplied with the request or fetched from an attribute repository at evaluation time, not remembered by the PDP
Policy Evaluation in Brief - 2
- Policies contain Boolean expressions
- If false, the policy is not applicable
- If true, its Effect (Permit or Deny) is returned
Policy Evaluation in Brief - 3
- Combining algorithms resolve conflicting policy results; the typical choice is Deny Overrides
- Obligations associated with the final Effect are also returned
- Policies are tree-structured to simplify management
XACML Concepts (diagram)
- PolicySet: Target, Policies, Obligations
- Policy: Target, Rules, Obligations
- Rule: Target, Condition, Effect
XACML Policy Tree (diagram)
A root Policy Set contains Policies and nested Policy Sets; the nested Policy Sets contain further Policies; each Policy contains one or more Rules, which are the leaves of the tree.
Decision Request Interfaces
- Abstract interface defined in XML, profiled as a real protocol over SOAP
- Programmatic interfaces permitted, but unspecified
- JavaScript Object Notation (JSON) format: functionally equivalent to the XML/SOAP format; xacml+json MIME type approved by IANA
- REST-based communications: can carry JSON or XML format requests
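The following is an added example, not code from this briefing, from OASIS or from the PMRM TC. It is a toy Python PDP that ties the preceding slides together: the "Anyone can view their own 401K information, but nobody else's" policy from the Powerful Policy Expression slide is written as XACML 3.0 XML (Target, Rule, Condition, Effect, ObligationExpression, deny-overrides rule combining), the request is shaped like the XACML JSON profile with its short category names, and the response is shaped like a JSON profile response carrying only the obligations of the final effect. Assumptions: the urn:example:* attribute and obligation ids are invented for the example, only string-equal and string-one-and-only are implemented, requests are accepted only with the short category names, and the deny-overrides step is simplified (it collapses the specification's extended Indeterminate values into one).

```python
"""Toy XACML 3.0 PDP (added example, not OASIS code): a policy subset, JSON-profile-shaped requests, deny-overrides."""
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SHORT = {SUBJECT: "AccessSubject", RESOURCE: "Resource", ACTION: "Action"}   # JSON profile short category names
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ONE = "urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"
OWNER, HOLD = "urn:example:record-owner", "urn:example:legal-hold"   # assumed resource attribute ids
LOG = "urn:example:obligation:log-access"                            # assumed obligation id
# "Anyone can view their own 401K information, but nobody else's", plus a Deny rule for records under legal hold.
POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="urn:example:policy:401k" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf><Match MatchId="{EQ}">
    <AttributeValue DataType="{STRING}">view</AttributeValue>
    <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target>
  <Rule RuleId="owner-may-view" Effect="Permit">
    <Condition><Apply FunctionId="{EQ}">
      <Apply FunctionId="{ONE}"><AttributeDesignator Category="{SUBJECT}" AttributeId="{SUBJECT_ID}"
        DataType="{STRING}" MustBePresent="true"/></Apply>
      <Apply FunctionId="{ONE}"><AttributeDesignator Category="{RESOURCE}" AttributeId="{OWNER}"
        DataType="{STRING}" MustBePresent="true"/></Apply>
    </Apply></Condition>
    <ObligationExpressions><ObligationExpression ObligationId="{LOG}" FulfillOn="Permit"/></ObligationExpressions>
  </Rule>
  <Rule RuleId="record-under-legal-hold" Effect="Deny">
    <Target><AnyOf><AllOf><Match MatchId="{EQ}">
      <AttributeValue DataType="{STRING}">true</AttributeValue>
      <AttributeDesignator Category="{RESOURCE}" AttributeId="{HOLD}" DataType="{STRING}" MustBePresent="false"/>
    </Match></AllOf></AnyOf></Target>
  </Rule>
</Policy>"""

def one_and_only(b):   # XACML bag -> the single value it holds; any other size is an evaluation error
    if len(b) != 1: raise ValueError("bag of %d values where exactly one is required" % len(b))
    return b[0]

FUNCTIONS = {EQ: lambda a, b: a == b, ONE: one_and_only}   # the only two XACML functions this toy supports

def expr(el, req):
    """Evaluate an expression element: a literal, a designator (which yields a bag) or a function Apply."""
    tag = el.tag.split("}")[1]
    if tag == "AttributeValue":
        return el.text
    if tag == "AttributeDesignator":   # every value of that attribute in the request's category
        attrs = [a for c in req["Request"].get(SHORT[el.get("Category")], []) for a in c.get("Attribute", [])]
        b = [v for a in attrs if a["AttributeId"] == el.get("AttributeId")
             for v in (a["Value"] if isinstance(a["Value"], list) else [a["Value"]])]
        if not b and el.get("MustBePresent") == "true":
            raise ValueError("missing required attribute " + el.get("AttributeId"))
        return b
    return FUNCTIONS[el.get("FunctionId")](*[expr(c, req) for c in el])   # Apply: function of its children

def target_applies(el, req):
    """Target = AND over AnyOf, OR over AllOf, AND over Match; a missing or empty Target matches everything."""
    def match(m):
        value, designator = list(m)
        return any(FUNCTIONS[m.get("MatchId")](value.text, v) for v in expr(designator, req))
    t = el.find("x:Target", NS)
    return t is None or all(any(all(match(m) for m in allof) for allof in anyof) for anyof in t)

def eval_rule(rule, req):
    """A rule yields its Effect only when target and condition hold; evaluation errors become Indeterminate."""
    try:
        cond = rule.find("x:Condition", NS)
        if not target_applies(rule, req) or (cond is not None and expr(cond[0], req) is not True):
            return "NotApplicable", []
        effect = rule.get("Effect")
        obs = rule.iterfind("x:ObligationExpressions/x:ObligationExpression", NS)
        return effect, [o.get("ObligationId") for o in obs if o.get("FulfillOn") == effect]
    except (ValueError, KeyError):     # missing MustBePresent attribute, unknown function or category
        return "Indeterminate", []

def deny_overrides(results):
    """Simplified 3.0 deny-overrides: any Deny wins, then Indeterminate, then Permit, else NotApplicable."""
    final = next((d for d in ("Deny", "Indeterminate", "Permit") if any(r[0] == d for r in results)), "NotApplicable")
    return final, [o for d, obs in results if d == final for o in obs]   # only the winning effect's obligations

def evaluate(policy_xml, req):
    """Evaluate one policy; the result is shaped like a response in the XACML JSON profile."""
    policy = ET.fromstring(policy_xml)
    results = [eval_rule(r, req) for r in policy.iterfind("x:Rule", NS)] if target_applies(policy, req) else []
    decision, obligations = deny_overrides(results)
    resp = {"Decision": decision, **({"Obligations": [{"Id": o} for o in obligations]} if obligations else {})}
    return {"Response": [resp]}

def request(subject_id, action_id, owner, hold=False):   # a constructed request in the JSON profile's shape
    attr = lambda i, v: {"AttributeId": i, "Value": v}
    resource = [attr(OWNER, owner)] + ([attr(HOLD, "true")] if hold else [])
    return {"Request": {"AccessSubject": [{"Attribute": [attr(SUBJECT_ID, subject_id)]}],
                        "Action": [{"Attribute": [attr(ACTION_ID, action_id)]}], "Resource": [{"Attribute": resource}]}}

if __name__ == "__main__":
    print([evaluate(POLICY_XML, request(*a)) for a in (("alice", "view", "alice"), ("bob", "view", "alice"))])
```

Alice viewing her own record gets Permit together with the log obligation; Bob viewing Alice's record gets NotApplicable rather than Deny, because no rule applies to him; a record under legal hold gets Deny even though the owner rule permitted, and the Permit rule's obligation is discarded with it; a request with no subject-id at all is Indeterminate because the Condition's designator is marked MustBePresent. A PEP built on this model must therefore be deny-biased: only a Permit whose obligations it can fulfil grants access, and NotApplicable and Indeterminate are refusals.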
Prior XACML Privacy work
- Privacy Profile: defines 2 attributes, "Purpose" in the Action category and "Purpose" in the Resource category, and a rule to match purposes
- XSPA XACML Profile: OASIS Standard in 2009; based on prior work at HL7; defines 53 attributes (14 normative); several public interops; new profile in progress
Referencing XACML in other Standards
- Attributes: which ones may be needed; their Category (Subject, Resource, etc.); precise semantics (data type, legal values)
- Policy: agreed-upon policies (normative); example policies (illustrate potential use of the attributes)
Useful Links
- XACML core specification: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc
- Privacy Profile: http://docs.oasis-open.org/xacml/3.0/privacy/v1.0/xacml-3.0-privacy-v1.0.doc
- XSPA Standard: http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.doc
- Interop Policies: https://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip and https://www.oasis-open.org/committees/download.php/32225/HIMSS-OASIS-Interop-documents.zip
Discussion