Tuesday, April 29, 2008

Oasis SAML and XACML Presentation

I am going to be making a presentation on Oasis SAML and XACML at the ExpeditionWorkshop (Exploring Identity Management Landscape) at NIST.

The workshop page is located here.

If you would like to take a peek at my presentation, then click here.

Oasis SAML v2 is a specification that deals with Federated Identity and Oasis XACML v2 is a specification that deals with access control.

Examples:
If you need to take a peek at SAML2 payload carrying XACML2 request/response, then please take a look at my other post.

Oasis Webinar: OpenID, Higgins, i-names, and XDI

===================
From: Dee Schur
Subject: Complimentary OASIS Webinar -- 'Hear the Experts Describe the
Relationship between OpenID, Higgins, i-names, and XDI' -- 6 May 2008,
11:00AM EDT

**Hear the Experts Describe the Relationship between OpenID, Higgins,
i-names, and XDI**

Join us for another **COMPLIMENTARY** and thought-provoking OASIS Webinar:

Date: Tuesday, May 6, 2008

Time: 11:00 AM - 12:00 PM EDT

Reserve your Webinar seat now at:

https://www1.gotomeeting.com/register/332275036

Overview:
What do OpenID, the Higgins Project, i-names, and XDI (XRI Data Interchange)
all have in common? They all use the XRI 2.0 digital identifier
specifications and XRDS discovery format from the OASIS XRI (Extensible
Resource Identifier) Technical Committee. Come to this one-hour webinar and
learn:

* Why distributed directories, digital identity frameworks, ontologies,
reputation systems, and other emerging Web technologies need abstract
structured identifiers.

* How XRI syntax combines the best features of URNs (Uniform Resource Names)
and HFNs (Human-Friendly Names).

* How XRIs are backwards-compatible with URIs (Uniform Resource Identifiers)
and IRIs (Internationalized Resource Identifiers).

* How XRDS documents are rapidly becoming the de facto service discovery
format for user-centric identity and data portability.

* The problems XRI and XRDS solved for OpenID Authentication 2.0.

* There will be a question and answer period following the presentation.
=================================================

Sunday, April 27, 2008

Entering Sensitive Information on HTTP Site

Conor's Web Log of Esoterica: What's wrong with this picture?

This is a ****SERIOUS**** no-no. Financial institutions should always use SSL to take in user identity.

The W3C WSC spec is trying to come out with strong guidelines.
http://www.w3.org/2006/WSC/drafts/rec/

With financial institutions being primary targets of phishing schemes, it is imperative that all sensitive customer information be entered on a secure page. Consider using EV certificates together with the browser indicators (green bars) so that the user can tell a legitimate page from a spoofed one.

Sunday, April 20, 2008

W3C WSC published a working draft of XIT

2008-04-03: The Web Security Context Working Group has published a Working Draft of Web Security Context: Experience, Indicators, and Trust. This specification deals with the trust decisions that users must make online, and with ways to support them in making safe and informed decisions where possible. In order to achieve that goal, this specification includes recommendations on the presentation of identity information by Web user agents; on handling errors in security protocols in a way that minimizes the trust decisions left to users, and induces them toward safe behavior where they have to make these decisions; and on data entry interactions that will make it easier for users to enter sensitive data into legitimate sites than to enter them into illegitimate sites. Learn more about the Security Activity.

Thursday, April 17, 2008

US Federal Agency GSA bets huge on Open Source

Open source 'reduces risk,' federal agency's CIO says
The agency uses a laundry list of great open-source software--initially for its information systems but also increasingly for transactional mission-critical systems--such as JBoss, Linux (Red Hat), Bugzilla (bug tracking), JUnit (testing), JMeter (Apache performance monitoring tool), Eclipse, KnowledgeTree (content management), and others.


The use of Open Source in the government sector is not surprising news, given that OSS can match or exceed the functionality of commercial closed-source software.

This news kind of coincided with my decision to participate in an Identity Management Workshop at the prestigious NIST on April 30th, 2008. I will be speaking on Oasis Standards SAML and XACML.

References:
http://www.gcn.com/blogs/tech/46132.html
http://www.linuxtoday.com/news_story.php3?ltsn=2008-04-17-018-26-NW-SW-PB

Saturday, April 12, 2008

Summary Review: Oasis XACML Interoperability Event at the RSA Conference 2008

Now that the RSA Conference 2008 has finished in San Francisco, I would like to take some time to inform you about the grand success of the Oasis XACML Interoperability event with JBoss/RedHat and the other interoperability participants, namely BEA Systems, IBM, Oracle, Sun, Axiomatics, Cisco and the Department of Veterans Affairs.

Information from the Oasis site is here.

The press release for the event from Oasis is here.

The code that has undergone two successful consecutive Oasis XACML Interoperability Events will be released soon (a matter of days) as JBossXACML v2.0.2.GA. The pending item is some documentation on usage. This library will also be included in JBoss AS 5.0 to provide XACML capabilities.

References:
1) PolicySets used in the interop.
2) Tests used for the interop.

Details:
In a nutshell, XACML is a language focused solely on Access Control. All it does is Access Control and nothing else. Given this, at the interoperability event, the VA folks came out with health care scenarios associated with Patient Privacy. There are HL7 Confidentiality Codes that can be associated with Patient medical records.

Let me give some examples:
1) Your neighbor is a doctor and is snoopy by nature. You certainly do not want him to have access to your medical records. Would you? As a patient, you can associate the UBA confidentiality code with a list of doctors that you do not want to have access to your records (the dissent list).
2) A patient arrives at a facility in an emergency. The providers do not have access to the patient's records, which are housed at another facility. They can trigger an "emergency override" to get access to the records. Shouldn't they, in an emergency?
3) A patient can decide to mask a portion of his medical records (e.g. radiology test results) from a list of providers.

The VA developed an excellent application that had a decent GUI and in the background, it interacted with its own PIP (Policy Information Point) to derive the attributes needed to create the XACML requests. Once the xacml requests were generated (based on the application interaction), then they were passed to the PDP (Policy Decision Point) of the vendors.

Summary:
A simulated health care application with real medical record data, driven by XACML-based use cases.

Additional References:
Oasis XACML Interoperability Document Bundle
^^^^^ (VERY IMPORTANT RESOURCE) ^^^^

Samples:
The following are examples of SAML2 payload carrying XACML request/responses.

Here is a sample of the request coming from the health care web application to back end PDP.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:RequestAbstract Destination="destination-uri" 
ID="s2846efb514a944cc3dc5b65ed8a76dde449787617" 
IssueInstant="2008-03-19T22:18:42Z" Version="2.0" 
xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true" 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xacml-samlp:XACMLAuthzDecisionQueryType">
<saml:Issuer 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity</saml:Issuer>
<xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os 
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">


<xacml-context:Subject>
<xacml-context:Attribute 
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Subject>

<xacml-context:Resource>
<xacml-context:Attribute 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Anthony Gurrola</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</xacml-context:AttributeValue>
</xacml-context:Attribute>

<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>xxx-DummyConfCode</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Resource>
<xacml-context:Action/>
<xacml-context:Environment>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Facility A</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Environment>
</xacml-context:Request>
</samlp:RequestAbstract>


Now a sample of a response (which includes the XACML request to which the response corresponds):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ID="response-id:1" Version="2.0" 
IssueInstant="2008-03-19T22:17:13Z">
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:xacml:1.0:status:ok">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
Version="2.0" ID="response-id:1" IssueInstant="2008-03-19T22:17:13Z">
<saml:Issuer>issuer-1</saml:Issuer>
<saml:Statement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"  
xsi:type="xacml-samlp:XACMLAuthzDecisionStatementType" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os" >
<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" >
<xacml-context:Result >
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status>
<xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
<xacml-context:StatusMessage>ok</xacml-context:StatusMessage> 
</xacml-context:Status>
<xacml:Obligations  xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" >
<xacml:Obligation ObligationId="obligation-10" FulfillOn="Permit">
</xacml:Obligation>
<xacml:Obligation ObligationId="obligation-20" FulfillOn="Permit">
<xacml:AttributeAssignment AttributeId="a-120" 
DataType="http://www.w3.org/2001/XMLSchema#string" 
xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"/>
</xacml:Obligation>
</xacml:Obligations>
</xacml-context:Result>
</xacml-context:Response>

<xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os 
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>100001</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:role" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>Chief Resident</AttributeValue>
<AttributeValue>Doctor</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:hl7permission" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>PRD-017</AttributeValue>
<AttributeValue>PRD-003</AttributeValue>
<AttributeValue>PRD-010</AttributeValue>
<AttributeValue>PRD-006</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:locality" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>Facility A</AttributeValue>
</Attribute>
</Subject>
<xacml-context:Resource>
<Attribute AttributeId="urn:va:names:xacml:2.0:record_type" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>patientchart</AttributeValue>
</Attribute>
</xacml-context:Resource>
<xacml-context:Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>read</AttributeValue>
</Attribute>
</xacml-context:Action>
<xacml-context:Environment></xacml-context:Environment>
</xacml-context:Request>

</saml:Statement>
</saml:Assertion>
</samlp:Response> 
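The following is an added example and not code from this post or from JBossXACML: it extracts the XACML decision, the two status codes and the obligations a PEP has to honour from a SAML 2.0 Response of the shape shown above, using the namespaces the samples declare. SAMPLE_RESPONSE is a constructed, shortened version of the response, with one obligation deliberately set to FulfillOn="Deny" so the filtering step has something to drop.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as declared in the SAML/XACML samples above.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
XACML_DECISIONS = {"Permit", "Deny", "Indeterminate", "NotApplicable"}

# Constructed, shortened response (not a real PDP capture).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="response-id:1" Version="2.0" IssueInstant="2008-03-19T22:17:13Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="assertion-id:1" IssueInstant="2008-03-19T22:17:13Z">
    <saml:Issuer>issuer-1</saml:Issuer>
    <saml:Statement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
        xsi:type="xacml-samlp:XACMLAuthzDecisionStatementType">
      <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xacml-context:Result>
          <xacml-context:Decision>Permit</xacml-context:Decision>
          <xacml-context:Status>
            <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
          </xacml-context:Status>
          <xacml:Obligations xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
            <xacml:Obligation ObligationId="obligation-10" FulfillOn="Permit"/>
            <xacml:Obligation ObligationId="obligation-20" FulfillOn="Deny"/>
          </xacml:Obligations>
        </xacml-context:Result>
      </xacml-context:Response>
    </saml:Statement>
  </saml:Assertion>
</samlp:Response>"""


def parse_authz_decision(xml_text: str) -> dict:
    """Return the decision, both status codes and the obligations binding the PEP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    saml_status = root.find("samlp:Status/samlp:StatusCode", NS)
    stmt = root.find("saml:Assertion/saml:Statement", NS)
    # The statement is only an authorization decision if its xsi:type says so.
    if stmt is None or not stmt.get(XSI_TYPE, "").endswith(":XACMLAuthzDecisionStatementType"):
        raise ValueError("assertion carries no XACMLAuthzDecisionStatement")
    result = stmt.find("xacml-context:Response/xacml-context:Result", NS)
    if result is None:
        raise ValueError("XACML Response has no Result")
    decision = result.findtext("xacml-context:Decision", default="", namespaces=NS).strip()
    if decision not in XACML_DECISIONS:
        raise ValueError("unknown XACML decision %r" % decision)
    xacml_status = result.find("xacml-context:Status/xacml-context:StatusCode", NS)
    obligations = [(o.get("ObligationId"), o.get("FulfillOn"))
                   for o in result.findall("xacml:Obligations/xacml:Obligation", NS)]
    # Only obligations whose FulfillOn matches the decision bind the PEP; per the
    # XACML 2.0 core spec a PEP that cannot discharge one of them must not grant access.
    return {
        "saml_status": saml_status.get("Value") if saml_status is not None else None,
        "xacml_status": xacml_status.get("Value") if xacml_status is not None else None,
        "decision": decision,
        "obligations": [oid for oid, on in obligations if on == decision],
        "ignored_obligations": [oid for oid, on in obligations if on != decision],
    }
```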


Reference:
Oasis XACML Interoperability (RSA Conference 2008)

NOTE: If you need additional info, do not hesitate to email me at "asaldhan at redhat dot com" <======

JBossXACML v2.0.2.GA released

Note: JBossXACML v2.0.3.CR1 is here. <=======

After a very successful interoperability at the Oasis XACML Interoperability event at the RSA Conference 2008, I released the v2.0.2.GA libraries of JBossXACML. The JIRA issue is SECURITY-193.

What should be expected in 2.0.2.GA libraries?
1) Oasis XACML v2.0 core.
2) SOAP v1.1 / SAML 2.0 payload carrying XACML request/response capabilities (using OpenSAML v2.0).
- We will have packaged servlets for usage. :)
3) JAXB v2.0 object model for policies, requests, etc. (if you would rather not deal with the XML directly).

Stay tuned.

Additionally, as part of the Open Console or Embedded Console of JBoss AS5, we should have a decent free xacml editor to create policy sets (in the works now).

Where should I look for the files to download?
http://www.jboss.org/jbosssecurity/download/index.html

Information:
Wiki: http://wiki.jboss.org/wiki/JBossXACML

My appreciation to Marcus Moyses for all the help he rendered during the pre-interop preparation. Marcus is leading our xacml console effort.

Testimonials

April 24, 2008
The demo is now operational, so no code changes are necessary at the moment. We started from a commercial product that did not meet expectations. In fourteen days effort we were able to retarget and deliver using JBossXACML, mainly by closely following the JBossXACML test cases. I am very happy we discovered the alternative, and it is much more robust than the commercial alternative. Well done!


UPDATE: November 16, 2008
I know that many folks out there in the community and the industry are making use of JBossXACML. I would really like to know if JBossXACML has been useful to you. So please drop me a note at (Anil dot Saldhana at redhat dot com) if you find JBossXACML useful. When people find OSS projects useful, it gives its developers satisfaction. CHEERS!!!

Tests for the Oasis XACML Interoperability Event at RSA Conference 2008

Now that we have seen the Policy Set(s) for the interoperability tests, I would like to point out the tests that pass in requests and expect the desired result. Please note that these tests are just a reflection of the interaction that happened between the Health care application developed by the Department of Veterans Affairs (VA) and the PDPs of individual companies.

The JUnit Test Case is here: InteropUnitTestCases

The various request files used in this test case are available at:
OasisXACMLInteroperabilityEventAtRSAConferenceRequests


Pseudo-Code for the evaluation:

if ( ! (request.subject.locality == request.environment.locality) )
    if ( ! ("hl7.pea-001" == any-of(request.subject.hl7.permission)) )
        Result = Deny
    else
        Result = Permit
        response.add(Obligation(emergency.override, ffon-permit))
    end
end
if ( ! (Result == Deny) )
    if (request.hl7.conf-code == "UBA")
        if ( ! (request.subject.subject-id == any-of(request.resource.hl7.dissented-subject-id)) )
            Result = Permit
        else
            Result = Deny
            response.add(Obligation(privacy.constraint, ffon-deny))
        end
    end
end
if ( ! (Result == Deny) )
    if (request.hl7.conf-code == "MA")
        if (request.subject.subject-id == any-of(request.resource.hl7.object.1.dissented-subject-id))
            Result = Permit
            response.add(Obligation(privacy.constraint.object.1, ffon-permit))
        end
        ...
        if (request.subject.subject-id == any-of(request.resource.hl7.object.n.dissented-subject-id))
            Result = Permit
            response.add(Obligation(privacy.constraint.object.n, ffon-permit))
        end
    end
end
if ( ! (Result == Deny) )
    if (request.resource.type == "resource.hl7.progress-note")
        if (request.resource.progress-note.signed == false)
            if ( ! (request.subject.subject-id == any-of(request.resource.progress-note.author-subject-id)) )
                Result = Deny
            end
        end
    end
end
if ( ! (Result == Deny) )
    if (request.subject.role == role.hl7.physician)
        check-vrole-permissions()
    end
    if ( ! (Result == Permit) )
        if ( (hl7.prd-003 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-005 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-006 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-009 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-010 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-012 == subset-of(subject.hl7.permission[n-values])) &&
             (hl7.prd-017 == subset-of(subject.hl7.permission[n-values])) )
            check-vrole-permissions()
        end
    end
    // need to add here a deny if no permit found
end

check-vrole-permissions()
    if (request.resource.type == "hl7-medical-record")
        if (request.resource.hl7.permission[m-values] == subset-of(subject.hl7.permission[n-values]))
            Result = Permit
        end
    end
return
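The pseudo-code above carried out as a runnable evaluator, added here as an example; it is not JBossXACML or the VA application's code. The Request and Response dataclasses, the shortened permission names (prd-003 rather than the full urn) and the sample requests are constructed simplifications of the XACML request context, and the trailing default Deny implements the "need to add here a deny" comment.

```python
from dataclasses import dataclass, field

# The seven HL7 medical-record permissions the pseudo-code tests as a collection.
MED_REC_PERMISSIONS = frozenset(
    {"prd-003", "prd-005", "prd-006", "prd-009", "prd-010", "prd-012", "prd-017"}
)
EMERGENCY_PERMISSION = "hl7.pea-001"


@dataclass
class Request:
    """Flattened request context (constructed; not the XML wire format)."""
    subject_id: str
    subject_locality: str
    environment_locality: str
    subject_permissions: frozenset = frozenset()
    subject_roles: frozenset = frozenset()
    resource_type: str = "hl7-medical-record"
    resource_permissions: frozenset = frozenset()
    conf_code: str = "N"                             # HL7 confidentiality code
    dissented_subject_ids: frozenset = frozenset()   # UBA dissent list
    masked_objects: dict = field(default_factory=dict)  # MA: object -> dissented ids
    progress_note_signed: bool = True
    progress_note_authors: frozenset = frozenset()


@dataclass
class Response:
    decision: str = "NotApplicable"
    obligations: list = field(default_factory=list)  # (ObligationId, FulfillOn)


def check_vrole_permissions(req: Request, resp: Response) -> None:
    """Permit when every permission the record requires is held by the subject."""
    if (req.resource_type == "hl7-medical-record"
            and req.resource_permissions <= req.subject_permissions):
        resp.decision = "Permit"


def evaluate(req: Request) -> Response:
    resp = Response()
    # 1. Emergency override: subject is at a different facility than the record.
    if req.subject_locality != req.environment_locality:
        if EMERGENCY_PERMISSION not in req.subject_permissions:
            resp.decision = "Deny"
            return resp
        resp.decision = "Permit"
        resp.obligations.append(("emergency.override", "Permit"))
    # 2. UBA: the patient's dissent list wins (deny-overrides in the policy set).
    if req.conf_code == "UBA":
        if req.subject_id in req.dissented_subject_ids:
            resp.decision = "Deny"
            resp.obligations.append(("privacy.constraint", "Deny"))
            return resp
        resp.decision = "Permit"
    # 3. MA: masked objects yield Permit plus one obligation per masked object,
    #    which tells the PEP to hide that object from this subject.
    if req.conf_code == "MA":
        for obj, dissented in sorted(req.masked_objects.items()):
            if req.subject_id in dissented:
                resp.decision = "Permit"
                resp.obligations.append(("privacy.constraint.%s" % obj, "Permit"))
    # 4. Business rule: an unsigned progress note is visible only to its author.
    if (req.resource_type == "hl7-progress-note" and not req.progress_note_signed
            and req.subject_id not in req.progress_note_authors):
        resp.decision = "Deny"
        return resp
    # 5. RBAC: physicians, or subjects holding the whole permission collection,
    #    get the per-record permission check; anything still not Permit is Deny.
    if "physician" in req.subject_roles:
        check_vrole_permissions(req, resp)
    if resp.decision != "Permit" and MED_REC_PERMISSIONS <= req.subject_permissions:
        check_vrole_permissions(req, resp)
    if resp.decision != "Permit":
        resp.decision = "Deny"
    return resp
```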

PolicySet for the Oasis XACML Interoperability at RSA Conference

The policies are available for usage here. <==
(Note: To get to the policies, click the link at here).


The top level policy that drives the entire interop is:

XacmlPolicySet-01-top-level.xml

==================================

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Top level policy set which combines the CDA and N confidentiality codes.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:emergency"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:emergency</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:CDA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>UBA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:CDA</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:MA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>MA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:MA</PolicySetIdReference>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA:default-to-permit"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA"
Effect="Permit">
<Description>
If a Deny was obtained for object above then set Permit by default.
</Description>
</Rule>
</Policy>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:bus-rule"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:N"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N</PolicySetIdReference>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections</PolicySetIdReference>
</PolicySet>
</PolicySet>



XacmlPolicySet-02a-CDA.xml

===========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:CDA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the UBA confidentiality code.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:CDA"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:1"
Effect="Permit">
<Description>
If the access subject is NOT one of those users which consent has
been removed, then permit.
</Description>
<Target/>
<Condition>
<!-- True if hl7:dissented-subject-id NOT EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<!-- True if hl7:dissented-subject-id EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:2"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation instructs the PEP to apply privacy constraints to -->
<!-- user's responsibility for the data. -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:privacy:constraint"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>



XacmlPolicySet-02b-N.xml

=========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for evaluating the subject:role attributes.
This implements an RBAC policy. This policy set matches
subject roles and refers to permission policy sets.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:physician"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:role:hl7:physician</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
</PolicySet>



XacmlPolicySet-02c-N-PermCollections.xml

=========================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for evaluating the subject:hl7:permission attributes.
This implements an RBAC policy. This policy set matches
subject roles and refers to permission policy sets.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-0"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-1"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
</PolicySet>
</PolicySet>



XacmlPolicySet-02d-prog-note.xml
==================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the business rule for unsigned progress notes.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:progress-note"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:sig"
Effect="Permit">
<Description>
If the progress-note is signed allow any user to see it. If not signed
then only author may see it.
</Description>
<Target/>
<Condition>
<!-- True if resource:hl7:progress-note:signed EQUAL TO True -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>True</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:signed"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:author"
Effect="Permit">
<Description>
If a Permit was not obtained then subject must be author.
</Description>
<Target/>
<Condition>
<!-- True if hl7:dissented-subject-id EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:author-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:deny-sig"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation informs the PEP access denied unsigned non-author -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:deny:unsigned:non-author"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>


XacmlPolicySet-02e-MA.xml
==========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:MA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the MA confidentiality code.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:1"
Effect="Deny">
<Description>
If the access subject is NOT one of those users which consent has
been removed, then deny.
Note: there is reverse logic here because the Obligation that denies
access to the user for this object must be issued when the user has
obtained a Permit. So, the caller of this policy must know to reverse
sense as well.
</Description>
<Target/>
<Condition>
<!-- True if hl7:radiology:dissented-subject-id NOTEQUALTO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<!-- True if hl7:radiology:dissented-subject-id EQUALTO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:2"
Effect="Permit">
<Description>
If a Deny was not obtained above then set Permit by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation instructs the PEP to apply privacy constraints to -->
<!-- user's responsibility for the data. -->
<Obligation
ObligationId=
"urn:va:xacml:2.0:interop:rsa8:obligation:ma:privacy:constraint:radiology"
FulfillOn="Permit"/>
</Obligations>
</Policy>
</PolicySet>



XacmlPolicySet-02f-emergency.xml
=================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:emergency"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set to allow emergency access for non-facility subjects.
Returns Deny if user not from supported facility AND does not have emergency perm
Returns Permit if not from supported facility AND not denied access
Returns NotApplicable if plain old user from supported facility
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:emergency"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:deny"
Effect="Deny">
<Description>
If the subject is not from a supported facility AND
. if the subject does not have emergency permission THEN Deny access.
</Description>
<Target/>
<Condition>
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<!-- AND if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId=
"urn:oasis:names:tc:xacml:1.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<EnvironmentAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:environment:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
<!-- True if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:pea-001</AttributeValue>
<SubjectAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:permit"
Effect="Permit">
<Description>
If a Deny was not obtained above AND subject not part of a supported
facility then subject must have emergency permission.
</Description>
<Target/>
<Condition>
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId=
"urn:oasis:names:tc:xacml:1.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<EnvironmentAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:environment:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation informs the PEP user granted emergency access -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:emergency:permit"
FulfillOn="Permit"/>
</Obligations>
</Policy>
</PolicySet>
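The three outcomes listed in the emergency policy's Description, worked through in an added Python example (this is not the VA interop code or any XACML engine): it transcribes the two rule conditions and the XACML 2.0 deny-overrides rule-combining algorithm, represents a request as `{category: {attribute-id: [values]}}` bags (an assumed encoding), and omits Target matching because every Target in this policy is empty.

```python
import operator

class Indeterminate(Exception): pass  # e.g. one-and-only applied to a bag of size != 1

# The XACML 1.0 standard functions the policy relies on; bags are plain lists.
def string_one_and_only(bag):
    if len(bag) != 1:
        raise Indeterminate("string-one-and-only on bag of size %d" % len(bag))
    return bag[0]

def any_of(fn, value, bag):
    return any(fn(value, item) for item in bag)

# Attribute and obligation identifiers taken from XacmlPolicySet-02f-emergency.xml.
LOCALITY = "urn:oasis:names:tc:xacml:1.0:subject:locality"
ENV_LOCALITY = "urn:va:xacml:2.0:interop:rsa8:environment:locality"
PERMISSION = "urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
PEA_001 = "urn:va:xacml:2.0:interop:rsa8:hl7:pea-001"
EMERGENCY_OBLIGATION = "urn:va:xacml:2.0:interop:rsa8:obligation:emergency:permit"

def bag(req, category, attr_id):
    # Assumed request encoding: {category: {attribute-id: [values]}}; missing = empty bag.
    return req.get(category, {}).get(attr_id, [])

# Conditions transcribed from the two rules of the emergency policy.
def not_from_supported_facility(req):
    # not(any-of(string-equal, one-and-only(subject:locality), environment:locality))
    site = string_one_and_only(bag(req, "subject", LOCALITY))
    return not any_of(operator.eq, site, bag(req, "environment", ENV_LOCALITY))

def lacks_emergency_permission(req):
    # not(any-of(string-equal, pea-001, subject:hl7:permission))
    return not any_of(operator.eq, PEA_001, bag(req, "subject", PERMISSION))

EMERGENCY_RULES = [  # (Effect, Condition) in document order; "and" short-circuits
    ("Deny", lambda r: not_from_supported_facility(r) and lacks_emergency_permission(r)),
    ("Permit", not_from_supported_facility),
]

def deny_overrides(rules, req):
    """XACML 2.0 deny-overrides rule-combining algorithm (spec Appendix C.1)."""
    potential_deny = some_permit = some_error = False
    for effect, condition in rules:
        try:
            decision = effect if condition(req) else "NotApplicable"
        except Indeterminate:
            decision = "Indeterminate"
        if decision == "Deny":
            return "Deny"
        if decision == "Permit":
            some_permit = True
        elif decision == "Indeterminate":
            some_error, potential_deny = True, potential_deny or effect == "Deny"
    if potential_deny:
        return "Indeterminate"
    return "Permit" if some_permit else ("Indeterminate" if some_error else "NotApplicable")

def decide_emergency(req):
    """Decision plus the obligations whose FulfillOn matches it (one here, on Permit)."""
    decision = deny_overrides(EMERGENCY_RULES, req)
    return decision, ([EMERGENCY_OBLIGATION] if decision == "Permit" else [])
```

A request with no subject:locality at all comes back Indeterminate rather than Permit, which is the behaviour a PEP must handle explicitly; the same combining routine serves the deny-overrides policies elsewhere on this page.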



XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml
==============================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId=
"urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set that points to the Permission PolicySet for medical record
resources and actions.
</Description>
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004</PolicySetIdReference>
</PolicySet>



XacmlPolicySet-04-N-PPS-PRD-004.xml
====================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the PRD-004 permission. This permission allows
access to all medical records.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:N:PPS:PRD-004:1"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:demographics</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:chart</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:problemlist</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:procedures</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:laboratory</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medications</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:vitals</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:patientsearch</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:policy:N:PPS:PRD-004:1:rule:1"
Effect="Permit">
<Condition>

<!-- Returns true iff the first argument is a subset of the second argument -->
<!-- i.e. the permissions required by the resource must be a -->
<!-- subset of the permissions supplied by the subject -->

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">

<!-- 1st argument: returns the values of all Attributes with -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" and -->
<!-- AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission" -->
<ResourceAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"/>

<!-- 2nd argument: returns the values of all Attributes with -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" and -->
<!-- AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" -->
<SubjectAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"/>

</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:N:PPS:PRD-004:1:rule:2"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
</Policy>
</PolicySet>

Monday, April 7, 2008

Oasis XACML Interoperability Event at RSA Conference (Day 1)

Just wanted to inform the readers that multiple companies, including JBoss/Red Hat, are cooped up at the Moscone Center to demonstrate Oasis XACML 2.0 interoperability with a health care application developed by the Department of Veterans Affairs (VA). You can read the press release that went out today on this one here.


OASIS Members Demonstrate Interoperability of XACML Access Control Standard in HITSP Health Care Scenario


In a nutshell, this interoperability event is an important step towards adopting a viable solution for the growing access control space, and real proof that the standard can handle the increasingly complex world of health care.

Hopefully during the week, I am going to give more details on the interoperability with policies, requests, access decisions etc.

UPDATE: The use cases that were incorporated into the health care application have been successfully tested with the PDPs of all the vendors at the interop.