
Saturday, April 12, 2008

PolicySet for the Oasis XACML Interoperability at RSA Conference

The policies are available for download here.
(Note: to get to the policy files, follow the "here" link on the line above; the individual files are reproduced below.)


The top level policy that drives the entire interop is:

XacmlPolicySet-01-top-level.xml

==================================

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Root of the RSA 2008 interop policy tree. The root combines its five
  branches (emergency, CDA/UBA, MA, progress-note business rule, N/RBAC) with
  deny-overrides: a Deny from ANY branch is the final answer, and under
  XACML 2.0 policy-combining deny-overrides an Indeterminate from a branch is
  also reported as Deny (fail-closed).
  Practical consequence: the Permit produced by the emergency branch cannot
  override a Deny from the N/RBAC branch. Emergency permission only decides
  whether a non-facility subject is denied outright.
-->
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Top level policy set. Combines, under deny-overrides, the emergency-access
policy set, the CDA policy set (UBA confidentiality code), the MA
confidentiality-code policy set, the progress-note business rule and the
N policy sets (RBAC by subject role and by permission collection).
</Description>
<Target/>
<!-- Emergency access. Applies to every request (empty Target). The referenced
     set returns Deny for a non-facility subject without emergency permission,
     Permit (with an audit obligation) for a non-facility subject that has it,
     and NotApplicable for subjects from a supported facility.
     See XacmlPolicySet-02f-emergency.xml. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:emergency"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:emergency</PolicySetIdReference>
</PolicySet>
<!-- Patient dissent for resources whose HL7 confidentiality code is exactly
     "UBA" (string-equal, case-sensitive). The referenced CDA set denies a
     dissented subject and attaches a privacy-constraint obligation to Deny. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:CDA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>UBA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:CDA</PolicySetIdReference>
</PolicySet>
<!-- MA confidentiality code (radiology). NOTE(review): the nested
     default-to-permit Policy below has an unconditional Permit rule, so under
     permit-overrides this PolicySet ALWAYS returns Permit for MA resources,
     whatever the referenced MA policy decided. The MA policy's Deny is only a
     signal; the restriction for a dissented subject is carried by the
     privacy-constraint obligation the MA policy attaches to its Permit (see
     the reverse-logic note in XacmlPolicySet-02e-MA.xml). If the PEP does not
     honour obligations this branch fails open. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:MA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>MA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:MA</PolicySetIdReference>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA:default-to-permit"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<!-- Unconditional Permit: no Target, no Condition. -->
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA"
Effect="Permit">
<Description>
Unconditional Permit. Under permit-overrides this makes the enclosing
PolicySet return Permit for every MA resource, whatever the MA policy
above decided. The restriction for dissented subjects is carried by the
obligation the MA policy attaches to its own Permit, not by the decision.
</Description>
</Rule>
</Policy>
</PolicySet>
<!-- Business rule for unsigned progress notes. Applies only when the resource
     type is exactly the progress-note URN; the referenced set permits a signed
     note to anyone, an unsigned note to its author only, and denies the rest. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:bus-rule"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note</PolicySetIdReference>
</PolicySet>
<!-- RBAC. permit-overrides between the role route (N) and the permission
     collection route (N:PermCollections); both end in the PRD-004 permission
     PolicySet, which permits only when every permission the resource requires
     is held by the subject and denies otherwise. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:N"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N</PolicySetIdReference>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections</PolicySetIdReference>
</PolicySet>
</PolicySet>



XacmlPolicySet-02a-CDA.xml

===========================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Patient-dissent policy for resources carrying the UBA confidentiality code
  (reached from the top-level CDA branch). A subject listed in the resource's
  dissented-subject-id bag is denied; every other subject is permitted.
  Security notes:
  - subject-id is compared with string-equal: exact, case-sensitive. Assumes
    the PEP/PIP emits subject identifiers in one canonical form - confirm.
  - string-one-and-only makes rule CDA:1 Indeterminate when the request has
    zero or several subject-id values. permit-overrides then reports the
    Policy as Indeterminate and the enclosing deny-overrides PolicySet
    reports Deny, so malformed requests fail closed.
  - An empty dissented-subject-id bag means no dissent is recorded: any-of
    over an empty bag is false, not(false) is true, CDA:1 permits.
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:CDA"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>Policy set for the UBA confidentiality code.</Description>
  <Target/>
  <Policy PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:CDA"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
    <!-- CDA:1 - Permit when the requesting subject is NOT in the resource's
         dissented-subject-id list. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:1" Effect="Permit">
      <Description>
        Permit unless the access subject is one of the users whose consent
        has been removed.
      </Description>
      <Target/>
      <Condition>
        <!-- not( any-of( string-equal, one-and-only(subject-id), dissented-subject-id bag ) ) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <!-- CDA:2 - catch-all Deny, effective only when CDA:1 did not Permit. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:2" Effect="Deny">
      <Description>Default Deny when no Permit was obtained above.</Description>
    </Rule>
    <Obligations>
      <!-- Returned to the PEP only when this Policy's decision is Deny:
           apply privacy constraints for the data. -->
      <Obligation ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:privacy:constraint"
                  FulfillOn="Deny"/>
    </Obligations>
  </Policy>
</PolicySet>



XacmlPolicySet-02b-N.xml

=========================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Role PolicySet (RPS) layer of the RBAC profile: maps a subject role to the
  permission PolicySet it may reach. Only the physician role is defined; a
  subject whose subject:role bag holds no physician value gets NotApplicable
  from this set. The role value is matched with string-equal (exact,
  case-sensitive).
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>
    Policy set for evaluating the subject:role attributes.
    This implements an RBAC policy. This policy set matches
    subject roles and refers to permission policy sets.
  </Description>
  <Target/>
  <!-- Physician role: routes to the medical-record virtual role, which in
       turn references the PRD-004 permission PolicySet. -->
  <PolicySet PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:physician"
             PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:role:hl7:physician</AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <PolicySetIdReference>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
  </PolicySet>
</PolicySet>



XacmlPolicySet-02c-N-PermCollections.xml

=========================================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Second RBAC route. Reaches the medical-record permission PolicySet
  (N:RPS:med-rec-vrole, which references N:PPS:PRD-004) from the subject's
  hl7:permission attributes instead of from subject:role.
-->
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for evaluating the subject:hl7:permission attributes.
This implements an RBAC policy. This policy set matches
subject permission collections and refers to the medical-record
permission policy set.
</Description>
<Target/>
<!-- med-rec-perm-set: permit-overrides between the two routes below, both
     of which end in med-rec-vrole / PRD-004. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<!-- NOTE(review): med-rec-perm-set-0 has an empty Target, so it applies to
     EVERY subject and unconditionally reaches med-rec-vrole / PRD-004. The
     permission gate in med-rec-perm-set-1 below is therefore not a
     precondition for reaching PRD-004; PRD-004's own subset check is what
     decides. Confirm this is the intended interop behaviour. -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-0"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
<!-- med-rec-perm-set-1. XACML 2.0 ANDs the SubjectMatch elements inside one
     <Subject> element, so this Target matches only a subject whose
     hl7:permission bag holds ALL seven values (prd-003, 005, 006, 009, 010,
     012, 017). To match a subject holding ANY one of them, each permission
     would need its own <Subject> element (Subject elements are ORed). -->
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-1"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
</PolicySet>
</PolicySet>



XacmlPolicySet-02d-prog-note.xml

==================================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Business rule for progress notes (reached from the top-level bus-rule
  branch, which targets resource type progress-note). A signed note is
  visible to any subject; an unsigned note only to its author; anything else
  is denied, with an obligation telling the PEP why.
  Review notes:
  - "signed" travels as the string "True" and is compared with string-equal,
    so the test is exact and case-sensitive. A PIP emitting "true" or "1"
    silently falls through to the author rule and then to Deny: fail-closed,
    but easy to misconfigure. An xs:boolean attribute with boolean-equal would
    remove the ambiguity (assumption about the PIP - confirm).
  - The author rule uses string-one-and-only on subject-id; zero or several
    subject-id values make it Indeterminate, which permit-overrides reports
    as Indeterminate and the enclosing deny-overrides PolicySet as Deny.
-->
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the business rule for unsigned progress notes.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:progress-note"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<!-- Rule 1: signed note, anyone may read it. -->
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:sig"
Effect="Permit">
<Description>
If the progress-note is signed allow any user to see it. If not signed
then only author may see it.
</Description>
<Target/>
<Condition>
<!-- True if resource:hl7:progress-note:signed EQUAL TO True -->
<!-- any-of(string-equal, "True", signed bag): exact match on the literal "True". -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>True</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:signed"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<!-- Rule 2: unsigned note, only the author may read it. -->
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:author"
Effect="Permit">
<Description>
If a Permit was not obtained then subject must be author.
</Description>
<Target/>
<Condition>
<!-- True if hl7:progress-note:author-subject-id EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:author-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<!-- Rule 3: catch-all Deny; effective only when neither Permit rule fired. -->
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:deny-sig"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation informs the PEP access denied unsigned non-author -->
<!-- Returned only when this Policy's decision is Deny. -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:deny:unsigned:non-author"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>


XacmlPolicySet-02e-MA.xml

==========================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Patient-dissent policy for the MA confidentiality code (radiology).
  Inverted logic, on purpose: rule MA:1 returns Deny for a subject who is NOT
  in the resource's dissent list, rule MA:2 returns Permit otherwise, and the
  privacy-constraint obligation is attached to Permit. The obligation is
  therefore emitted exactly when a dissented subject requests the data.
  Security notes:
  - The caller (top-level MA branch: permit-overrides with an unconditional
    Permit sibling) turns every outcome of this set into Permit. The only
    thing that restricts a dissented subject is the PEP discharging the
    obligation below. XACML 2.0 requires a PEP that does not understand or
    cannot discharge an obligation to deny; a PEP that ignores obligations
    makes this branch fail open.
  - string-one-and-only on subject-id makes MA:1 Indeterminate for a request
    with zero or several subject-id values; this set then reports Deny
    (deny-overrides), but the caller's unconditional Permit still wins and
    no obligation is returned.
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:MA"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>Policy set for the MA confidentiality code.</Description>
  <Target/>
  <Policy PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target/>
    <!-- MA:1 - Deny when the subject is NOT in the radiology dissent list
         (reverse logic, see header comment). -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:1" Effect="Deny">
      <Description>
        Deny when the access subject is NOT one of the users whose consent
        has been removed. Reverse logic: the obligation that restricts the
        dissented user's access must travel with a Permit, so the caller of
        this policy must reverse the sense as well.
      </Description>
      <Target/>
      <Condition>
        <!-- not( any-of( string-equal, one-and-only(subject-id), radiology dissented-subject-id bag ) ) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <!-- MA:2 - Permit for everyone MA:1 did not deny, i.e. the dissented subjects. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:2" Effect="Permit">
      <Description>Default Permit when no Deny was obtained above.</Description>
    </Rule>
    <Obligations>
      <!-- Returned to the PEP only when this Policy's decision is Permit:
           apply the radiology privacy constraint for the dissented subject. -->
      <Obligation ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:ma:privacy:constraint:radiology"
                  FulfillOn="Permit"/>
    </Obligations>
  </Policy>
</PolicySet>



XacmlPolicySet-02f-emergency.xml
=================================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Emergency ("break-glass") access for subjects that are not from a supported
  facility. Outcomes of the enclosed Policy (rule deny-overrides):
    non-facility subject without the pea-001 permission -> Deny
    non-facility subject with the pea-001 permission    -> Permit + emergency obligation
    subject from a supported facility                   -> NotApplicable
  Security notes:
  - "Supported facility" means subject:locality equals one of the values in
    the environment:locality bag. If the request carries no
    environment:locality, any-of over the empty bag is false and EVERY
    subject is treated as non-facility.
  - string-one-and-only makes both rules Indeterminate when subject:locality
    is absent or multi-valued; rule deny-overrides reports Indeterminate and
    the enclosing deny-overrides PolicySets report Deny (fail-closed).
  - Both attributes are taken from the request context as supplied by the
    PEP/PIP; the Permit obligation is the audit hook for break-glass use.
  - This Permit does not grant access on its own: the top-level PolicySet
    combines it with the other branches under deny-overrides.
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:emergency"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>
    Policy set to allow emergency access for non-facility subjects.
    Returns Deny if user not from supported facility AND does not have emergency perm
    Returns Permit if not from supported facility AND not denied access
    Returns NotApplicable if plain old user from supported facility
  </Description>
  <Target/>
  <Policy PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:emergency"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Target/>
    <!-- emergency:deny - non-facility subject lacking pea-001. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:deny" Effect="Deny">
      <Description>
        Deny a subject that is not from a supported facility and does not
        hold the emergency permission.
      </Description>
      <Target/>
      <Condition>
        <!-- and( subject:locality not in environment:locality , pea-001 not in subject:hl7:permission ) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
              <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:locality"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
              </Apply>
              <EnvironmentAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality"
                                              DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
          </Apply>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
              <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:hl7:pea-001</AttributeValue>
              <SubjectAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <!-- emergency:permit - non-facility subject not denied above, i.e. one
         holding pea-001. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:permit" Effect="Permit">
      <Description>
        Permit a subject that is not from a supported facility once the Deny
        rule above did not fire (the subject must therefore hold the
        emergency permission).
      </Description>
      <Target/>
      <Condition>
        <!-- subject:locality not in environment:locality -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
              <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:locality"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
            <EnvironmentAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Obligations>
      <!-- Returned only when this Policy's decision is Permit: tells the PEP
           that emergency access was granted (audit / notification hook). -->
      <Obligation ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:emergency:permit"
                  FulfillOn="Permit"/>
    </Obligations>
  </Policy>
</PolicySet>



XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml

==============================================
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Virtual role "med-rec-vrole": indirection between the role and permission
  PolicySets (N:RPS:physician, N:med-rec-perm-set-0/-1) and the single
  Permission PolicySet for medical-record resources, PRD-004. Applies to every
  request (empty Target); the decision is entirely PRD-004's.
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>
    Policy set that points to the Permission PolicySet for medical record
    resources and actions.
  </Description>
  <Target/>
  <PolicySetIdReference>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004</PolicySetIdReference>
</PolicySet>



XacmlPolicySet-04-N-PPS-PRD-004.xml
====================================
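<?xml version="1.0" encoding="UTF-8"?>
<!--
  Permission PolicySet (PPS) PRD-004: a subject may access a medical-record
  resource only if every permission the resource requires
  (resource:hl7:permission bag) is held by the subject
  (subject:hl7:permission bag). Reached through N:RPS:med-rec-vrole.
  Review change: MustBePresent="true" on the resource permission designator.
  Without it, a resource in the Target list that carries no hl7:permission
  attribute yields an empty bag, and string-subset(empty, anything) is true,
  so such a resource was permitted to every subject reaching this policy.
  With it, a missing attribute makes rule 1 Indeterminate; permit-overrides
  reports the Policy as Indeterminate and the enclosing deny-overrides
  PolicySets report Deny (fail-closed). A resource that legitimately requires
  nothing must now say so explicitly in its attributes.
-->
<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
           PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
  <Description>
    Policy set for the PRD-004 permission. This permission allows
    access to all medical records.
  </Description>
  <Target/>
  <Policy PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:N:PPS:PRD-004:1"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <!-- Applies to the HL7 medical-record resource types listed below. The
         <Resource> elements are alternatives (OR); each one is an exact,
         case-sensitive match on resource:hl7:type. -->
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:demographics</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:chart</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:problemlist</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:procedures</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:laboratory</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:medications</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:vitals</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:resource:hl7:patientsearch</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
    <!-- Rule 1: Permit iff required permissions are a subset of held permissions.
         (RuleId keeps the original "policy:" prefix, unlike rule 2's "rule:"
         prefix, so that any external reference to it keeps working.) -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:policy:N:PPS:PRD-004:1:rule:1" Effect="Permit">
      <Description>
        Permit when the set of permissions required by the resource is a
        subset of the permissions held by the subject.
      </Description>
      <Condition>
        <!-- string-subset(required, held): true iff every value of the first
             bag also occurs in the second. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <!-- 1st argument: permissions the resource requires. MustBePresent
               turns a missing attribute into Indeterminate (reported as Deny
               by the enclosing deny-overrides sets) instead of an empty bag,
               which would trivially satisfy the subset test. -->
          <ResourceAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"
                                       MustBePresent="true"/>
          <!-- 2nd argument: permissions the subject holds. A missing attribute
               gives an empty bag, which fails the subset test for any
               non-empty requirement and leads to rule 2's Deny. -->
          <SubjectAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Condition>
    </Rule>
    <!-- Rule 2: catch-all Deny, effective only when rule 1 did not Permit. -->
    <Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:N:PPS:PRD-004:1:rule:2" Effect="Deny">
      <Description>If a Permit was not obtained above then set Deny by default.</Description>
    </Rule>
  </Policy>
</PolicySet>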
