Saturday, April 12, 2008

Summary Review: Oasis XACML Interoperability Event at the RSA Conference 2008

Now that the RSA Conference 2008 has finished in San Francisco, I would like to take some time to inform you about the grand success of the Oasis XACML Interoperability event with JBoss/RedHat and the other interoperability participants, namely BEA Systems, IBM, Oracle, Sun, Axiomatics, Cisco and the Department of Veterans Affairs.

Information from the Oasis site is here.

The press release for the event from Oasis is here.

The code that has undergone two consecutive successful Oasis XACML Interoperability Events will be released soon (a matter of days) as JBossXACML v2.0.2.GA. The pending item is some documentation on usage. This library will also be included in JBoss AS 5.0 to provide XACML capabilities.

References:
1) PolicySets used in the interop.
2) Tests used for the interop.

Details:
In a nutshell, XACML is a language focused solely on Access Control. All it does is Access Control and nothing else. Given this, at the interoperability event, the VA folks came out with health care scenarios associated with Patient Privacy. There are HL7 Confidentiality Codes that can be associated with Patient medical records.

Let me give some examples:
1) Your neighbor is a doctor and is snoopy in nature. You certainly do not want him to have access to your medical records. Would you? As a patient, you can associate the UBA confidentiality code with a list of doctors that you do not want to have access to your records (dissent list).
2) A patient arrives at a facility in an emergency. The providers do not have access to the patient's records, which are housed at another facility. They can trigger an "emergency override" to get access to the records. Shouldn't they in an emergency?
3) A patient can decide to mask a portion of his medical records (e.g. radiology test results) from a list of providers.

The VA developed an excellent application with a decent GUI; in the background it interacted with its own PIP (Policy Information Point) to derive the attributes needed to build the XACML requests. Once the XACML requests were generated (based on the application interaction), they were passed to the vendors' PDPs (Policy Decision Points).

Summary:
A simulated health care application, using real medical-record data, driven by XACML-based use cases.

Additional References:
Oasis XACML Interoperability Document Bundle
^^^^^ (VERY IMPORTANT RESOURCE) ^^^^

Samples:
The following are examples of SAML2 payloads carrying XACML requests/responses.

Here is a sample of the request coming from the health care web application to the back-end PDP.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:RequestAbstract Destination="destination-uri" 
ID="s2846efb514a944cc3dc5b65ed8a76dde449787617" 
IssueInstant="2008-03-19T22:18:42Z" Version="2.0" 
xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true" 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xacml-samlp:XACMLAuthzDecisionQueryType">
<saml:Issuer 
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity</saml:Issuer>
<xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os 
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">


<xacml-context:Subject>
<xacml-context:Attribute 
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017
</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Subject>

<xacml-context:Resource>
<xacml-context:Attribute 
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Anthony Gurrola</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012
</xacml-context:AttributeValue>
<xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017
</xacml-context:AttributeValue>
</xacml-context:Attribute>

<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>xxx-DummyConfCode</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
</xacml-context:Attribute>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>
urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Resource>
<xacml-context:Action/>
<xacml-context:Environment>
<xacml-context:Attribute 
AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality" 
DataType="http://www.w3.org/2001/XMLSchema#string">
<xacml-context:AttributeValue>Facility A</xacml-context:AttributeValue>
</xacml-context:Attribute>
</xacml-context:Environment>
</xacml-context:Request>
</samlp:RequestAbstract>


Now a sample of a response (which also includes the XACML request to which it responds):
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
ID="response-id:1" Version="2.0" 
IssueInstant="2008-03-19T22:17:13Z">
<samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:xacml:1.0:status:ok">
</samlp:StatusCode>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" 
Version="2.0" ID="response-id:1" IssueInstant="2008-03-19T22:17:13Z">
<saml:Issuer>issuer-1</saml:Issuer>
<saml:Statement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"  
xsi:type="xacml-samlp:XACMLAuthzDecisionStatementType" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os" >
<xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" >
<xacml-context:Result >
<xacml-context:Decision>Permit</xacml-context:Decision>
<xacml-context:Status>
<xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"></xacml-context:StatusCode>
<xacml-context:StatusMessage>ok</xacml-context:StatusMessage> 
</xacml-context:Status>
<xacml:Obligations  xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os" >
<xacml:Obligation ObligationId="obligation-10" FulfillOn="Permit">
</xacml:Obligation>
<xacml:Obligation ObligationId="obligation-20" FulfillOn="Permit">
<xacml:AttributeAssignment AttributeId="a-120" 
DataType="http://www.w3.org/2001/XMLSchema#string" 
xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"/>
</xacml:Obligation>
</xacml:Obligations>
</xacml-context:Result>
</xacml-context:Response>

<xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os 
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>100001</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:role" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>Chief Resident</AttributeValue>
<AttributeValue>Doctor</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:hl7permission" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>PRD-017</AttributeValue>
<AttributeValue>PRD-003</AttributeValue>
<AttributeValue>PRD-010</AttributeValue>
<AttributeValue>PRD-006</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:va:names:xacml:2.0:subject:locality" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>Facility A</AttributeValue>
</Attribute>
</Subject>
<xacml-context:Resource>
<Attribute AttributeId="urn:va:names:xacml:2.0:record_type" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>patientchart</AttributeValue>
</Attribute>
</xacml-context:Resource>
<xacml-context:Action>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
DataType="http://www.w3.org/2001/XMLSchema#string" >
<AttributeValue>read</AttributeValue>
</Attribute>
</xacml-context:Action>
<xacml-context:Environment></xacml-context:Environment>
</xacml-context:Request>

</saml:Statement>
</saml:Assertion>
</samlp:Response> 
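As an added illustration (example code, not from the original post and not JBossXACML's own), here is the enforcement step a PEP should apply to a response like the one above: a Permit is honoured only when the SAML status is ok, the assertion issuer is the expected PDP, and every obligation with FulfillOn="Permit" has a handler that succeeds. The sample response is a trimmed, constructed copy of the one shown; the expected issuer value and the handler callables are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the sample response above.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ctx": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
      "xacml": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}

# Constructed sample, trimmed from the response shown above (echoed request omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="response-id:1" Version="2.0" IssueInstant="2008-03-19T22:17:13Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
      ID="response-id:1" IssueInstant="2008-03-19T22:17:13Z">
    <saml:Issuer>issuer-1</saml:Issuer>
    <saml:Statement>
      <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xacml-context:Result><xacml-context:Decision>Permit</xacml-context:Decision>
          <xacml:Obligations xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
            <xacml:Obligation ObligationId="obligation-10" FulfillOn="Permit"/>
            <xacml:Obligation ObligationId="obligation-20" FulfillOn="Permit"/>
          </xacml:Obligations>
        </xacml-context:Result>
      </xacml-context:Response>
    </saml:Statement>
  </saml:Assertion>
</samlp:Response>"""

def enforce(response_xml, handlers, expected_issuer="issuer-1"):
    """PEP-side enforcement. Returns "Permit" only when the SAML status is ok,
    the assertion issuer is the expected PDP (assumed value), the XACML decision
    is Permit, and every obligation to fulfil on Permit has a handler that returns
    True. NotApplicable, Indeterminate and unknown obligations all yield "Deny"."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:xacml:1.0:status:ok":
        return "Deny"
    if root.findtext("saml:Assertion/saml:Issuer", "", NS) != expected_issuer:
        return "Deny"
    results = root.findall(".//ctx:Result", NS)
    if len(results) != 1 or results[0].findtext("ctx:Decision", "", NS) != "Permit":
        return "Deny"
    for ob in results[0].findall("xacml:Obligations/xacml:Obligation", NS):
        if ob.get("FulfillOn") != "Permit":
            continue  # Deny-side obligations do not apply to a Permit result
        handler = handlers.get(ob.get("ObligationId"))
        if handler is None or not handler(ob):
            return "Deny"  # XACML: a PEP that cannot fulfil an obligation must deny
    return "Permit"
```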


Reference:
Oasis XACML Interoperability (RSA Conference 2008)

NOTE: If you need additional info, do not hesitate to email me at "asaldhan at redhat dot com" <======

1 comment:

ravi said...

Hi Anil: First of all thank you for your xacml effort.
I have a basic question. Can your component be deployed on a JBI-compliant container? I heard that JBoss is looking to go for the JBI 2.0 spec. Any idea when that is released and whether this component will be a part of it as a service engine?

Your reply will greatly help me.