Saturday, April 12, 2008

Tests for the Oasis XACML Interoperability Event at RSA Conference 2008

Now that we have seen the Policy Set(s) for the interoperability tests, I would like to point out the tests that pass in requests and expect the desired result. Please note that these tests are just a reflection of the interaction that happened between the Health care application developed by the Department of Veterans Affairs (VA) and the PDPs of individual companies.

The JUnit Test Case is here: InteropUnitTestCases

The various request files used in this test case are available at:
OasisXACMLInteroperabilityEventAtRSAConferenceRequests


Pseudo-Code for the evaluation (Result starts out unset; once it is Deny, no later step changes it):

// Emergency access: a subject from a facility the PDP does not serve needs the pea-001 permission
if ( ! (request.subject.locality == any-of(request.environment.locality)) )
    if ( ! ("hl7.pea-001" == any-of(request.subject.hl7.permission)) )
        Result = Deny
    else
        Result = Permit
        response.add(Obligation(emergency.permit, FulfillOn=Permit))
    end
end

// UBA confidentiality code: subjects whose consent has been withdrawn are denied
if ( ! (Result == Deny) )
    if (request.resource.hl7.conf-code == "UBA")
        if ( ! (request.subject.subject-id == any-of(request.resource.hl7.dissented-subject-id)) )
            Result = Permit
        else
            Result = Deny
            response.add(Obligation(privacy.constraint, FulfillOn=Deny))
        end
    end
end

// MA confidentiality code: access is permitted, but every object the subject has been
// dissented from is reported back to the PEP as an obligation to mask it
// (policy MA:default-to-permit also permits a subject that is not dissented at all)
if ( ! (Result == Deny) )
    if (request.resource.hl7.conf-code == "MA")
        if (request.subject.subject-id == any-of(request.resource.hl7.object.1.dissented-subject-id))
            Result = Permit
            response.add(Obligation(privacy.constraint.object.1, FulfillOn=Permit))
        end
        ...
        if (request.subject.subject-id == any-of(request.resource.hl7.object.n.dissented-subject-id))
            Result = Permit
            response.add(Obligation(privacy.constraint.object.n, FulfillOn=Permit))
        end
    end
end

// Business rule: an unsigned progress note may only be read by its author
if ( ! (Result == Deny) )
    if (request.resource.type == "resource.hl7.progress-note")
        if (request.resource.progress-note.signed == false)
            if ( ! (request.subject.subject-id == any-of(request.resource.progress-note.author-subject-id)) )
                Result = Deny
            end
        end
    end
end

// N confidentiality code: RBAC, entered either through the physician role or
// through the collection of PRD permissions that stands in for that role
if ( ! (Result == Deny) )
    if (request.subject.role == role.hl7.physician)
        check-vrole-permissions()
    end
    if ( ! (Result == Permit) )
        if ( (hl7.prd-003 == any-of(subject.hl7.permission)) &&
             (hl7.prd-005 == any-of(subject.hl7.permission)) &&
             (hl7.prd-006 == any-of(subject.hl7.permission)) &&
             (hl7.prd-009 == any-of(subject.hl7.permission)) &&
             (hl7.prd-010 == any-of(subject.hl7.permission)) &&
             (hl7.prd-012 == any-of(subject.hl7.permission)) &&
             (hl7.prd-017 == any-of(subject.hl7.permission)) )
            check-vrole-permissions()
        end
    end
    // need to add here a deny if no permit found
end

check-vrole-permissions()
    if (request.resource.type == "hl7-medical-record")
        if ( request.resource.hl7.permission[m-values] == subset-of(subject.hl7.permission[n-values]) )
            Result = Permit
        end
    end
    return
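The pseudo-code above as an executable Python model. This is an added example, not the JUnit test case or the request files the post links to: the request layout, the facility names, the subject ids and the URN form of the prd-004 permission value are constructed for illustration. The control flow follows the pseudo-code; where the pseudo-code is silent the policy XML decides (the MA branch permits by default through MA:default-to-permit, PRD-004 denies when the subset check fails through rule PRD-004:1:rule:2, and a request that no branch decides comes back NotApplicable, which is the gap the last pseudo-code comment refers to).

```python
"""Executable model of the pseudo-code above (added example; see the lead-in)."""

NS = "urn:va:xacml:2.0:interop:rsa8"
PEA_001 = f"{NS}:hl7:pea-001"
PRD_004 = f"{NS}:hl7:prd-004"  # assumed URN form of the PRD-004 permission value
PRD_COLLECTION = {f"{NS}:hl7:prd-{n}" for n in ("003", "005", "006", "009", "010", "012", "017")}
PHYSICIAN = f"{NS}:role:hl7:physician"
PROGRESS_NOTE = f"{NS}:resource:hl7:progress-note"
# resource types listed in the Target of policy N:PPS:PRD-004:1
MEDICAL_RECORD_TYPES = {f"{NS}:resource:hl7:{t}" for t in (
    "medical-record", "demographics", "chart", "problemlist", "procedures", "laboratory",
    "radiology", "medications", "vitals", "progress-note", "patientsearch")}
MA_OBJECTS = ("radiology",)  # the MA policy on the page covers one object; the pseudo-code allows n


def check_vrole_permissions(subj, res):
    """PRD-004: Permit iff every permission the resource requires is held by the subject."""
    if res["type"] not in MEDICAL_RECORD_TYPES:
        return None  # the policy Target does not match: NotApplicable
    # string-subset(resource bag, subject bag). Caveat: an empty resource bag is a subset
    # of anything, so a record carrying no hl7:permission attribute passes this check.
    return "Permit" if set(res["permission"]) <= set(subj["permission"]) else "Deny"


def evaluate(req):
    """Return (decision, [obligation ids]); a Deny, once reached, is final."""
    subj, res, env = req["subject"], req["resource"], req["environment"]
    result, permit_obligations = None, []

    # Emergency access: a subject from another facility needs pea-001
    if subj["locality"] not in env["locality"]:
        if PEA_001 not in subj["permission"]:
            return "Deny", []
        result = "Permit"
        permit_obligations.append(f"{NS}:obligation:emergency:permit")

    # UBA: a subject whose consent was withdrawn is denied, with a deny-time obligation
    if res["confidentiality-code"] == "UBA":
        if subj["subject-id"] in res["dissented-subject-id"]:
            return "Deny", [f"{NS}:obligation:privacy:constraint"]
        result = "Permit"

    # MA: permitted by default; each object the subject is dissented from is reported
    # through a permit-time obligation (the "reverse logic" noted in rule MA:1)
    if res["confidentiality-code"] == "MA":
        result = "Permit"
        for obj in MA_OBJECTS:
            if subj["subject-id"] in res.get(f"{obj}:dissented-subject-id", []):
                permit_obligations.append(f"{NS}:obligation:ma:privacy:constraint:{obj}")

    # Business rule: an unsigned progress note is visible only to its author
    if res["type"] == PROGRESS_NOTE and not res["signed"]:
        if subj["subject-id"] not in res["author-subject-id"]:
            return "Deny", [f"{NS}:obligation:deny:unsigned:non-author"]

    # N: RBAC, entered through the physician role or the seven-permission collection
    vrole = None
    if PHYSICIAN in subj["role"] or PRD_COLLECTION <= set(subj["permission"]):
        vrole = check_vrole_permissions(subj, res)
    if vrole == "Deny":
        return "Deny", []
    if vrole == "Permit":
        result = "Permit"

    return (result or "NotApplicable"), (permit_obligations if result == "Permit" else [])


def request(subject_id, locality, permissions=(), roles=(), conf_code="N",
            rtype=f"{NS}:resource:hl7:medical-record", required=(), resource_extra=None):
    """Constructed request in the attribute layout the policies designate (sample data only)."""
    res = {"type": rtype, "confidentiality-code": conf_code, "permission": list(required),
           "dissented-subject-id": [], "author-subject-id": [], "signed": True}
    res.update(resource_extra or {})
    return {"subject": {"subject-id": subject_id, "locality": locality,
                        "permission": list(permissions), "role": list(roles)},
            "resource": res,
            "environment": {"locality": ["facility-A"]}}  # facilities the PDP serves (constructed)


def run_samples():
    """One constructed request per branch; returns {name: (decision, obligations)}."""
    doc = [PRD_004]  # permission the sample records require
    return {
        "outsider-no-emergency-perm": evaluate(request("dr-x", "facility-B", doc, [PHYSICIAN], required=doc)),
        "outsider-with-pea-001": evaluate(request("dr-x", "facility-B", doc + [PEA_001], [PHYSICIAN], required=doc)),
        "uba-dissented": evaluate(request("dr-y", "facility-A", doc, [PHYSICIAN], conf_code="UBA",
                                          required=doc, resource_extra={"dissented-subject-id": ["dr-y"]})),
        "ma-dissented-radiology": evaluate(request("dr-y", "facility-A", doc, [PHYSICIAN], conf_code="MA",
                                                   required=doc, resource_extra={"radiology:dissented-subject-id": ["dr-y"]})),
        "unsigned-note-non-author": evaluate(request("dr-z", "facility-A", doc, [PHYSICIAN], rtype=PROGRESS_NOTE,
                                                     required=doc, resource_extra={"signed": False, "author-subject-id": ["dr-y"]})),
        "physician-missing-permission": evaluate(request("dr-z", "facility-A", [], [PHYSICIAN], required=doc)),
        "nurse-with-prd-collection": evaluate(request("rn-w", "facility-A", PRD_COLLECTION | set(doc), [], required=doc)),
        "no-branch-applies": evaluate(request("clerk", "facility-A", [], [], required=doc)),
    }


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:30} {outcome}")
```

Obligations are returned only for the effect that matches the final decision, as XACML 2.0 prescribes: the emergency obligation is FulfillOn="Permit", so it drops out when a later UBA dissent turns the decision into Deny. One case worth asserting in a real test set is the empty-bag behaviour of string-subset noted in check_vrole_permissions: a record that carries no hl7:permission attribute is permitted for any subject the N gate admits.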

PolicySet for the Oasis XACML Interoperability at RSA Conference

The policies are available here (follow that link to reach the individual policy files).


The top level policy that drives the entire interop is:

XacmlPolicySet-01-top-level.xml

==================================

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Top level policy set which combines the CDA and N confidentiality codes.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:emergency"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:emergency</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:CDA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>UBA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:CDA</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:MA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>MA</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:MA</PolicySetIdReference>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA:default-to-permit"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA"
Effect="Permit">
<Description>
If a Deny was obtained for object above then set Permit by default.
</Description>
</Rule>
</Policy>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:bus-rule"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:N"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N</PolicySetIdReference>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections</PolicySetIdReference>
</PolicySet>
</PolicySet>



XacmlPolicySet-02a-CDA.xml

===========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:CDA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the UBA confidentiality code.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:CDA"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:1"
Effect="Permit">
<Description>
If the access subject is NOT one of those users which consent has
been removed, then permit.
</Description>
<Target/>
<Condition>
<!-- True if hl7:dissented-subject-id NOT EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<!-- True if hl7:dissented-subject-id EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:2"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation instructs the PEP to apply privacy constraints to -->
<!-- user's responsibility for the data. -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:privacy:constraint"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>



XacmlPolicySet-02b-N.xml

=========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for evaluating the subject:role attributes.
This implements an RBAC policy. This policy set matches
subject roles and refers to permission policy sets.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:physician"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:role:hl7:physician</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
</PolicySet>



XacmlPolicySet-02c-N-PermCollections.xml

=========================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for evaluating the subject:hl7:permission attributes.
This implements an RBAC policy. This policy set matches
subject roles and refers to permission policy sets.
</Description>
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
<Target/>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-0"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
<PolicySet
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-1"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Target>
<Subjects>
<Subject>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
<SubjectMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
</Target>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
</PolicySet>
</PolicySet>
</PolicySet>



XacmlPolicySet-02d-prog-note.xml

==================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the business rule for unsigned progress notes.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:progress-note"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:sig"
Effect="Permit">
<Description>
If the progress-note is signed allow any user to see it. If not signed
then only author may see it.
</Description>
<Target/>
<Condition>
<!-- True if resource:hl7:progress-note:signed EQUAL TO True -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>True</AttributeValue>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:signed"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:author"
Effect="Permit">
<Description>
If a Permit was not obtained then subject must be author.
</Description>
<Target/>
<Condition>
<!-- True if hl7:progress-note:author-subject-id EQUAL TO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:author-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:deny-sig"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation informs the PEP access denied unsigned non-author -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:deny:unsigned:non-author"
FulfillOn="Deny"/>
</Obligations>
</Policy>
</PolicySet>


XacmlPolicySet-02e-MA.xml

==========================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:MA"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the MA confidentiality code.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:1"
Effect="Deny">
<Description>
If the access subject is NOT one of those users which consent has
been removed, then deny.
Note: there is reverse logic here because the Obligation that denies
access to the user for this object must be issued when the user has
obtained a Permit. So, the caller of this policy must know to reverse
sense as well.
</Description>
<Target/>
<Condition>
<!-- True if hl7:radiology:dissented-subject-id NOTEQUALTO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<!-- True if hl7:radiology:dissented-subject-id EQUALTO subject:subject-id -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<ResourceAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:2"
Effect="Permit">
<Description>
If a Deny was not obtained above then set Permit by default.
</Description>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation instructs the PEP to apply privacy constraints to -->
<!-- user's responsibility for the data. -->
<Obligation
ObligationId=
"urn:va:xacml:2.0:interop:rsa8:obligation:ma:privacy:constraint:radiology"
FulfillOn="Permit"/>
</Obligations>
</Policy>
</PolicySet>



XacmlPolicySet-02f-emergency.xml
=================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:emergency"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set to allow emergency access for non-facility subjects.
Returns Deny if user not from supported facility AND does not have emergency perm
Returns Permit if not from supported facility AND not denied access
Returns NotApplicable if plain old user from supported facility
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:emergency"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
<Target/>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:deny"
Effect="Deny">
<Description>
If the subject is not from a supported facility AND
. if the subject does not have emergency permission THEN Deny access.
</Description>
<Target/>
<Condition>
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<!-- AND if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId=
"urn:oasis:names:tc:xacml:1.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<EnvironmentAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:environment:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
<!-- True if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:hl7:pea-001</AttributeValue>
<SubjectAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:permit"
Effect="Permit">
<Description>
If a Deny was not obtained above AND subject not part of a supported
facility then subject must have emergency permission.
</Description>
<Target/>
<Condition>
<!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator
AttributeId=
"urn:oasis:names:tc:xacml:1.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
<EnvironmentAttributeDesignator
AttributeId=
"urn:va:xacml:2.0:interop:rsa8:environment:locality"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Obligations>
<!-- These obligations provide specific instructions to PEP in the response -->
<!-- This obligation informs the PEP user granted emergency access -->
<Obligation
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:emergency:permit"
FulfillOn="Permit"/>
</Obligations>
</Policy>
</PolicySet>



XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml

==============================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId=
"urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set that points to the Permission PolicySet for medical record
resources and actions.
</Description>
<Target/>
<PolicySetIdReference
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004</PolicySetIdReference>
</PolicySet>



XacmlPolicySet-04-N-PPS-PRD-004.xml
====================================
<?xml version="1.0" encoding="UTF-8"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004"
PolicyCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
<Description>
Policy set for the PRD-004 permission. This permission allows
access to all medical records.
</Description>
<Target/>
<Policy
PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:N:PPS:PRD-004:1"
RuleCombiningAlgId=
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target>
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:demographics</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:chart</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:problemlist</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:procedures</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:laboratory</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medications</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:vitals</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string"
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:patientsearch</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
</Target>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:policy:N:PPS:PRD-004:1:rule:1"
Effect="Permit">
<Condition>

<!-- Returns true iff the first argument is a subset of the second argument -->
<!-- i.e. the permissions required by the resource must be a -->
<!-- subset of the permissions supplied by the subject -->

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">

<!-- 1st argument: returns the values of all Attributes with -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" and -->
<!-- AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission" -->
<ResourceAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"/>

<!-- 2nd argument: returns the values of all Attributes with -->
<!-- DataType="http://www.w3.org/2001/XMLSchema#string" and -->
<!-- AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" -->
<SubjectAttributeDesignator
DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"/>

</Apply>
</Condition>
</Rule>
<Rule
RuleId="urn:va:xacml:2.0:interop:rsa8:rule:N:PPS:PRD-004:1:rule:2"
Effect="Deny">
<Description>
If a Permit was not obtained above then set Deny by default.
</Description>
</Rule>
</Policy>
</PolicySet>
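The top-level policy set is a tree of deny-overrides and permit-overrides combiners, and several of the outcomes above (the MA "reverse logic", the missing default Deny) follow from that tree rather than from any single rule. The Python below is an added example, not part of the interop policies or the JUnit test case: it implements the two XACML 2.0 policy-combining algorithms (Appendix C of the specification) and wires them up exactly as XacmlPolicySet-01-top-level.xml does, taking the decision of each referenced PolicySet as an input so that only the combining logic is exercised.

```python
"""XACML 2.0 policy-combining algorithms applied to the top-level PolicySet above (added example)."""

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
NA = NOT_APPLICABLE


def deny_overrides(decisions):
    """Policy-combining deny-overrides: the first Deny wins, and so does the first
    Indeterminate (XACML 2.0 maps an evaluation error straight to Deny here)."""
    at_least_one_permit = False
    for d in decisions:
        if d in (DENY, INDETERMINATE):
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE


def permit_overrides(decisions):
    """Policy-combining permit-overrides: the first Permit wins; otherwise Deny beats
    Indeterminate, which beats NotApplicable."""
    at_least_one_deny = at_least_one_error = False
    for d in decisions:
        if d == PERMIT:
            return PERMIT
        if d == DENY:
            at_least_one_deny = True
        elif d == INDETERMINATE:
            at_least_one_error = True
    if at_least_one_deny:
        return DENY
    return INDETERMINATE if at_least_one_error else NOT_APPLICABLE


def top_level(emergency, cda, ma, progress_note, n_role, n_perm_collections):
    """Mirror XacmlPolicySet-01-top-level.xml for one request.

    Each argument is the decision of the PolicySet that branch references. Pass
    NOT_APPLICABLE for a branch whose Target did not match (cda unless the
    confidentiality code is UBA, ma unless it is MA, progress_note unless the
    resource type is progress-note, n_role unless the subject is a physician).
    """
    emergency_ps = deny_overrides([emergency])
    cda_ps = deny_overrides([cda])
    # toplevel:MA combines the MA PolicySet with an unconditional Permit policy
    # (MA:default-to-permit) under permit-overrides, so once its Target matches this
    # branch cannot return Deny; the MA policy only contributes its radiology obligation.
    ma_ps = NOT_APPLICABLE if ma == NOT_APPLICABLE else permit_overrides([ma, PERMIT])
    bus_rule_ps = deny_overrides([progress_note])
    n_ps = permit_overrides([n_role, n_perm_collections])
    return deny_overrides([emergency_ps, cda_ps, ma_ps, bus_rule_ps, n_ps])


def scenarios():
    """Decisions the tree yields for a few constructed combinations of branch results."""
    return {
        # local physician, N record, permissions cover the record
        "local-physician": top_level(NA, NA, NA, NA, PERMIT, PERMIT),
        # MA record, subject not dissented: the MA policy's Deny (rule MA:1) is overridden
        "ma-not-dissented": top_level(NA, NA, DENY, NA, PERMIT, PERMIT),
        # emergency Permit for an outsider, but a UBA dissent still denies
        "emergency-vs-uba-dissent": top_level(PERMIT, DENY, NA, NA, NA, PERMIT),
        # an error in a deny-overrides branch (e.g. rule progress-note:author hitting
        # string-one-and-only on a request with no subject-id) becomes Deny at the top
        "error-in-bus-rule": top_level(NA, NA, NA, INDETERMINATE, PERMIT, PERMIT),
        # the same error under permit-overrides is swallowed by a sibling Permit
        "error-under-permit-overrides": top_level(NA, NA, NA, NA, INDETERMINATE, PERMIT),
        # no branch applies: NotApplicable, not Deny (the missing default the pseudo-code notes)
        "nothing-applies": top_level(NA, NA, NA, NA, NA, NA),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:30} {decision}")
```

Two things the tree makes explicit. First, a request that matches no branch evaluates to NotApplicable rather than Deny, so the PEP in front of this PDP has to be deny-biased (treat anything other than Permit as a denial) until the default Deny the pseudo-code comment asks for is added. Second, reading XacmlPolicySet-02c-N-PermCollections.xml as reproduced here, med-rec-perm-set-0 carries an empty Target and references the same med-rec-vrole PolicySet as the physician role branch, so the PRD-004 subset check is reached for every subject on a listed resource type, not only for physicians or for holders of the seven-permission collection in med-rec-perm-set-1.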

Monday, April 7, 2008

Oasis XACML Interoperability Event at RSA Conference (Day 1)

Just wanted to inform the readers that multiple companies including JBoss/Red Hat are cooped up at the Moscone Center to demonstrate Oasis XACML 2.0 interoperability with a health care application developed by the Department of Veterans Affairs (VA). You can read the press release that went out today on this one here.


OASIS Members Demonstrate Interoperability of XACML Access Control Standard in HITSP Health Care Scenario


In a nutshell, this interoperability is an important step towards embracing a potential solution to the growing access control space, and real proof in the increasingly complex space of health care.

Hopefully during the week, I am going to give more details on the interoperability with policies, requests, access decisions etc.

UPDATE: The use cases that were incorporated into the health care application have been successfully tested with the PDPs of all the vendors at the interop.