XACML Interop at RSA2008 – Andreas Sjöholm, Product Manager, Axiomatics
XACML Interop at RSA2008
• 2nd XACML Interop
• Demonstrate XACML 2.0 interoperability
• XACML 2.0 capabilities in a healthcare scenario
• Utilizing HL7 etc.
• Axiomatics, BEA Systems, IBM, Oracle, Red Hat, Cisco, Sun and U.S. Dept. of Veterans Affairs
High level objectives
• Control access to specific portions of a healthcare record
• Filter sensitive clinical information from being viewed
• Ensure obligations are met
• Provide a vehicle to override consent (emergency overrides) = can-know or must-not-know basis
Use Cases
• Policy exchange
• Authorization Decision Req/Resp
• Fine grain auth
• HL7 Permission based access
• HL7 Patient consent directives
• Data filtering obligations
• Emergency override obligation
Interoperability configuration
• Client – standard browser
• Application container – hosts the web application and provides common services such as authentication, authorization and a general API
• External PEP – authorizes the user's access and establishes the initial context
• Context handlers – separated due to the need for normative XACML
• Web Service Application – provides access to and operations on resources
• Resources – MR, lab & test results; tagged with attributes
• Embedded PEP – fine grained, vendor specific; provides an API to the authorization client to facilitate passing requests and responses (incl. obligations)
• Authorization client – standard API to the enterprise application for submitting requests and receiving responses; gets the application's context from the PIP
Use Case: Policy Exchange
• Primary focus (inner loop): the PAP creates a policy, a notification is sent, and the PDP uses the new policy
• Next step (outer loop): a larger context with attribute management and manager services
Use Case: Fine Grain Auth
• Web browser accesses the Health Care App
• When authorization is needed for a specific action, the healthcare authorization client collects attributes etc.
• Embedded PEP takes the requests
• Normative XACML request/response
• Coarse grained auth: front end, establishes the context
Patient Consent Directives
• Patient authorizes direct providers, but those not assigned to their case should not have access.
• Patient authorizes normal care, except for Dr. Bob Busybody (who is his nosy neighbor).
• Patient authorizes normal care, and further authorizes use of their data by cancer researchers.
• Patient authorizes normal care, but requires a confidential S/MIME email sent describing each access.
Patient Consent Directives HL7 confidentiality codes
HL7 Permission based access
• XACML 2.0 RBAC Profile
• Demonstrate use of HL7 Identifiers
• Local roles vs. HL7 standard permissions (inter-organizational purposes)
• Requesting user obtains a set of HL7 permissions
• Maps to a virtual role
HL7 Permission based access Request
XACML Request: policy structure
• The request always starts at the top-level policy set, which uses the confidentiality codes.
• Policy references refer the request to the appropriate policy: Policy for the N code, Policy for the U code, Policy for the CDA code, Policy for the MA code, Policy for the S code.
• Policy for resolving conflicting confidentiality codes – this policy combines the different consent directives. For instance, if a record is marked with both CDA and N, then both these policies have to say permit.
• Patient Consent Directive Access – this policy requires an attribute which indicates consent to the access.
• Permission Policy Set – these policies implement an RBAC model.
…policy when accessed resource has confidentiality code N (Normal)…
Decision response
• Access permitted
• XACML Obligations – filter out certain sensitive data
Sensitive data filter Patient’s directives
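The slides on patient consent directives, the HL7 permission-based (RBAC) mapping, the confidentiality-code policy structure and the obligation-carrying decision response describe one evaluation pipeline. The following is an added example, not code from Axiomatics or the other interop participants: a miniature PDP in Python that mirrors that pipeline. It maps local roles to a virtual role of permissions, dispatches on the record's confidentiality codes, combines the per-code results with deny-overrides (so a record marked both CDA and N needs both policies to permit), gates CDA, MA and S on a consent attribute unless the purpose of use is an emergency, and attaches filter, S/MIME-notify and emergency-audit obligations to a Permit. The role table, the `example:` identifiers and the uniform treatment of CDA/MA/S as consent-gated are assumptions; they are not the HL7 catalogue or the interop policies themselves.

```python
"""Added example (not the interop participants' code): a miniature PDP
mirroring the policy structure on the slides. Identifiers prefixed
'example:' and the role/permission table are constructed placeholders."""
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed local-role -> permission mapping; in the interop setup the PIP
# supplies this. Permission names are placeholders, not HL7 catalogue IDs.
LOCAL_ROLE_PERMISSIONS = {
    "attending-physician": {"example:perm:read-record", "example:perm:read-sensitive"},
    "ward-nurse": {"example:perm:read-record"},
    "cancer-researcher": {"example:perm:read-record"},
    "billing-clerk": set(),
}
# Assumption: the CDA, MA and S policies are treated uniformly as consent-gated.
CONSENT_GATED_CODES = {"CDA", "MA", "S"}
ALL_CODES = ("U", "N", "CDA", "MA", "S")


@dataclass
class Request:
    subject_id: str
    local_roles: set
    purpose: str          # "treatment", "research" or "emergency"
    record_codes: set     # HL7 confidentiality codes tagged on the record
    patient_id: str


@dataclass
class ConsentDirective:
    denied_subjects: set = field(default_factory=set)    # "except Dr. Busybody"
    sensitive_consent: bool = False    # consent attribute for the gated codes
    research_consent: bool = False     # "further authorizes cancer researchers"
    filter_categories: set = field(default_factory=set)  # data to mask on view
    notify_email: bool = False         # "confidential S/MIME email per access"


@dataclass
class Decision:
    effect: str
    obligations: list = field(default_factory=list)


def virtual_role_permissions(local_roles):
    """Map local roles to the union of their permissions (the virtual role)."""
    perms = set()
    for role in local_roles:
        perms |= LOCAL_ROLE_PERMISSIONS.get(role, set())
    return perms


def permission_policy(code, perms):
    """Permission policy set (RBAC profile): the permission a code requires."""
    needed = ("example:perm:read-sensitive" if code in CONSENT_GATED_CODES
              else "example:perm:read-record")
    return PERMIT if needed in perms else DENY


def code_policy(code, req, perms, directive):
    """Policy for one confidentiality code; NotApplicable if the record lacks it."""
    if code not in req.record_codes:
        return NOT_APPLICABLE
    if code == "U":                                   # unrestricted
        return PERMIT
    if permission_policy(code, perms) == DENY:
        return DENY
    if req.purpose == "research":                     # secondary use
        return PERMIT if directive.research_consent else DENY
    if req.purpose != "emergency":                    # emergency overrides consent
        if req.subject_id in directive.denied_subjects:
            return DENY
        if code in CONSENT_GATED_CODES and not directive.sensitive_consent:
            return DENY                               # consent attribute missing
    return PERMIT


def deny_overrides(results):
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def evaluate(req, directive):
    """Top-level policy set: run every code policy, combine, attach obligations."""
    perms = virtual_role_permissions(req.local_roles)
    effect = deny_overrides([code_policy(c, req, perms, directive) for c in ALL_CODES])
    decision = Decision(effect)
    if effect == PERMIT:   # the PEP must fulfil these before releasing data
        if directive.filter_categories:
            decision.obligations.append(
                ("example:obligation:filter-data", sorted(directive.filter_categories)))
        if directive.notify_email:
            decision.obligations.append(("example:obligation:smime-notify", req.patient_id))
        if req.purpose == "emergency":
            decision.obligations.append(("example:obligation:emergency-audit", req.subject_id))
    return decision


if __name__ == "__main__":
    directive = ConsentDirective(sensitive_consent=True, filter_categories={"psychiatry"})
    req = Request("dr-alice", {"attending-physician"}, "treatment", {"CDA", "N"}, "patient-42")
    print(evaluate(req, directive))
```

Running the block evaluates a treating physician's request against a record tagged CDA and N with consent given: the result is Permit with a filter obligation, which is what the "Decision response" slide shows. Drop `sensitive_consent` and the CDA policy returns Deny while N still permits; deny-overrides turns that into an overall Deny, which is the combining behaviour the policy-structure slide describes.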
XACMLPatientPrivacy
• Java EE
• Java Server Faces (JSF) 1.2
• Java API for XML Web Services (JAX-WS) 2.1
• Functionality
• Patient elections
• Local entity patient search
• Patient Demographics
• Patient Chart (problem list, procedures, lab, meds, vitals and radiology)
• Clinical Notes
• Patient Directive override for chart items, demographics, and notes
Thank you and see you at RSA2008!