Controlling READ/WRITE of information as sets.
Document-level access control:
AuthType Basic
AuthName "Patient Data Area"
AuthGroupFile /usr/local/apache/passwd/groups
Require group Doctors
WebAccessControl: give Bob write access to class sales projections.
Subgraph access control:
Abstract access control:
Specific endowment language
Read or write a particular field.
Roles for describing endowments in large strokes
PrimaryCarePhysician implies access to medical history.
SalesManager implies access to projections.
Rules extending endowments
Radiologist at accredited clinic implies access to X-ray corpus.
SalesManager in Boston implies access to regional Massachusetts projections.
Obligations
Doctor must not deliver medical history to third parties.
SalesManager must not deliver projections to competitor for drugs or favors.
Request:
@prefix xacml: <urn:oasis:names:tc:xacml:2.0:context:schema:os> .
@prefix subject1: <urn:oasis:names:tc:xacml:1.0:subject:> .
@prefix subject2: <urn:oasis:names:tc:xacml:2.0:subject:> .
@prefix hl7-subject: <urn:oasis:names:tc:xspa:1.0:subject:hl7:> .
@prefix hl7-resource: <urn:oasis:names:tc:xspa:1.0:resource:hl7:> .
@prefix hl7-xspa: <urn:oasis:names:tc:xspa:1.0:hl7:> .
@prefix resource: <urn:oasis:names:tc:xacml:1.0:resource:> .
@prefix env: <urn:oasis:names:tc:xspa:1.0:environment:> .
<> doc:schemaLocation "urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd" .
[ a xacml:Request ;
  xacml:Subject [ subject1:subject-id "Dr. Bob" ;
                  subject1:locality "Facility A" ;
                  subject2:role "physician" ;
                  hl7-subject:permission hl7-xspa:prd-006 , hl7-xspa:prd-010 ;
                  subject2:purpose "Healthcare Treatment" ] ;
  xacml:Resource [ resource:resource-id "Bambi Smith" ;
                   hl7-resource:type hl7-resource:medical-record ] ;
  env:locality "Facility A" ] .
FILTER( x:UBA_notExcludes_subject($p, "Bob") &&    # protocol
        x:UBA_notExcludes_role($p, <physician>) &&
        (/* MA? */) &&
        x:data_includes(?p, <P_006>) &&            # CONSTRUCT rule
        x:data_includes(?p, <P_010>) &&            # CONSTRUCT rule
        x:locality_includes(?p, "192.168.1.1") &&  # protocol
        x:role_includes(?p, <physician>) )
PREFIX mydb: <http://cityhospital.example/dbs>
CONSTRUCT { ?o a :PatientObservation .
            ?o :patient ?p .
            ?p foaf:name ?pName .
            ?p :takes ?takes .
            ?o :doctor ?d .
            ?d foaf:name ?dName }
WHERE { ?o mydb:patient ?p .
        ?o mydb:doctor ?d .
        ?d mydb:name ?dName .
        ?p mydb:patientName ?pName . }
CONSTRUCT { ?o a :PatientObservation .
            ?o :patient ?p .
            ?p foaf:name ?pName .
            ?p :takes ?takes .
            ?o :doctor ?d .
            ?d foaf:name ?dName }
WHERE {
  GRAPH <ACCESS> { ?_requester acls:username $USER ;
                               acls:ip $IP . }
  ?o obs:patient ?p .
  ?o obs:doctor ?d .
  ?d ppl:name ?dName .
  OPTIONAL { ?p ppl:familyName ?pName .
             GRAPH <ACCESS> { ?acl acls:entitles ?_requester ;
                                   acls:toSee acls:identity . } }
  OPTIONAL { ?p obs:medication ?takes .
             GRAPH <ACCESS> { ?acl acls:entitles ?_requester ;
                                   acls:toSee acls:medication . } }
}
Queries:
SELECT * WHERE { ?o :patient ?p . ?p :takes ?takes . ?o :doctor ?d . ?d foaf:name "Dr. Bob" }
are executed against a virtual graph:
CONSTRUCT { ?o a :PatientObservation .
?o :patient ?p .
?p foaf:name ?pName .
?p :takes ?takes .
?o :doctor ?d .
?d foaf:name ?dName }
which is populated according to your privileges.
WHERE {
  … OPTIONAL {
    ?prescription pres:medication ?takes ;
                  pres:start ?start ;
                  pres:end ?end .
    GRAPH <ACCESS> {
      ?userrole roles:user $USER ;
                roles:role ?role
      FILTER (?role = "researcher" || ?role = "care-giver")
      FILTER (?IPADDR = "10.2.3.4" || ?IPADDR = "192.172.5.6")
    }
    ?takes meds:application "ADHD" .
    # OPTIONAL { …?inst… } !BOUND(?inst) is an idiom for negation as failure in SPARQL 1.
    OPTIONAL { ?prescription obs:institution ?inst .
               ?inst addr:city "NY" .
               ?takes meds:application "antidepressant" }
    FILTER (!bound(?inst))
  } …
}
OPTIONAL {
  ?x foo:valuableStuff ?stuff .
  GRAPH <ACCESS> {
    ?acl acls:entitles ?_requester ;
         acls:paid ?paid .
    FILTER (?paid > .05)
  }
}
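The virtual-graph idea above (a CONSTRUCT whose mandatory and OPTIONAL parts consult a separate <ACCESS> graph), worked through as an added example that is not from the slides: a dependency-free stand-in for a SPARQL engine that populates each requester's view the way the access-controlled CONSTRUCT does. All data, IRIs and names are constructed placeholders.

```python
# Added example (not from the slides): a dependency-free stand-in for a SPARQL
# engine applying the access-controlled CONSTRUCT. Base triples sit in the
# default graph, ACLs in <ACCESS>; the view follows the query's parts exactly.
# Constructed sample data; IRIs and names are placeholders, not from the page.
DATA = {
    ("obs1", "obs:patient", "pat1"), ("obs1", "obs:doctor", "doc1"),
    ("doc1", "ppl:name", "Dr. Bob"), ("pat1", "ppl:familyName", "Smith"),
    ("pat1", "obs:medication", "med:x"),
}
ACCESS = {  # who is entitled to see which covered category
    ("req_bob", "acls:username", "bob"), ("req_bob", "acls:ip", "192.168.1.1"),
    ("acl1", "acls:entitles", "req_bob"), ("acl1", "acls:toSee", "acls:identity"),
    ("acl1", "acls:toSee", "acls:medication"),
    ("req_ann", "acls:username", "ann"), ("req_ann", "acls:ip", "10.2.3.4"),
    ("acl2", "acls:entitles", "req_ann"), ("acl2", "acls:toSee", "acls:medication"),
}

def objects(graph, s, p):
    return {o for (ss, pp, o) in graph if ss == s and pp == p}

def subjects(graph, p, o):
    return {s for (s, pp, oo) in graph if pp == p and oo == o}

def entitlements(user, ip):
    """GRAPH <ACCESS> { ?req acls:username $USER ; acls:ip $IP } plus the ACLs
    that entitle ?req. Returns None when the mandatory pattern has no match."""
    reqs = subjects(ACCESS, "acls:username", user) & subjects(ACCESS, "acls:ip", ip)
    if not reqs:
        return None
    cats = set()
    for req in reqs:
        for acl in subjects(ACCESS, "acls:entitles", req):
            cats |= objects(ACCESS, acl, "acls:toSee")
    return cats

def construct_view(user, ip):
    """Build the virtual :PatientObservation graph this requester may see."""
    allowed = entitlements(user, ip)
    view = set()
    if allowed is None:  # unknown requester: mandatory pattern fails, empty view
        return view
    for (o, _, p) in [t for t in DATA if t[1] == "obs:patient"]:
        view |= {(o, "rdf:type", ":PatientObservation"), (o, ":patient", p)}
        for d in objects(DATA, o, "obs:doctor"):
            view.add((o, ":doctor", d))
            view |= {(d, "foaf:name", n) for n in objects(DATA, d, "ppl:name")}
        if "acls:identity" in allowed:    # first OPTIONAL: patient identity
            view |= {(p, "foaf:name", n) for n in objects(DATA, p, "ppl:familyName")}
        if "acls:medication" in allowed:  # second OPTIONAL: medication
            view |= {(p, ":takes", m) for m in objects(DATA, p, "obs:medication")}
    return view
```

A requester whose username/IP pair is absent from <ACCESS> fails the mandatory GRAPH pattern and gets an empty view; one that is present but lacks an acls:toSee entitlement still sees the observation skeleton but not the covered fields.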
This data will self-destruct in 30 seconds.
CONSTRUCT {
?x spy:mission ?mission .
policy:obligation [
policy:delete spy:yourMission ;
policy:when "00:00:05"
]
}
<foo> a xacml:Policy ;
  xacml:pair [ xacml:pattern "{ ?a ppl:familyName ?b . }" ;
               xacml:covers hl7:identity ] ;
  xacml:pair [ xacml:pattern "{ ?a obs:medication ?b . }" ;
               xacml:covers hl7:medication ] .
exec SA_SYSDBA.CREATE_POLICY(policy_name => 'DEFENSE', column_name => 'CTXT1');
Create security levels and labels:
exec SA_COMPONENTS.CREATE_LEVEL('DEFENSE', 1000, 'UN', 'UNCLASSIFIED');
exec SA_COMPONENTS.CREATE_LEVEL('DEFENSE', 2000, 'SE', 'SECRET');
exec SA_LABEL_ADMIN.CREATE_LABEL('DEFENSE', 1004, 'UN');
exec SA_LABEL_ADMIN.CREATE_LABEL('DEFENSE', 1005, 'SE');
exec SA_USER_ADMIN.SET_USER_LABELS('DEFENSE', 'JOHN', 'SE');