A Non-technical User-Oriented Display Notation for XACML Conditions

Stepien, Bernard; Felty, Amy P.; Matwin, Stan

doi:10.1007/978-3-642-01187-0_5

Cited by 19 publications

(11 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We found that the XACML-based policy mechanism built into CDAShip was readily capable of expressing all these scenarios, but their native XACML representation was virtually incomprehensible for persons without formal training in computer science. We agree with Stepien et al that further abstractions are necessary to allow more useroriented authoring of consent policies (Stepien et al 2009). …”

Section: Practical Case Studysupporting

confidence: 57%

Protecting privacy during peer-to-peer exchange of medical documents

Weber-Jahnke

Obry

2011

Inf Syst Front

View full text Add to dashboard Cite

Privacy is an important aspect of interoperable medical information systems. Governments and health care organizations have established privacy policies to prevent abuse of personal health data. These policies often require organizations to obtain patient consent prior to exchanging personal information with other interoperable systems. The consents are defined in form of so-called disclosure directives. However, policies are often not precise enough to address all possible eventualities and exceptions. Unanticipated priorities and other care contexts may cause conflicts between a patient's disclosure directives and the need to receive treatments from informed caregivers. It is commonly agreed that in these situations patient safety takes precedence over information privacy. Therefore, caregivers are typically given the ability to override the patient's disclosure directives to protect patient safety. These overrides must be logged and are subject to privacy audits to prevent abuse. Centralized "shared health record" (SHR) infrastructures include consent management systems that enact the above functionality. However, consent management mechanisms do not extend to information systems that exchange clinical information on a peer-topeer basis, e.g., by secure messaging. Our article addresses this gap by presenting a consent management mechanism for peer-to-peer interoperable systems. The mechanism restricts access to sensitive, medical data based on defined consent directives, but also allows overriding the policies when needed. The overriding process is monitored and audited in order to prevent misuse. The mechanism has been implemented in an open source project called CDAShip and has been made available on SourceForge.

show abstract

Section: Practical Case Studysupporting

confidence: 57%

Protecting privacy during peer-to-peer exchange of medical documents

Weber-Jahnke

Obry

2011

Inf Syst Front

View full text Add to dashboard Cite

show abstract

“…With regard to our own past work, as mentioned, this work extends our work on conflict detection for firewalls [2]. We have also been involved in work on a tool for administering XACML policies, with a focus on usability for policy administrators that do not necessarily have a technical background [9,10]. An implementation of conflict detection (unverified) was also part of that work.…”

Section: Resultsmentioning

confidence: 89%

A verified algorithm for detecting conflicts in XACML access control rules

St-Martin

Felty

2016

Proceedings of the 5th ACM SIGPLAN Conference on Certified Programs and Proofs

View full text Add to dashboard Cite

We describe the formalization of a correctness proof for a conflict detection algorithm for XACML (eXtensible Access Control Markup Language). XACML is a standardized declarative access control policy language that is increasingly used in industry. In practice it is common for rule sets to grow large, and contain unintended errors, often due to conflicting rules. A conflict occurs in a policy when one rule permits a request and another denies that same request. Such errors can lead to serious risks involving both allowing access to an unauthorized user as well as denying access to someone who needs it. Removing conflicts is thus an important aspect of debugging policies, and the use of a verified algorithm provides the highest assurance in a domain where security is important. In this paper, we extend our previous work on verification of conflict detection for Cisco firewall rules. We focus on several XACML constructs, the most complex of which are used for expressing time constraints. XACML is a significantly more expressive language than the one used to express firewall rules in Cisco products, and time constraints provide a good illustration of that expressive power. We propose an algorithm to find conflicts and then use the Coq Proof Assistant to prove the algorithm correct. We develop a library of tactics to help automate the proof.

show abstract

“…In more dynamic scenarios, however, the generation of the PDP may add a constant time to policy evaluation. Finally, the use of a non-XML syntax for XACML is not new; e.g., a syntax similar to that of FACPL is proposed in [15], while a 'display' notation that combines a graphical interface with a natural language like format is introduced in [17]. But, again, such approaches do not rely on a formal semantics.…”

Section: Related Workmentioning

confidence: 99%