Are XACML Obligations an explanation, or do they ask for more conditions?
In XACML, I am not sure whether Obligations add more information or add more conditions to a rule decision. For example, I would like the response to permit access to a patient's Electronic Health Record, BUT I would like to add obligations that deny access to specific records in the patient's Electronic Health Record.
Asked by Ray Salih. 298 views. 1 answer.
In XACML, obligations (and advice) are meant to enrich the response the PEP receives back from the PDP. They are not meant to convey authorization logic.
Examples
Two-factor authentication
This example revolves around trust / authentication elevation.
Break The Glass
The aforementioned example comes from the break-the-glass scenario that occurs in healthcare.
Controlling access to a hierarchy of things (items, records)
In your example, you want to control access to items and sub-items. For instance, an EHR is made up of PII, PHI, and financial information. Can a doctor view a patient's EHR they have a relationship with? Yes, they should be able to. But you'd like to mask or redact the financial information, as it is irrelevant to the doctor.
In that type of scenario, I would write different rules - one per sub-item. I want the authorization logic to be visible. I want to know there is a rule about doctors viewing PII, PHI, or financials.
I would potentially use the Multiple Decision Profile to ask questions on the different parts of the record.
Of course, if all you want to do is systematically mask just the one field, then you could get away with an obligation.
Best Practice
When you write obligations and advice, you should try not to hide authorization logic inside them. Use them to enrich authorization flows.
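The following is an added illustration, not code from the question or the answer and not a real XACML engine: a toy Python model of PDP evaluation that contrasts the two styles the answer describes. The per-item policy keeps the authorization logic in rules (one per sub-item, combined with deny-overrides, evaluated once per sub-item in the spirit of the Multiple Decision Profile) and uses an obligation only to enrich the response with an audit requirement. The coarse policy permits the whole EHR and hides the financial-data restriction in a `mask-field` obligation, so the decision alone no longer tells you what the doctor may see, and a PEP that does not understand that obligation has to refuse the access. All attribute names, rule ids, obligation ids and helper functions are invented for the example.

```python
"""Toy model of XACML-style rule evaluation (added example, not a real PDP).

Rules carry the authorization logic; obligations only enrich the response.
Attribute names, rule ids and obligation ids are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set

Request = Dict[str, str]  # flattened attributes, e.g. {"subject.role": "doctor"}


@dataclass
class Rule:
    rule_id: str
    effect: str                         # "Permit" or "Deny"
    target: Callable[[Request], bool]   # applicability test against the request
    obligations: List[str] = field(default_factory=list)  # returned only if the rule fires


@dataclass
class Result:
    decision: str          # "Permit", "Deny" or "NotApplicable"
    obligations: List[str]


def deny_overrides(rules: List[Rule], request: Request) -> Result:
    """Deny-overrides combining: any applicable Deny wins, else Permit if any
    Permit applies, else NotApplicable. Obligations are collected only from
    rules whose effect matches the final decision."""
    applicable = [r for r in rules if r.target(request)]
    if any(r.effect == "Deny" for r in applicable):
        final = "Deny"
    elif any(r.effect == "Permit" for r in applicable):
        final = "Permit"
    else:
        return Result("NotApplicable", [])
    obligations = [o for r in applicable if r.effect == final for o in r.obligations]
    return Result(final, obligations)


def treating_doctor(req: Request) -> bool:
    return req.get("subject.role") == "doctor" and req.get("subject.relationship") == "treating"


# Style the answer recommends: one rule per sub-item, so the logic is visible.
PER_ITEM_RULES = [
    Rule("doctor-view-pii", "Permit",
         lambda r: treating_doctor(r) and r["resource.type"] == "pii"),
    Rule("doctor-view-phi", "Permit",
         lambda r: treating_doctor(r) and r["resource.type"] == "phi",
         obligations=["audit-log:phi-access"]),   # enrichment, not a condition
    Rule("doctor-no-financial", "Deny",
         lambda r: r.get("subject.role") == "doctor" and r["resource.type"] == "financial"),
    Rule("billing-view-financial", "Permit",
         lambda r: r.get("subject.role") == "billing" and r["resource.type"] == "financial"),
]

# Style the answer warns against: one coarse Permit with the restriction hidden
# in an obligation the PEP must know how to fulfil.
COARSE_RULES = [
    Rule("doctor-view-ehr", "Permit",
         lambda r: treating_doctor(r) and r["resource.type"] == "ehr",
         obligations=["mask-field:financial"]),
]


def evaluate_multiple(rules: List[Rule], base_request: Request,
                      record_types: Iterable[str]) -> Dict[str, Result]:
    """Multiple-Decision-Profile style: one decision per sub-item of the record."""
    return {t: deny_overrides(rules, {**base_request, "resource.type": t}) for t in record_types}


def pep_enforce(result: Result, known_obligations: Set[str]) -> str:
    """Deny-biased PEP: anything but Permit is denied, and a Permit carrying an
    obligation the PEP cannot discharge is denied as well."""
    if result.decision != "Permit":
        return "denied"
    if any(o not in known_obligations for o in result.obligations):
        return "denied (unfulfillable obligation)"
    return "allowed"


if __name__ == "__main__":
    doctor = {"subject.role": "doctor", "subject.relationship": "treating"}
    for item, res in evaluate_multiple(PER_ITEM_RULES, doctor, ["pii", "phi", "financial"]).items():
        print(f"{item:10} {res.decision:14} obligations={res.obligations}")
    coarse = deny_overrides(COARSE_RULES, {**doctor, "resource.type": "ehr"})
    print("coarse policy:", coarse.decision, coarse.obligations,
          "->", pep_enforce(coarse, {"audit-log:phi-access"}))
```

With the per-item rules, a reader of the decisions alone can see that the doctor gets PII and PHI but not financial data; with the coarse rule, the response is a plain Permit and the restriction lives only in the obligation, which is exactly the hidden authorization logic the answer advises against.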