XACML Obligations: are they an explanation, or a request for more conditions?
In XACML, I am not sure whether Obligations add more information or add more conditions to the rule decision. For example, I would like the response to permit access to a patient's Electronic Health Record, BUT I would like to add obligations to deny access to specific records in the patient's Electronic Health Record.
Asked by Ray Salih
In XACML, obligations (and advice) are meant to enrich the response the PEP receives back from the PDP. They are not meant to convey authorization logic.
Examples
Two-factor authentication
This example revolves around trust / authentication elevation.
Break The Glass
The aforementioned example comes from the break-the-glass scenario that occurs in healthcare.
Controlling access to a hierarchy of things (items, records)
In your example, you want to control access to items and sub-items. For instance, an EHR is made up of PII, PHI, and financial information. Can a doctor view a patient's EHR they have a relationship with? Yes, they should be able to. But you'd like to mask or redact the financial information, as it is irrelevant to the doctor.
In that type of scenario, I would write different rules - one per sub-item. I want the authorization logic to be visible. I want to know there is a rule about doctors viewing PII, PHI, or financials.
I would potentially use the Multiple Decision Profile to ask questions on the different parts of the record.
Of course, if all you want to do is systematically mask just the one field, then you could get away with an obligation.
Best Practice
When you write obligations and advice, you should try not to hide authorization logic inside them. Use them to enrich authorization flows.
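The following is an added example, not code from the question or the answer above, written in Python to show the two sides of the answer from the PEP's point of view: an obligation on a Permit that enriches the decision (here, redacting the financial sub-record), and the per-sub-item decisions the answer prefers, assembled from a Multiple Decision Profile style response with one Result per sub-item. It also carries the caveat a practitioner needs: XACML 3.0 requires a PEP that cannot fulfil an obligation to deny, so an obligation with no registered handler must fail closed rather than be ignored. The EHR layout, the obligation and attribute ids (`urn:example:...`), and the PDP responses are constructed for this example; the response shape is modelled on the XACML JSON profile.

```python
"""Minimal XACML PEP: enforce obligations on a Permit, fail closed on
obligations it cannot fulfil, and assemble a view from per-sub-item Results.

Added example, not from the original page. Ids under urn:example: are
hypothetical; EHR data and PDP responses are constructed sample input.
"""
import copy
import json

RESOURCE_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Hypothetical obligation: the policy asks the PEP to redact named fields.
OBLIGATION_REDACT = "urn:example:obligation:redact-fields"
FIELD_ATTR = "urn:example:field"

# Constructed sample EHR with the sub-items the answer mentions.
EHR = {
    "patient_id": "p-1001",
    "pii": {"name": "Jane Doe", "dob": "1980-01-02"},
    "phi": {"diagnosis": "J45.909", "medications": ["albuterol"]},
    "financial": {"insurer": "ExampleCare", "account": "4111-0000"},
}

# Constructed single-decision response: Permit + obligation to redact 'financial'.
PERMIT_WITH_REDACT = json.dumps({"Response": [{
    "Decision": "Permit",
    "Obligations": [{"Id": OBLIGATION_REDACT,
                     "AttributeAssignment": [{"AttributeId": FIELD_ATTR,
                                              "Value": "financial"}]}],
}]})

# Constructed response carrying an obligation this PEP has no handler for.
PERMIT_WITH_UNKNOWN = json.dumps({"Response": [{
    "Decision": "Permit",
    "Obligations": [{"Id": "urn:example:obligation:not-implemented",
                     "AttributeAssignment": []}],
}]})


def _result(decision, resource_id):
    """One Result echoing the resource-id it was evaluated for (JSON profile shape)."""
    return {"Decision": decision,
            "Category": [{"CategoryId": RESOURCE_CATEGORY,
                          "Attribute": [{"AttributeId": RESOURCE_ID,
                                         "Value": resource_id}]}]}

# Constructed Multiple Decision Profile style response: one Result per sub-item,
# as produced by a policy with a visible rule for each of pii, phi, financial.
MULTI_DECISION = json.dumps({"Response": [
    _result("Permit", "p-1001/pii"),
    _result("Permit", "p-1001/phi"),
    _result("Deny", "p-1001/financial"),
]})


def _redact(record, assignments):
    """Handler for OBLIGATION_REDACT: drop each named top-level field."""
    out = copy.deepcopy(record)
    for a in assignments:
        if a["AttributeId"] == FIELD_ATTR:
            out.pop(a["Value"], None)
    return out


OBLIGATION_HANDLERS = {OBLIGATION_REDACT: _redact}


def enforce_result(result, record):
    """Apply one Result to a record: the (obligation-modified) record on Permit,
    or None to deny. A PEP that cannot fulfil an obligation MUST deny
    (XACML 3.0 core), so an unknown obligation id turns Permit into a deny."""
    if result.get("Decision") != "Permit":
        return None
    view = record
    for obligation in result.get("Obligations", []):
        handler = OBLIGATION_HANDLERS.get(obligation["Id"])
        if handler is None:
            return None  # unfulfillable obligation: fail closed
        view = handler(view, obligation.get("AttributeAssignment", []))
    return view


def enforce(response_json, record):
    """Single-decision PEP entry point."""
    return enforce_result(json.loads(response_json)["Response"][0], record)


def assemble_from_multi_decision(response_json, record):
    """Build the caller's view from per-sub-item Results: only sub-items whose
    own Result (after its obligations) is a Permit are copied into the view."""
    view = {"patient_id": record["patient_id"]}
    for result in json.loads(response_json)["Response"]:
        for cat in result.get("Category", []):
            if cat["CategoryId"] != RESOURCE_CATEGORY:
                continue
            for attr in cat["Attribute"]:
                if attr["AttributeId"] != RESOURCE_ID:
                    continue
                sub_item = attr["Value"].rsplit("/", 1)[-1]
                if sub_item in record:
                    permitted = enforce_result(result, record[sub_item])
                    if permitted is not None:
                        view[sub_item] = copy.deepcopy(permitted)
    return view


if __name__ == "__main__":
    print(sorted(enforce(PERMIT_WITH_REDACT, EHR)))   # ['patient_id', 'phi', 'pii']
    print(enforce(PERMIT_WITH_UNKNOWN, EHR))          # None: deny
    print(sorted(assemble_from_multi_decision(MULTI_DECISION, EHR)))
```

The design point is the one the answer makes: in the obligation path, nothing in the policy says "financial is off-limits to doctors"; that fact lives in a handler table inside the PEP, and a PEP that skipped unknown obligations would silently return the full record. In the per-sub-item path, the Deny on `financial` is a decision the PDP made and logged, and the PEP only has to honour it.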