atom feed43 messages in org.oasis-open.lists.xacmlRE: [xacml] Draft BTG Profile
FromSent OnAttachments
David ChadwickNov 23, 2010 9:06 am.doc
Rich.LevinsonNov 23, 2010 11:01 am 
Davis, John M.Nov 23, 2010 11:48 am.doc
Rich.LevinsonNov 23, 2010 11:53 am 
Smith, MartinNov 23, 2010 1:55 pm 
Mary McRaeNov 23, 2010 2:04 pm 
Ludwig SeitzNov 24, 2010 12:48 am 
David ChadwickNov 25, 2010 6:13 am 
David ChadwickNov 25, 2010 6:26 am 
David ChadwickNov 25, 2010 6:36 am 
Ludwig SeitzNov 25, 2010 7:05 am 
Doron GrinsteinNov 25, 2010 7:28 am 
David ChadwickNov 25, 2010 9:05 am 
David ChadwickNov 25, 2010 9:56 am 
Ludwig SeitzNov 26, 2010 12:31 am 
Ludwig SeitzNov 26, 2010 12:53 am 
Erik RissanenNov 26, 2010 2:25 am 
David ChadwickNov 26, 2010 8:51 am 
Bill ParducciNov 26, 2010 9:06 am 
David ChadwickNov 26, 2010 9:08 am 
Rich.LevinsonNov 28, 2010 12:41 pm 
David ChadwickNov 29, 2010 3:45 am 
David ChadwickNov 29, 2010 4:20 am 
Erik RissanenNov 29, 2010 5:38 am 
Davis, John M.Nov 29, 2010 8:45 am 
Smith, MartinNov 29, 2010 9:59 am 
Davis, John M.Nov 29, 2010 10:41 am 
David ChadwickNov 29, 2010 11:58 pm 
David ChadwickNov 30, 2010 12:33 am 
David ChadwickNov 30, 2010 12:47 am 
Smith, MartinNov 30, 2010 7:37 am 
David ChadwickDec 1, 2010 12:34 am 
David ChadwickDec 1, 2010 12:37 am 
David ChadwickDec 1, 2010 1:05 am 
David ChadwickDec 1, 2010 1:28 am 
Davis, John M.Dec 2, 2010 7:37 am.gif
David ChadwickDec 3, 2010 1:44 am 
Smith, MartinDec 3, 2010 5:58 am 
David ChadwickDec 3, 2010 7:17 am 
Davis, John M.Dec 6, 2010 10:05 am 
Davis, John M.Dec 8, 2010 10:14 pm.gif, .gif
Hal LockhartDec 16, 2010 9:02 am.gif, .gif
David ChadwickDec 16, 2010 11:24 am 
Subject:RE: [xacml] Draft BTG Profile
From:Davis, John M. (Mike@va.gov)
Date:Nov 23, 2010 11:48:58 am
List:org.oasis-open.lists.xacml
Attachments:

David,

1. BTG is a common healthcare concept. The Draft BTG profile seems to describe
a concept somewhat different. I've included a short paper which provides
definitions, descriptions and requirements for BTG and "emergency access" as two
distinct and different concepts within the healthcare domain. Here is a short
description from HL7's Access Control Service Functional Model:

"Break‐glass is named after the glass panel that protects a fire alarm. Everyone
in the building is authorized to use the fire alarm to report a fire, but the
ramifications of misuse are substantial. The fragile glass panel is sufficient
to avoid accidental triggering, and it forces the user to stop and think

before acting. In the context of this document, a “Break Glass” scenario
involves a situation where the access control policy will authorize the user to
access certain information or functionality, but only after the user attests
that one or more relevant conditions exist."

2. As described in the draft profile, the most important concept is that the
profile requires a BTG permission. This does not match the notion of BTG as
used in healthcare which is much more like a user controlled "gateway" much such
as a fire alarm. I'll explain by means of a use case:

In this healthcare scenario, a user is authorized to access patient records (has
appropriate permissions). Some records (e.g., VIP) are sequestered behind a BTG
barrier. A user attempting to access a VIP record will be presented with a
warning banner indicating that the record is protected and that access will
subject the user to increased auditing (and perhaps other controls such as
notifications to system admins). In any case, the requester has two options; 1)
abort or 2) continue. If 2) is chosen the record is presented. The
distinguishing characteristic is that no elevation of user permissions and no
special "BTG permission" is required, the user is already in the "clinician"
group authorized to view records. This is analogous to students in a high
school. They are all members of a group who are "authorized" to pull the fire
alarm. Doing so falsely will subject the student to discipline but the student
does not need the teachers authorization to pull the alarm when conditions
warrant.

This is distinguished from emergency access of the first kind (normal emergency
room operations). In emergency access #1, the context of the emergency
(significant harm or risk of death to the patient) needs to be presented so that
the access control system evaluates the appropriate policy set (e.g. A clinician
at one hospital may not be authorized access to records at another under normal
conditions of “treatment”). In emergency access #1, the XSPA SAML attribute
assertion profile provides an "Emergency Access" purpose of use attribute. This
purpose of use allows the PDP to select and evaluate the appropriate policy for
the "emergency" condition as opposed to normal "treatment". Again, it is not
the user permissions that are evaluated but the fundamental context of the
policy environment.

There is emergency access of the second kind which is a variation of emergency
access #1. In emergency access #2, the requester makes the request for
information under the purpose of use of treatment and clinical role.
Authorization to view the record under these conditions is denied (perhaps an
underlying privacy policy is being enforced). In response the clinician
responds by elevating permissions by asserting the “emergency role” in the XSPA
SAML Assertion profile thereby elevating privileges under the same POU of
“treatment” and overriding the original policy decision. In our work in HL7 we
have found the “emergency” role/permission unnecessary as POU has the added
benefit of putting in place (and managing) an emergency context vice a simple
role. Emergency #2 is probably closer to what is intended by the Draft BTG
profile but is significantly different from what is described above.

I believe additional discussion is warranted on the fundamental concepts of the
Draft BTG profile, first to ensure common understanding of the different forms
of access, the uses of policy, purpose of use and permission and second to
establish sound use cases that will sufficiently clarify the purpose and
conditions under which use of such a profile is warranted.

Regards, Mike Davis, CISSP

Department of Veterans Affairs

Office of Health Information

Security Architect

760-632-0294

-----Original Message----- From: David Chadwick [mailto:d.w.@kent.ac.uk] Sent: Tuesday, November 23, 2010 9:07 AM To: xacml Subject: [xacml] Draft BTG Profile

Dear List

about a year ago we discussed the standardisation of the Break The Glass
response (see Seth Proctor's message of 17 Dec 2009) and decided that a profile
to standardise the BTG response would be useful. Unfortunately Seth left Sun
before we got around to writing it.

Consequently Stijn Lievens and myself from Kent have produced a first version
(attached) for your consideration. I know its not in the correct format yet, but
we can fix that once the technical content has been agreed.

Comments appreciated

regards

David

--

*****************************************************************

David W. Chadwick, BSc PhD

Professor of Information Systems Security School of Computing, University of
Kent, Canterbury, CT2 7NF Skype Name: davidwchadwick

Tel: +44 1227 82 3221

Fax +44 1227 762 811

Mobile: +44 77 96 44 7184

Email: D.W.@kent.ac.uk

Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html

Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html

Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5

*****************************************************************

--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php