XACML Obligation Profile for Healthcare Version 1.0

XACML Obligation Profile for Healthcare Version 1.0

Working Draft 01

13 February 2013

Technical Committee:

OASIS eXtensible Access Control Markup Language (XACML) TC

Chairs:

Hal Lockhart (), Oracle

Bill Parducci (), Individual

Editor:

Mohammad Jafari (), Veterans Health Administration

John M. Davis (), Veterans Health Administration

Additional artifacts:

· N/A

Related work:

· N/A

Declared XML namespaces:

· N/A

Abstract:

· This profile provides a vocabulary of standard obligation identifiers used in exchange of health records, together with the corresponding attributes. Moreover, it defines a mechanism for defining static characteristics of obligations and the relations among them in the form of an obligation definition. Also, a set of standard rule- and policy-combining algorithms are defined which specify obligation combining behavior.

Status:

This Working Draft (WD) has been produced by one or more TC Members; it has not yet been voted on by the TC or approved as a Committee Draft (Committee Specification Draft or a Committee Note Draft). The OASIS document Approval Process begins officially with a TC vote to approve a WD as a Committee Draft. A TC may approve a Working Draft, revise it, and re-approve it any number of times as a Committee Draft.

Initial URI pattern:

http://docs.oasis-open.org/xacml/xspa-obl/v1.0/csd01/xspa-obl-v1.0-csd01.html

(Managed by OASIS TC Administration; please don’t modify.)

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Table of Contents

1 Introduction 5

1.1 Glossary 5

1.2 Terminology 5

1.3 Normative References 5

1.4 Non-Normative References 6

2 Application Context 7

3 Prefixes 8

4 Lifecycle of an Obligation 9

4.1 Definition 9

4.2 Usage in Policy 9

4.3 Instantiation 9

4.4 Post-Processing 9

4.5 Execution 9

5 Obligation Definition 10

5.1 The Structure 10

5.2 General Information 10

5.3 Obligation List 10

5.4 Obligation Classes 11

5.4.1 Sequential Classes 11

5.4.1.1 Operational Semantics 12

5.4.2 Override Classes 12

5.4.2.1 Operational Semantics 12

6 Common Attributes 13

6.1 Obligation’s Assignee 13

6.1.1 Syntax 13

6.1.2 Operational Semantics 14

6.2 Execution Order w.r.t the Action 14

6.2.1 Syntax 15

6.2.2 Operational Semantics 15

6.3 Execution Order w.r.t the Other Obligations 15

6.3.1 Syntax 15

6.3.2 Operational Semantics 16

6.4 Transactional Requirements 16

6.4.1 Syntax 16

6.4.2 Operational Semantics 16

6.5 Other Constraints 16

6.5.1 Syntax 17

6.5.2 Operational Semantics 17

7 Obligation Identifiers 18

7.1 Human Approval 18

7.2 Anonymize-Record 18

7.3 Pseudonymize-Field 18

7.4 Redact 19

7.5 Mask-Field 19

7.6 Encrypt-Field 20

7.7 Encrypt-Record 20

7.8 Abstract-Field 21

7.9 Aggregate-Field 22

7.10 Version-Range 23

7.11 Audit-Trail 23

7.12 Delete after Use 23

7.13 Delete 24

7.14 No-Redisclosure 24

7.15 Enforce Policy 24

7.15.1 Operational Semantics 25

8 Combining Algorithms 26

8.1.1 Syntax 26

8.2 Policy-Specific Obligation Definition Reference 26

8.2.1 Syntax 27

9 Walk-Through Example 28

9.1 Use Case 28

9.2 Schema 28

9.3 Policy 29

9.3.1 Organizational Policy 30

9.3.2 Patient Consent 31

9.4 Event Flow 32

9.4.1 Request 33

9.4.2 Evaluation and Initial Response 33

9.4.3 Post-Processing 34

9.4.4 Processing at the Local PEP 36

10 Conformance 39

Appendix A. Acknowledgments 40

Appendix B. Revision History 43

xspa-obl-v1.0-wd01 Working Draft 01 13 February 2013

1 Introduction

{non-normative}

This profile defines the obligations used in exchange of health records among organizations. The concepts defined in this profile are applicable to both XACML version 2.0 and 3.0, although the examples are based on the version 2.0. The main topics covered include:

· A vocabulary of standard obligation identifiers.

· A set of standard obligation attributes including the attribute identifiers and legitimate attribute values that define the properties of obligations.

· A mechanism to define static characteristics of obligations and the relations among them in the form of an obligation definition.

· A set of standard rule- and policy-combining parameters that define the behavior of the PDP with respect to combining obligations resulting from different policies.

The main use-cases motivating this profile are in the context of exchanging health records between different organizations as discussed in Section 3. Nonetheless, some of the concepts are broad enough to be used in other application domains with similar use-cases.

1.1 Glossary

Obligation Assignee

The party to which the obligation is assigned and is responsible for its execution.

Obligation Instance

An obligation that appears in a XACML response to be executed by the PEP with specific parameter values.

Obligation definition

A configuration document residing at the PDP that defines obligations, their static attributes, and their relations.

Obligation Specification

The definition of an obligation and its static attributes.

1.2 Terminology

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [RFC2119].

1.3 Normative References

[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels”, BCP 14, RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.

[XACMLv3] eXtensible Access Control Markup Language (XACML) Version 3.0, 10 January 2013. OASIS Standard. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc

[XACMLv2] eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard. 1 Feb 2005. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

1.4 Non-Normative References

[XACML-GEN] XACML v3.0 Improved Generality. 17 March 2005. Committee Working Draft 03. http://www.oasis-open.org/committees/download.php/11929/access_control-xacml-3.0-generalization-spec-wd-03.doc

[XACML-OBL] XACML v3.0 Obligation Families Version 1.0, 17 February 2008. OASIS Committee Working Draft 3. https://www.oasis-open.org/committees/download.php/27230/xacml-3.0-obligation-v1-wd-03.zip

[XACML-XSPA] Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML v2.0 for Healthcare Version 1.0. 1 November 2009. OASIS Standard. http://docs.oasis-open.org/xacml/xspa/v1.0/xacml-xspa-1.0-os.doc

2 Application Context

The application context for the use-cases that drive this profile is the exchange of health records. Figure 1 depicts an example of this scenario with two parties involved. The medical records residing at the provider system at site B, are requested to be transferred to the consumer system at site A.

This scenario can be extended to a multi-party exchange, in which more than two parties are involved. For example, in presence of a cloud storage system, the data may be transferred to the storage system, thereby to the consumer system, and thereby to an end user client such as a terminal used by a physician at a clinic. Routing via intermediate parties is another example of multi-party exchange.

Each of the systems involved in such record exchange scenarios has its own PDP and PEP, and shall process and enforce the policies applicable at that particular point.

Figure 1. The interaction in an example of a health record exchange scenario with two parties.

3 Prefixes

For the purpose of brevity and readability, the following prefixes are defined to be used throughout this document:

[HOP] / urn:oasis:names:tc:xspa:1.0:obligation
[XML] / http://www.w3.org/2001/XMLSchema
[XACML2] / urn:oasis:names:tc:xacml:2.0
[XACML1] / urn:oasis:names:tc:xacml:1.0

4 Lifecycle of an Obligation

{non-normative}

This section gives an overview of the lifecycle of an obligation. This shows what steps need to be taken for using obligations in a policy and how they need to be processed until the point of execution.

4.1 Definition

The lifecycle of an obligation starts with its inclusion in the obligation definition of a PDP. The obligation definition is an XML document that defines the obligation, its static attributes, and its relations with other obligations, such as sequencing. Static attributes of an obligation are inherent characteristics that are the same in all its instances and do not change. For example, the order of an obligation with respect to the action, i.e. whether it must be executed before or after the action, is usually an inherent property that does not change in different instances of an obligation, and hence is a static attribute. The static attributes are automatically inherited by each instance of the obligation.

4.2 Usage in Policy

Once an obligation is defined in the schema of the system, it can be used by the policies within the PDP. The PDP will generate an error if it encounters an obligation that is not defined in the obligation definition[1]. A usage of an obligation may specify additional attributes that are not static and decided for a particular instance. For example, the particular input parameters to an obligation can change at every usage.

4.3 Instantiation

An obligation is instantiated when it appears in the response to an XACML request. The PDP must follow a combining algorithm to collect all the obligations corresponding to a request. For every matching obligation, the PDP extracts the values for the attributes specified in the particular usage.

4.4 Post-Processing

Once evaluation of a request is over, the PDP needs to run a post-processing step in which it augments the obligation instances by adding static attributes defined in the schema and other required attribute, for example, to specify the ordering of obligations. The post-processing step also ensures that the final list of obligations is a consistent and clean of conflicts and repetitive obligations.

4.5 Execution

Once the obligation instances are received by the PEP, they must be executed. The local obligations assigned to the local PEP are executed locally, while those assigned to remote parties are encoded and transferred with the data. Once received by the receiving party, the accompanying policies will be added to the remote PDP. Processing any obligation in such policies will recursively follow the above steps.

5 Obligation Definition

This section discusses the structure and format of the obligation definition document. This is a separate document from the XACML policy and defines the obligation and their static characteristics. Static characteristic of an obligation are general characteristics that hold true across all instances of an obligation. An obligation instance, on the other hand, may have some instance-specific characteristics that will be discussed later.

The obligation definition document shares some concerns with the obligation families [XACML-OBL]. This profile covers most of the features of the said draft with respect to obligation classes.

Defining the obligation definition provides a dictionary of obligations for the PDP together with the metadata that facilitates their processing of obligations. It can also be used as an agreement between PEP and PDP to ensure both are aware of the list of possible obligations, and shared with the PDP in other related domain to coordinate handling of inter-domain obligations. Using this metadata, and in a post-processing stage, the PDP, produces a consistent list of obligation in the response context.

Several obligation definitions may exist in a single PDP for different groups of policies. A Policy or PolicySet can specify the reference schema. The PDP should have default schema to use when the policy does not specify one explicitly.

5.1 The Structure

An obligation definition contains three parts: an introduction section to containing the general information about the schema, a declaration of all obligation identifiers and their static attributes, and finally, a set of obligation class declarations to specify relations among the obligations.

5.2 General Information

The general information includes an identifier for the obligation definition as well as an optional description element to provide a textual description. The identifier is used to distinguish different schemas in case there is more than one of them in a PDP.

5.3 Obligation List

The lists of all obligations that may appear in the policies, as well as their static attributes, and an optional textual description are provided in this part. The obligation identifiers are discussed in Section 9 and the attributes can be any of the attributes listed in Section 8 or any other custom attribute.

5.4 Obligation Classes

Obligation classes are groups of obligations with specific relations. These groups are defined in this section. This part of the schema may contain a number of declarations for sequential classes, and override classes which are discussed below.

5.4.1 Sequential Classes

A sequential class specifies a pair of obligations that must be executed sequentially. An example of a sequential set is that redact-field which removes a field from the record must happen before sign-record. Or sign-record must happen before encrypt-record.

A sequential class accepts an optional condition; the sequentiality will be enforced only if the condition holds true. For example redact-field must precede encrypt-record only if they are executed on the same record. Or, redact-field must precede encrypt-record only when the field that is being redacted is part of the record begin encrypted.