Presentation is loading. Please wait.

Presentation is loading. Please wait.

James Cabral, David Webber, Farrukh Najmi, July 2012.

Published byLizbeth Rich Modified over 9 years ago

Similar presentations

Presentation on theme: "James Cabral, David Webber, Farrukh Najmi, July 2012."— Presentation transcript:

1 James Cabral, David Webber, Farrukh Najmi, July 2012

2 Managing information privacy and access policies has become a critical need and technical challenge. The desired solution should be ubiquitous, syntax neutral but a simple and lightweight approach that meets the legal policy requirements though the application of clear, consistent and obvious assertions. Today we have low-level tools that developers know how to implement with, and we have legal documents created by lawyers, but then there is a chasm between these two worlds. 2

3 The RuleML community has long understood this and developed and is developing new and improved methods and solutions. The challenge is in taking these approaches and being able to apply these to NIEM XML based information sources in a high level conceptual way that is accessible to information analysts and general NIEM practitioners, rather than the provence of specialized XML-programmers only. Then we also need these techniques to be broadly applicable, using existing open public software standards and tools so we can enable the widest possible adoption within the NIEM community. 3

4 The solution we are introducing will:  Provide a clear declarative assertions based method, founded on policy approaches developed by the rules community,  Leveraging open software standards and tools and  Enabling business information analysts to apply and manage the policy profiles Show illustrative design time and run time examples by:  Visually assigning exchange components and rule assertions  Show applying this to retrieval of documents stored with registry and repository services. 4

5 Electronic Policy Statements 5 Policy Rules Portal User Dashboard 1 1 Apply Policy Rules to Requested Case Content 4 4 Users see only information permitted by their role and policy profile Request Output Templates Information Requests 2 2 Case Management Registry Services Registry Services 3 3 Output Templates Case Documents XML Response Output Templates Requested Information 5 5 User Profiles

6  Part 1  Problem introduction and policy methods overview  Part 2  Design time technical walkthrough of rule assertions example  Part 3  Run time deployment with registry services

7 Policy Methods Overview

8  Three levels of information access  Citizen level reporting - SAR statistics  Local law enforcement officials - case review  State and Federal - case management and coordination  This means three profiles:  Profile 1 - Registry query - statistics results  Profile 2 - Local staff  Profile 3 - Regional staff 8 SAR – Suspicious Activity Report

9 Electronic Policy Statements Coarse- Grained Role-based authorization of subjects. Access granted to coarse-grained data objects. E.g., “Permit law enforcement to access the NCIC Wanted Persons Database.” Fine-Grained Attribute-based authorization of subjects. Access limited to specific data objects based on attributes. E.g., “Permit law enforcement to access criminal history records if the records were created by the requester’s agency.” 9

10  Actions. Electronic Policy Statements 10 Properties of the access rules and environment. Conditions. – Subject. – Resource. – Policy. Obligations.

11  Express policies in a structured language (e.g., XML)  Identify requesters  Compare data collection and release purposes  Enforce retention rules  Notify data owners and subscribers  Verify compliance Privacy and Security Architectures 11

12 Privacy and Security Architectures 12 GFIPM User Metadata NIEM GFIPM Content Metadata XACML Actions Electronic Policy Statements

13  A mechanism to specify policy rules in unambiguous terms  XML Access Control Markup Language (XACML)  Machine-readable  Supports federated and dynamic policies Privacy and Security Architectures 13

14 Privacy and Security Architectures 14 TermDescription PAPPolicy Administration Point - Point which manages policies PDPPolicy Decision Point - Point which evaluates and issues authorization decisions PEPPolicy Enforcement Point - Point which intercepts user's access request to a resource and enforces PDP's decision. PIPPolicy Information Point - Point which can provide external information to a PDP, such as LDAP attribute information. http://en.wikipedia.org/wiki/XACML

15 Privacy and Security Architectures 15 PolicySetsPoliciesRules Obligations Functions Targets Attributes

16 Privacy and Security Architectures 16

17 Design Time Rule Assertions Concepts

18  Traditional NIEM approach focuses on the information exchange data handling  Uses XSD schema to define content structure and metadata  Need is for a bridge between the NIEM schema, the XML information instances and the XACML rule assertion language  Approach is based on visual content structure templates with declarative rule assertions 18

19 D E P L O Y E D XACML Engine XACML Engine Rule Assertions P O L I C I E S Output Templates Exchange Structures Policy Assertion Template 2 2 S C H E M A NIEM IEPD NIEM IEPD 1 1 XACML Generation Tool 3 3 XACML XML Script 4 4 Rules Asserted to Nodes in the Exchange Structure via simple XPath associations 19

20 Rules Assertions associate and control access privacy to specific content areas in the SAR details structure Visual metaphor allows policy analysts to verify directly 20

21 Rule Assertions NIEM data flows XACML Engine XACML Engine Information Exchange 5 5 INTERFACES P O L I C I E S CAM Editor Visual Designer Output Templates Exchange Templates 1 1 Information Exchange 3 3 INTERFACES 4 4 S C H E M A NIEM IEPD NIEM IEPD NIEM XML NIEM XML NIEM XML NIEM XML Generated XACML Rules 2 2 21

22 CAM TOOLKIT + CAMV ENGINE  Open source solutions – designed to support XML and industry vocabularies and components for information exchanges  Implementing the OASIS Content Assembly Mechanism (CAM) public standard  CAMV validation framework and test suite tools  Development sponsored by Oracle CAM Editor resources site: http://www.cameditor.org 22

23 NEXT STEPS  Enhance CAM Editor UI to provide wizards for policy rule assertion entry  Provide XSLT to generate XACML from CAM template  Enhance reporting tools to show policy details in plain English details  Test with sample JPS NIEM exchange schema 23

24 Illustrative deployment with XACML services and application

25 Electronic Policy Statements 25 Policy Rules Portal User Dashboard 1 1 Apply Policy Rules to Requested Case Content (PDP Engine) 4 4 Users see only information permitted by their role and policy profile Request Output Templates Information Requests 2 2 Case Management + PAP Registry Services Registry Services 3 3 Output Templates Case Documents XML Response (PEP) Output Templates Requested Information 5 5 User Profiles XACML XML XACML

26 Privacy and Security Architectures 26 PAP Defines policies. Monitors compliance. PDP Receives requests from the PEP. Identifies policies that match each request. Evaluates request and environment attributes. Directs the PEP. PEP Discloses or redacts the information or denies the request. Logs the request and action. Notifies of the request and action.

27 Privacy and Security Architectures 27

28 Bulk loader will trawl server and folder location for content – e.g. original SAR XML documents Bulk Publish of SAR documents 28

29 SAR Discovery Query (easily extended / tailored without code changes) allows rapid prototyping and verification of content and operations Results returned digest and content retrieval options 29

30 Review

31  Dramatically simpler policies adoption  Can be rapidly developed with existing tools  Can be visually inspected and verified by policy analysts  Enables use of dynamic contextual policies  Supports international standards work 31

32 CONTRIBUTORS  James E. Cabral Jr. – IJIS/OASIS and MTGM LLC  David Webber – Oracle Public Sector NIEM team  Farrukh Najmi – OASIS ebXML RegRep, SunXACML project and Wellfleet Software 32

33 RESOURCES  OASIS CAM and tools project site https://www.oasis-open.org/committees/cam http://cameditor.org (sourceforge.net) https://www.oasis-open.org/committees/cam http://cameditor.org  OASIS XACML and tools project site https://www.oasis-open.org/committees/xacml http://sunxacml.sourceforge.net/ https://www.oasis-open.org/committees/xacml http://sunxacml.sourceforge.net/  OASIS ebXML RegRep and Implementing Registry https://wiki.oasis-open.org/regrep/ http://goo.gl/cEpnC https://wiki.oasis-open.org/regrep/ http://goo.gl/cEpnC 33

Download ppt "James Cabral, David Webber, Farrukh Najmi, July 2012."

Similar presentations

Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.

Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.
News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics

News in XACML 3.0 and application to the cloud Erik Rissanen, Axiomatics
Visual Scripting of XML

Visual Scripting of XML
NIEM and Content Policy briefing David Webber - Public Sector NIEM Team, April 2013 NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.

NIEM and Content Policy briefing David Webber - Public Sector NIEM Team, April 2013 NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.
Future of NIEM Tools Delivery Public Sector NIEM Team, July 2012 Futureof NIEM Tools.

Future of NIEM Tools Delivery Public Sector NIEM Team, July 2012 Futureof NIEM Tools.
Crucial Patterns in Service- Oriented Architecture Jaroslav Král, Michal Žemlička Charles University, Prague.

Crucial Patterns in Service- Oriented Architecture Jaroslav Král, Michal Žemlička Charles University, Prague.
IEEE P1622 Meeting, Oct 2011 IEEE P1622 Meeting October 24-25, 2011 Guide to using OASIS EML v7.0 for UOCAVA Implementations David RR Webber Information.

IEEE P1622 Meeting, Oct 2011 IEEE P1622 Meeting October 24-25, 2011 Guide to using OASIS EML v7.0 for UOCAVA Implementations David RR Webber Information.
NIEM, CAM and the 7 “D’s” David Webber - Public Sector NIEM Team, November 2011 NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.

NIEM, CAM and the 7 “D’s” David Webber - Public Sector NIEM Team, November 2011 NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.
Semantics and Information Exchanges Overview – Public Sector NIEM Team, June 2011 CAM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.

Semantics and Information Exchanges Overview – Public Sector NIEM Team, June 2011 CAM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.
David Webber, NIEM Team, Oracle Public Sector NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary Exchange Development Taking a.

David Webber, NIEM Team, Oracle Public Sector NIEM Test Model Data Deploy Requirements Build Exchange Generate Dictionary Exchange Development Taking a.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager

16/3/2015 META ACCESS MANAGEMENT SYSTEM Implementing Authorised Access Dr. Erik Vullings MAMS Programme Manager
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
Brokering Mathematical Services Through a Web Registry.

Brokering Mathematical Services Through a Web Registry.
Requirements Specification

Requirements Specification
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.

XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
XML Exchange Development CAM Technology Tutorial – Public Sector NIEM Team, June 2011 CAM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.

XML Exchange Development CAM Technology Tutorial – Public Sector NIEM Team, June 2011 CAM Test Model Data Deploy Requirements Build Exchange Generate Dictionary.
1 1 Roadmap to an IEPD What do developers need to do?

1 1 Roadmap to an IEPD What do developers need to do?

Similar presentations

Ads by Google