Details how to use policy rule templates to manage content access rules. Avoiding the pitfalls of the ABAC approach. Providing a method for policy analysts to quickly markup content without requiring deep programming knowledge.

1. POLICY CONTROL PROFILES
WITH GRA AND NIEM
James Cabral, David Webber, Farrukh Najmi,
July 2012

2. EXECUTIVE OVERVIEW
Managing information privacy and access policies has
become a critical need and technical challenge. The
desired solution should be ubiquitous, syntax neutral but a
simple and lightweight approach that meets the legal policy
requirements though the application of clear, consistent
and obvious assertions.
Today we have low-level tools that developers know how to
implement with, and we have legal documents created by
lawyers, but then there is a chasm between these two
worlds.
2

3. LEGAL AND RULES TECHNOLOGIES
The RuleML community has long understood this and
developed and is developing new and improved methods and
solutions. The challenge is in taking these approaches and
being able to apply these to NIEM XML based information
sources in a high level conceptual way that is accessible to
information analysts and general NIEM practitioners, rather
than the provence of specialized XML-programmers only.
Then we also need these techniques to be broadly
applicable, using existing open public software standards
and tools so we can enable the widest possible adoption
within the NIEM community.
3

4. APPROACH
The solution we are introducing will:
 Provide a clear declarative assertions based method, founded
on policy approaches developed by the rules community,
 Leveraging open software standards and tools and
 Enabling business information analysts to apply and manage
the policy profiles
Show illustrative design time and run time examples by:
 Visually assigning exchange components and rule assertions
 Show applying this to retrieval of documents stored with
registry and repository services.
4

5. APPLICATION SCENARIO OVERVIEW
Electronic Policy Statements 5
Policy Rules
Portal
User
Dashboard
1
Apply Policy Rules to Requested
Case Content
4
Users see only
information
permitted by
their role and
policy profile
Request
Output
Templates
Output
Templates
Information
Requests
2
Case Management
Registry
Services
3
Output
Templates
Output
Templates
Case
Documents
XML
Response
Output
Templates
Output
Templates
Requested
Information
5
User
Profiles

6. PRESENTATION AGENDA
 Part 1
Problem introduction and policy methods
overview
 Part 2
Design time technical walkthrough of rule
assertions example
 Part 3
Run time deployment with registry services

7. PART 1 – PROBLEM INTRODUCTION
Policy Methods Overview

8. USE CASE – SAR CASE MANAGEMENT
 Three levels of information access
 Citizen level reporting - SAR statistics
 Local law enforcement officials - case review
 State and Federal - case management and
coordination
 This means three profiles:
 Profile 1 - Registry query - statistics results
 Profile 2 - Local staff
 Profile 3 - Regional staff
8
SAR – Suspicious Activity Report

9. POLICY GRANULARITY
Electronic Policy Statements
Coarse-
Grained
Role-based authorization of
subjects.
Access granted to coarse-grained
data objects.
E.g., “Permit law enforcement to
access the NCIC Wanted Persons
Database.”
Fine-Grained
Attribute-based authorization of
subjects.
Access limited to specific data
objects based on attributes.
E.g., “Permit law enforcement to
access criminal history records if
the records were created by the
requester’s agency.”
9

10.  Actions.
RULE AND CONTEXT METADATA
Electronic Policy Statements 10
Properties of the access rules and environment.
• Conditions.
– Subject.
– Resource.
– Policy.
• Obligations.

11.  Express policies in a structured
language (e.g., XML)
 Identify requesters
 Compare data collection and
release purposes
 Enforce retention rules
 Notify data owners and
subscribers
 Verify compliance
PRIVACY AND SECURITY ARCHITECTURES
Privacy and Security Architectures 11

12. MAPPING TO DATA STANDARDS
Privacy and Security Architectures 12
•GFIPMUser
Metadata
•NIEM
•GFIPM
Content
Metadata
•XACMLActions
Electronic
Policy
Statements

13.  A mechanism to
specify policy rules
in unambiguous
terms
 XML Access
Control Markup
Language (XACML)
 Machine-readable
 Supports
federated and
dynamic policies
POLICY AUTHORING LANGUAGE
Privacy and Security Architectures 13

14. XACML ARCHITECTURE
Privacy and Security Architectures 14
Term Description
PAP Policy Administration Point - Point which manages policies
PDP Policy Decision Point - Point which evaluates and issues authorization decisions
PEP Policy Enforcement Point - Point which intercepts user's access request to a resource and enforces PDP's decision.
PIP Policy Information Point - Point which can provide external information to a PDP, such as LDAP attribute information.
http://en.wikipedia.org/wiki/XACML

15. XACML STATEMENTS
Privacy and Security Architectures 15
PolicySets
Policies
Rules •Obligations
•Functions
Targets •Attributes

16. Policy Matrix Rule XACML Statement
Party Subject to Rule
Subject Condition(s) Conditions.
Subject(s) Subject(s).
Subject Information Context Subject(s) attributes.
Rule Action Action(s). Action(s) attributes.
Data Resource Subject to Rule
Target Resource(s) Resource(s).
Other Resource Context Resource(s) attributes.
Other Resource Conditions Conditions.
Circumstances in Which the Rule Applies
General or Action Policy Conditions Purpose(s).
Obligations and Environments If [zero or more [Subject(s) Action(s) and/or Resource(s), and/or
Environment(s) attributes) [Condition(s)] are met] with [zero or more
Obligation(s) to be performed].
Rule Activity
Deny/Permit by Statute/Policy Effect = PERMIT or DENY.
Administrative Information
Precedence PolicyCombiningAlgorithm(s), RuleCombiningAlgorithm(s).
References PolicyID, RuleID.
Linkages PolicyID, RuleID.
Policy Matrix Editors Does not translate to XACML.
ENCODING RULES INTO XACML
Privacy and Security Architectures 16

17. PART 2 – DESIGN TIME WALKTHROUGH
Design Time Rule Assertions Concepts

18. USING POLICY TEMPLATES
 Traditional NIEM approach focuses on the
information exchange data handling
 Uses XSD schema to define content structure
and metadata
 Need is for a bridge between the NIEM
schema, the XML information instances and
the XACML rule assertion language
 Approach is based on visual content structure
templates with declarative rule assertions
18

19. D E P L O Y E D
APPROACH IN A NUTSHELL
XACML
Engine
Rule
Assertions
P O L I C I E S
Output
Templates
Output
Templates
Exchange
Structures
Policy
Assertion
Template
2
S C H E M A
NIEM
IEPD
1
XACML
Generation
Tool
3
XACML
XML
Script
4
Rules Asserted to
Nodes in the Exchange
Structure via simple
XPath associations
19

20. SAR VISUAL TEMPLATE + RULE ASSERTIONS
Rules Assertions
associate and control
access privacy to
specific content areas
in the SAR details
structure
Visual metaphor
allows policy
analysts to verify
directly
20

21. Rule
Assertions
NIEM data flows
NIEM / GRA OPERATIONAL SCENARIO
XACML
Engine
Information Exchange
5
INTERFACES
P O L I C I E S
CAM Editor
Visual Designer
Output
Templates
Output
Templates
Exchange
Templates
1
Information Exchange
3
INTERFACES
4
S C H E M A
NIEM
IEPD
NIEM
XML
NIEM
XML
Generated
XACML
Rules
2
21

22. CAM TOOLKIT + CAMV ENGINE
 Open source solutions – designed to
support XML and industry vocabularies
and components for information
exchanges
 Implementing the OASIS Content
Assembly Mechanism (CAM) public
standard
 CAMV validation framework and test
suite tools
 Development sponsored by Oracle
CAM Editor resources site:
http://www.cameditor.org
22

23. NEXT STEPS
 Enhance CAM Editor UI to provide wizards
for policy rule assertion entry
 Provide XSLT to generate XACML from
CAM template
 Enhance reporting tools to show policy
details in plain English details
 Test with sample JPS NIEM exchange
schema
23

24. PART 3 – DEPLOYMENT WITH REGISTRY
Illustrative deployment with XACML services and application

25. APPLICATION SCENARIO DETAILS
Electronic Policy Statements 25
Policy Rules
Portal
User
Dashboard
1
Apply Policy Rules to
Requested Case Content
(PDP Engine)
4Users see only
information
permitted by
their role and
policy profile
Request
Output
Templates
Output
Templates
Information
Requests
2
Case Management + PAP
Registry
Services
3
Output
Templates
Output
Templates
Case
Documents
XML
Response (PEP)
Output
Templates
Output
Templates
Requested
Information
5
User
Profiles
XMLXMLXML XACML

26. REGISTRY POLICY ENFORCEMENT
Privacy and Security Architectures 26
PAP
•Defines policies.
•Monitors compliance.
PDP
•Receives requests from the PEP.
•Identifies policies that match each request.
•Evaluates request and environment attributes.
•Directs the PEP.
PEP
•Discloses or redacts the information or denies the request.
•Logs the request and action.
•Notifies of the request and action.

27. PRIVACY POLICY TECHNICAL FRAMEWORK
Privacy and Security Architectures 27

28. PUBLISHING CONTENT (BULK IMPORT TOOL)
Bulk loader will
trawl server and
folder location
for content –
e.g. original
SAR XML
documents
Bulk Publish of SAR documents
28

29. SAR DISCOVERY AND RETRIEVAL
SAR Discovery
Query (easily
extended / tailored
without code
changes)
allows rapid
prototyping and
verification of
content and
operations
Results returned
digest and content
retrieval options
29

30. SUMMARY
Review

31. KEY MESSAGES
 Dramatically simpler policies adoption
 Can be rapidly developed with existing tools
 Can be visually inspected and verified by
policy analysts
 Enables use of dynamic contextual policies
 Supports international standards work
31

32. CONTRIBUTORS
 James E. Cabral Jr. – IJIS/OASIS and MTGM LLC
 David Webber – Oracle Public Sector NIEM team
 Farrukh Najmi – OASIS ebXML RegRep, SunXACML
project and Wellfleet Software
32

33. RESOURCES
 OASIS CAM and tools project site
https://www.oasis-open.org/committees/cam
http://cameditor.org (sourceforge.net)
 OASIS XACML and tools project site
https://www.oasis-open.org/committees/xacml
http://sunxacml.sourceforge.net/
 OASIS ebXML RegRep and Implementing Registry
https://wiki.oasis-open.org/regrep/
http://goo.gl/cEpnC
33