Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework

Alberto De la Rosa Algarín, Timoteus B. Ziminski, Steven A. Demurjian, Robert Kuykendall, Yaira K. Rivera Sánchez

Abstract

Securing electronic data has evolved into an important requirement in domains such as health care informatics, with the eXtensible Markup Language (XML) utilized to create standards such as the Clinical Document Architecture and the Continuity of Care Record, which have led to a need for approaches to secure XML schemas and documents. In this paper, we present a method for generating eXtensible Access Control Markup Language (XACML) policies that target XML schemas and their instances, allowing instances to be customized for users depending on their roles. To do so, we extend the Unified Modeling Language (UML) with two new diagrams to model XML: the XML Schema Class Diagram (XSCD) to define the structure of an XML document in UML style; and the XML Role-Slice Diagram (XRSD) to define roles and associated privileges at a granular access control level. In the process, we separate the XML schemas of an application from its security definition in XRSD. To demonstrate the enforcement of our approach, we utilize a personal health assistant mobile application for health information management, which allows patients to share personal health data with providers utilizing XACML for security definition.

References

  1. Baumer, D., Earp, J. and Payton, F. 2000. Privacy of medical records: IT implications of HIPAA. ACM SIGCAS Computers and Society, 30, 4, 40-47.
  2. Bertino, E. and Ferrari, E. 2002. Secure and selective dissemination of XML documents. ACM Transactions on Information and System Security (TISSEC), 2002, 5, 290-331.
  3. Bertino, E., Castano, S., Ferrari, E. and Mesiti, M. 2002. Protection and administration of XML data sources. Data & Knowledge Engineering, Elsevier, 2002, 43, 237-260.
  4. Bertino, E., Carminati, B. and Ferrari, E. 2004. Access control for XML documents and data. Information Security Technical Report, Elsevier, 2004, 9, 19-34.
  5. Clark, J. et al. 1999. XSL transformations (xslt) version 1.0. W3C Recommendation, 16, 11, 1999.
  6. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S. and Samarati, P., 2000. Design and implementation of an access control processor for xml documents. Computer Networks, 33, 1, 59-75.
  7. Damiani, E., Fansi, M., Gabillon, A. and Marrara, S. 2008. A general approach to securely querying xml. Computer Standards & Interfaces, 30, 6, 379-389.
  8. De la Rosa Algarín, A., Demurjian, S., Berhe, S., PavlichMariscal, J. 2012. A Security Framework for XML schemas and Documents for Healthcare. Proceedings of 2012 International Workshop on Biomedical and Health Informatics (BHI 2012), 782-789.
  9. Dolin, R.H., Alschuler, L., Boyer, S., Beebe, C., Behlen, F.M., Biron, P.V. and Shvo, A.S. 2006. HL7 clinical document architecture, release 2. Journal of the American Medical Informatics Association, 13, 1, 30- 39.
  10. Estrin, D., and Sim, I. 2010. Open mHealth architecture: an engine for health care innovation. Science (Washington), 330 (6005), 759-760.
  11. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R. and Chandramouli, R. 2001. Proposed nist standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), 4, 3, 224- 274.
  12. Kuper, G., Massacci, F. and Rassadko, N. 2005. Generalized XML security views. Proceedings of the tenth ACM symposium on Access control models and technologies, 2005, 77-84.
  13. Leonardi, E., Bhowmick, S. and Iwaihara, M. 2010. Efficient database-driven evaluation of security clearance for federated access control of dynamic XML documents. Database Systems for Advanced Applications, 2010, 299-306.
  14. Müldner, T., Leighton, G. and Miziolek, J. 2009. Parameterized Role-Based Access Control Policies for XML Documents. Information Security Journal: A Global Perspective, Taylor & Francis, 2009, 18, 282- 296.
  15. Pavlich-Mariscal, J., Demurjian, S. and Michel, L. 2008. A framework of composable access control definition, enforcement and assurance. SCCC'08. International Conference of the IEEE, 2008, 13-22.
Download


Paper Citation


in Harvard Style

De la Rosa Algarín A., B. Ziminski T., A. Demurjian S., Kuykendall R. and K. Rivera Sánchez Y. (2013). Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework . In Proceedings of the 9th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-989-8565-54-9, pages 16-25. DOI: 10.5220/0004366200160025


in Bibtex Style

@conference{webist13,
author={Alberto De la Rosa Algarín and Timoteus B. Ziminski and Steven A. Demurjian and Robert Kuykendall and Yaira K. Rivera Sánchez},
title={Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework},
booktitle={Proceedings of the 9th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,},
year={2013},
pages={16-25},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004366200160025},
isbn={978-989-8565-54-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,
TI - Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework
SN - 978-989-8565-54-9
AU - De la Rosa Algarín A.
AU - B. Ziminski T.
AU - A. Demurjian S.
AU - Kuykendall R.
AU - K. Rivera Sánchez Y.
PY - 2013
SP - 16
EP - 25
DO - 10.5220/0004366200160025