Secure Retrieve
Brief Profile Proposal for 2014/15 presented to the IT Infrastructure Planning Committee
Mauro Zanardini (consorzio Arsenàl.IT)
October 9th 2013, Oak Brook
The problem:
• Centralized Access Control systems are required in many organizational and legal contexts:
  • When access NEEDS to be regulated by the actors that store clinical data and not by the Consumer of that data (as in a BPPC approach)
  • When the published Policies and Consent documents are not known to (or cannot be accessed by) each node of the system.
  • When an “upgrade” is needed for an XDS Environment already deployed without strong regulation of accesses.
XDS specialization of the problem:
In an XDS environment, the central role of the Registry and the need to obscure even the existence of entries that cannot be accessed make this Actor the pivot for Access Control systems.
GOAL: Create a federated system for data access with a clear split of responsibilities:
• The Policy Manager is responsible for filtering accesses (so it manages a complex set of data: user information, relations between users and patients, roles, contexts, workflow participants…)
• XDS Repositories only have to store documents and give access to them, without any knowledge of the user/role/consents/policies etc…
Actors that store clinical data NEED to trust a previous decision made by the Policy Manager.
Requirements
• The proposal does not want to address Policy Manager functionalities.
• The proposal does not want to affect the XDS infrastructure and does not want to affect the basic functionalities of XDS. The idea is to allow the actors involved in an XDS environment to share the certification that the Policy Manager has granted (at this time) a user access to a specific resource.
• This proposal would like to solve the problem with an efficient solution that has a lower impact (and a lower integration burden) when adopted in an already deployed XDS environment.
Proposed Standards & Systems
• XML Digital Signature
• SAML 2.0
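The repository-side check implied by the requirements above, as an added example that is not part of the original presentation. It assumes the grant is carried as a SAML 2.0 `AuthzDecisionStatement` and that the assertion's XML Digital Signature has already been validated by an XML-DSig library before this function runs; the issuer identifier, user name and document identifier are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "urn:example:policy-manager"  # hypothetical Policy Manager identifier

# Constructed sample assertion; the ds:Signature element is omitted (assumed verified upstream).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2013-10-09T10:00:00Z">
  <saml:Issuer>urn:example:policy-manager</saml:Issuer>
  <saml:Subject><saml:NameID>dr.rossi</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-10-09T10:00:00Z"
                   NotOnOrAfter="2013-10-09T10:05:00Z"/>
  <saml:AuthzDecisionStatement Resource="urn:oid:1.2.3.4.5" Decision="Permit">
    <saml:Action Namespace="urn:example:xds">Retrieve</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_grant(assertion_xml, user, document_id, now):
    """Return (allowed, reason); deny unless every claim matches this request."""
    if "<!DOCTYPE" in assertion_xml:  # refuse DTDs and entity tricks outright
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError:
        return False, "malformed assertion"
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML assertion"
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:  # a grant "at this time" must carry a validity window
        return False, "no validity window"
    try:
        nb, noa = _ts(cond.get("NotBefore", "")), _ts(cond.get("NotOnOrAfter", ""))
    except ValueError:
        return False, "bad validity window"
    if not (nb <= now < noa):
        return False, "outside validity window"
    if root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip() != user:
        return False, "subject mismatch"
    for stmt in root.findall("saml:AuthzDecisionStatement", NS):
        if stmt.get("Resource") == document_id and stmt.get("Decision") == "Permit":
            return True, "permit"  # the grant names exactly the requested document
    return False, "no permit for this document"
```

The Repository needs no knowledge of roles, consents or policies: it only confirms that the trusted issuer permitted this user to retrieve this document within the stated window.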
Profile Structure
• This profile can be structured as an option for the XDS Profile. This option should be supported by the XDS Document Registry, XDS Document Consumer and XDS Document Repository actors.
• Or (less desirable) as a new profile with an approach similar to XUA. In this case we have to introduce 3 new actors and 2 new transactions.
Effort Estimation
• The technical approach proposed could be used for other transactions. This should be taken into consideration before drafting the profile. The problem could be addressed with a general-purpose profile.
• After choosing the approach to use for drafting the profile:
  • Small or Medium work effort.
• Is there someone who is willing to act as profile editor?
  • Mauro Zanardini (Arsenàl.IT), Arianna Cocchiglia (Arsenàl.IT), …