August 24th, 2010 Security Conference Call
Security Working Group Meeting
Attendees
- Tabitha Albertson
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Michelle Johnston
- Vannak Kann
- Pat Pyette
- David Staggs
- Cliff Thompson
- Serafina Versaggi scribe
- Tony Weida
- Craig Winter
Agenda
- (05 min) Roll Call, Accept Minutes August 10th Security Work Group, Call for additional agenda items & Accept Agenda
- (05 min) Pat Pyette - PASS Audit Update
- (50 min) Security and Privacy Ontology project
- Tony Weida to present draft model in Protégé
Minutes
1. Action Items
- During next week's Security WG meeting, there will be a 10 minute overview of the following sources for this Ontology:
- Suzanne: Will present Neumann and Strembeck
- Mike: Will present ASTM 1986-09 and ISO 22600-2, both of which address functional and structural roles
- Ed Coyne: Will present term definitions from ANSI/INCITS 359-2004
- Tony: Verify that the relationship between constraint and permission in the draft ontology is in alignment with ANSI/INCITS 359-2004
2. Resolutions
See "Decisions" below
3. Updates/Discussion
Administrivia
- Motion by Pat Pyette to approve minutes of 10 August; seconded by Suzanne Gonzales-Webb
- Agenda accepted
- The post-ballot reconciliation version of the Composite Security and Privacy Domain Analysis Model has been generated and is posted along with the final consolidated ballot reconciliation comment spreadsheet on GForge.
PASS Audit Update
- The PASS Healthcare Audit Control Services – Patient Privacy Capabilities ballot is now open for comment through September 27.
- You must sign up to vote on this ballot by September 20
- No meeting was held this week, but we will reconvene next Monday to complete the Security Risk Assessment for the PASS Audit project
- The week after next will focus on next steps for PASS
Security and Privacy Ontology Project
- The Ontology project is now underway in earnest
- We’ll be looking at developing the ontology for the Role class based on the Composite Security and Privacy Domain Analysis Model (DAM)
- Model the HL7 material for the Permission Catalog which was balloted as a basis for functional roles
- As an example, we will put in the ASTM 1986-09 structural roles which have been mapped to SNOMED-CT
- During next week's meeting, there will be a brief overview of the following documents that were used as background for the HL7 Permissions Catalog. These documents will also be used to inform this ontology, along with the Composite Security and Privacy Domain Analysis Model that was balloted in May 2010.
- G. Neumann and M. Strembeck: A Scenario-driven Role Engineering Process for Functional RBAC Roles
- Describes the relationships between actions, objects, constraints and roles
- ANSI-INCITS 359-2004 – Role Based Access Control (RBAC)
- This standard defines the basic RBAC elements (users, roles, permissions, operations and objects) and their relationships, including role hierarchies and aspects of constraints. It also includes a specification that describes the features required of an RBAC system.
- HL7 Role Engineering Process (derived from the Neumann and Strembeck scenario-driven process listed above)
- This background material supports the core concepts and relationships between the things that will be in the ontology
- To date, we’ve had several calls that are tutorial in nature where we’ve talked about what we might be doing. Now we’re going to firm up what we’re doing.
- The process we’ll use is to go through the classes of the Composite Security and Privacy Domain Analysis Model that was balloted in May and examine them for contributions to this ontology
- We’ll start with the Role class
- Serafina raised a question about using the term “Role” considering that during ballot reconciliation for the Composite DAM, the group decided to rename the Role class to SecurityRole (where FunctionalRole and StructuralRole are specializations of SecurityRole). The question was raised because we’re referring to other materials/standards where the term Role is considered to be “equivalent” to the DAM’s SecurityRole.
- Mike: vocabulary is important, but the concepts are more important
- Decision: Whenever the DAM is referring to SecurityRole we can agree that we are referring to the concept of Role – as defined by ANSI/INCITS 359-2004.
- The concept of Role is often overloaded. The HL7 Permission Catalog is a subset of the concept of “SecurityRole”, although it uses the term Role.
- Let’s choose to be compliant with the relevant standards.
- If we’re talking about the class from the DAM, we’ll use the term SecurityRole.
- If we’re talking about the definitions of things inside other standards, we’ll use their terms; for instance, the HL7 Permission Catalog uses the term Role from ANSI/INCITS 359-2004.
- Or we can figure out how to reconcile these differences. We can point them out specifically where they occur, or ask Tony to weigh in on other options
- Tony: In some representation systems, there is a separation between the concepts and the names used to refer to those concepts. OWL doesn’t allow you to associate multiple terms with the same concept, which would allow us to say that SecurityRole and Role are two ways of naming the same thing.
- What you can do in OWL is to define one concept to be equivalent to a second concept, so this might be one way to get at the association, although cumbersome
- Another thing is to add annotations, including comments to document our work. We could indicate that these two terms are referring to the same concept
- Tony brought up the fact that in some contexts, a distinction is made in RBAC between the concept of StructuralRoles and FunctionalRoles
- If we choose to refer to Roles more precisely as SecurityRoles, that brings up the question as to whether there are “StructuralSecurityRoles” and “FunctionalSecurityRoles”
- The DAM indicates that FunctionalRole and StructuralRole are specializations of SecurityRole
- This would make things consistent between the terms Role and SecurityRole
- In the class hierarchy, we can arrange the FunctionalRole and StructuralRole classes under the SecurityRole class, if the decision is to use SecurityRole as the generic class (instead of Role)
- Mike agreed that this would be preferred since we’re building the ontology off the DAM, so the ontology should reflect SecurityRole
- Decision: Use the class names defined in the DAM for the Ontology. The HL7 vocabulary can be used to describe instances of FunctionalRoles, while the ASTM 1986-09 vocabulary serves as an example of a StructuralRole set.
- Decision: We will make use of the Protégé/OWL tool which allows us to annotate various elements of the ontology (including references to standards) and will make it clear that the concepts of Role and SecurityRole are equivalent
- Tony presented the draft Ontology as it currently stands in Protégé 4.1. As background, Tony mentioned that based on discussions that took place yesterday with Mike and a few others present on today’s call, there will be some changes to the organization of the ontology which will lead to several changes in terms of names, additions of classes, etc., so this is a work in progress.
- There are several different ways of making a pass through the classes and visualizing how they fit together. One example is a Protégé plug-in tool (OWLViz) that allows you to look at the relationships as they are modeled in the ontology
- Tony proceeded to display the draft ontology to the group. Some of the notable comments and questions captured below:
- Permission involves exactly one operation and exactly one object
- A Permission Catalog (which wasn’t previously in the draft Ontology) is a collection of permissions
- Because one of the functions of ontologies is to provide a common vocabulary for talking about these things, some of the classes and instances of things may play a direct role in decision making about granting access requests.
- Other things, such as the Permission Catalog, apply to an organization
- Is it correct to say that we want to define Functional Roles as a collection of Permissions?
- Mike: That’s true, but the concept applies to security roles in general. Even for structural roles, you can define an operation on the object. For instance, if the operation is to participate in a workflow: at the structural role level, you participate, and the workflow is the object. Anything that we call a SecurityRole would have a permission. If you look at the DAM (Figure 1.1.1), you’ll see the relationship to Permission from the SecurityRole class. It is inherent in the model itself.
- Tony will make a change to the model offline based on this clarification.
- Mike: Just to clarify my previous statement about structural roles. In structural roles, the permissions are at such a high level, they are accepted as inherent to the role itself. For these very high-level roles, the presence of the permission is assumed without making a deal about it, whereas with Functional Roles, we do make a big deal of it. Conceptually it applies equally to everything.
- Tony: I note that sometimes one refers to Structural Role and other times to Organizational Role. Is there a preference between these two terms?
- Mike: The Structural Role is a security role used to control access to stuff – it’s part of the security system. An Organizational Role identifies a person’s place in the organization according to the type of job they do; it doesn’t necessarily imply a security aspect explicitly. So we wouldn’t necessarily see an Organizational Role in a security catalog of roles, but we would see it listed administratively in the organization. There is overloading of terms where these roles are used for different purposes. That’s not to say that you can’t take an Organizational Role and apply it to a security case, but I think in that case, we call it a Structural Role.
- Tony: So we don’t need to include Organization Role in the hierarchy in this ontology?
- Mike: We don’t have to make a decision here. Instead we should look at ISO 22600-2 – PMAC to confirm.
- Constraints determine how permissions may be applied, and these are reflected in the Constraint Catalog
- The line between constraint and permission needs to be validated against Neumann and Strembeck and ANSI/INCITS 359-2004 to determine whether the way it is currently being modeled in the draft ontology is correct.
- Action Item: Tony will verify the relationship between constraint and permission and adjust as necessary
- Decision: We will indicate the standards choices we used to establish the relationships (and definitions) by annotating the elements in the ontology
- David Staggs raised a question about the term RoleSet: I don’t see the concept of Roleset anywhere in the Domain Analysis Model.
- Mike: We discussed the concept of RoleSet yesterday. Roleset is a collection of functional roles within an organization. There is no standardized collection of functional roles however. This is a term of art that we’ve penned for now, and there is nothing more formal than that. But this is what we are referring to by the term Roleset.
- The OWLViz visualization tool was used to show the draft ontology model
- Mike asked whether there is a way to show the ontology to people who don’t have OWL or Protégé? Screen shots for instance?
- Tony: There are a number of free tools that can be used. Protégé v.4.1 is what the ontology is being built in because it supports many of the features of the OWL 2.0 language. There are other tools under development as well, including an OWL client/server setup that would allow you to host a Protégé server that people can connect to using their own Protégé clients.
- We can also publish the ontology in a web browser, but not right at this moment with current versions of OWL 2.0 and version 4 of the plug-in for Protégé 4.1. So right now, periodic screen shots are the simplest mechanism to widely distribute this information.
- We could also export the files so that people could load them on their own machines.
- Color coding in the diagram distinguishes between fully-defined concepts in OWL (orange) and others which are only partially defined using description logic.
- Mike said that he noted this is not using 509-compliant color coding. Are there options beside the use of colors to distinguish these things?
- Tony: Not with the current Protégé plug-ins, but I can investigate. If we really want to do that, we might have to convert this ourselves into an input format that a 509-compliant renderer can read.
- Mike: So there is no easy way to know whether something is just an example, or really part of the model.
- Tony: Not in the OWLViz view, but from the classes view, if you hover over a class, it gives you a name of the ontology it’s in (a URI).
- OntoGraf is another viewer
- Pat Pyette asked whether a copy of the work in progress could be published on a semi-regular basis so that people who have Protégé installed can walk through the model to review prior to these meetings so they can be better prepared to comment.
- Tony will publish as soon as the re-organization is complete. He will send links to the model along with a summary of the changes via the Security and CBCC list servers. The model will likely be posted on the Security and Privacy Ontology wiki page.
- Next Week: A 10 minute overview of the references discussed in the beginning of the presentation will take place during the first part of next week’s hour. This overview is to define the terms and concepts that we will be using from these references in the ontology.
- Action Item: Suzanne will present Neumann and Strembeck
- Action Item: Mike will present ASTM 1986-09 and ISO 22600-2, both of which address functional and structural roles
- Action Item: Ed Coyne will present term definitions from ANSI/INCITS 359-2004
- Tony suggested that we also establish a strict order of preference for choosing names of things when the sources conflict. This will also be a topic for discussion in next week’s meeting.
The meeting was adjourned at 2:10 PM EDT
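The following OWL 2 fragment (Turtle syntax) is an added illustration of the modelling decisions recorded in these minutes; it is not the working group's draft ontology and was not presented on the call. It covers both the naming discussion (SecurityRole as the DAM class, with the ANSI/INCITS 359-2004 term Role declared equivalent to it and the source of each element recorded as an annotation) and the notes from Tony's walk-through (a Permission involving exactly one operation and exactly one object, a Permission Catalog as a collection of permissions, Constraint, and the working-group term RoleSet). The namespace, the `source` annotation property, all property names, and the example instances are assumptions made for the illustration.

```turtle
@prefix :     <http://example.org/hl7/security-ontology#> .  # hypothetical namespace
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<http://example.org/hl7/security-ontology> a owl:Ontology ;
    rdfs:comment "Illustrative fragment based on the 2010-08-24 Security WG minutes; not the project's ontology." .

# Annotation property (assumed name) that records which standard each element is taken from,
# per the decision to annotate elements with their standards choices.
:source a owl:AnnotationProperty ;
    rdfs:comment "Standard or document from which this element's definition is drawn." .

# --- Roles: DAM class names, ANSI term declared equivalent ---------------------
:SecurityRole a owl:Class ;
    rdfs:label "SecurityRole" ;
    :source "HL7 Composite Security and Privacy DAM (May 2010 ballot)" .

# ANSI/INCITS 359-2004 'Role' and the DAM's 'SecurityRole' name the same concept.
:Role a owl:Class ;
    owl:equivalentClass :SecurityRole ;
    rdfs:label "Role" ;
    :source "ANSI/INCITS 359-2004" ;
    rdfs:comment "Kept as a named class so that material citing the ANSI term resolves to the DAM concept." .

:FunctionalRole a owl:Class ;
    rdfs:subClassOf :SecurityRole ;
    :source "HL7 Permission Catalog (functional roles)" .

:StructuralRole a owl:Class ;
    rdfs:subClassOf :SecurityRole ;
    :source "ASTM 1986-09 (structural roles)" .

# --- Permissions: exactly one operation and exactly one object --------------------
:Operation a owl:Class ;  :source "ANSI/INCITS 359-2004" .
:Object    a owl:Class ;  :source "ANSI/INCITS 359-2004" .

:hasOperation a owl:ObjectProperty ; rdfs:domain :Permission ; rdfs:range :Operation .
:hasObject    a owl:ObjectProperty ; rdfs:domain :Permission ; rdfs:range :Object .

:Permission a owl:Class ;
    rdfs:subClassOf
        [ a owl:Restriction ; owl:onProperty :hasOperation ;
          owl:qualifiedCardinality "1"^^xsd:nonNegativeInteger ; owl:onClass :Operation ] ,
        [ a owl:Restriction ; owl:onProperty :hasObject ;
          owl:qualifiedCardinality "1"^^xsd:nonNegativeInteger ; owl:onClass :Object ] ;
    :source "ANSI/INCITS 359-2004" .

# Every SecurityRole, structural or functional, carries permissions (DAM Figure 1.1.1).
:hasPermission a owl:ObjectProperty ; rdfs:domain :SecurityRole ; rdfs:range :Permission .

# A Permission Catalog is a collection of permissions.
:containsPermission a owl:ObjectProperty ; rdfs:domain :PermissionCatalog ; rdfs:range :Permission .
:PermissionCatalog a owl:Class ;
    rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :containsPermission ;
                      owl:someValuesFrom :Permission ] ;
    :source "HL7 Permission Catalog" .

# Constraints determine how permissions may be applied; the exact relationship to
# Permission is still to be validated against ANSI/INCITS 359-2004 (open action item).
:Constraint a owl:Class ; :source "Neumann and Strembeck; ANSI/INCITS 359-2004" .
:constrains a owl:ObjectProperty ; rdfs:domain :Constraint ; rdfs:range :Permission ;
    rdfs:comment "Provisional modelling; pending the constraint/permission alignment check." .
:ConstraintCatalog a owl:Class ;
    rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :containsConstraint ;
                      owl:someValuesFrom :Constraint ] .
:containsConstraint a owl:ObjectProperty ; rdfs:domain :ConstraintCatalog ; rdfs:range :Constraint .

# RoleSet: working-group term of art, a collection of functional roles within an organization.
:memberRole a owl:ObjectProperty ; rdfs:domain :RoleSet ; rdfs:range :FunctionalRole .
:RoleSet a owl:Class ;
    rdfs:subClassOf [ a owl:Restriction ; owl:onProperty :memberRole ;
                      owl:allValuesFrom :FunctionalRole ] ;
    rdfs:comment "Term coined by the WG; there is no standardized collection of functional roles." .

# --- Constructed example instances (not from any standard) ------------------------
:op_example  a :Operation .
:obj_example a :Object .
:perm_example a :Permission ;
    :hasOperation :op_example ;
    :hasObject    :obj_example .
:functionalRole_example a :FunctionalRole ;
    :hasPermission :perm_example .
:catalog_example a :PermissionCatalog ;
    :containsPermission :perm_example .
```

Saved as a `.ttl` file, this loads directly into Protégé 4.1 (File > Open) and the annotations show in the class description pane, which is the mechanism the group agreed on for pointing at standards. Two caveats when checking the model with a reasoner: `owl:qualifiedCardinality` requires OWL 2, which is why the group is on Protégé 4.x rather than 3.x; and OWL reasons under the open-world assumption, so a Permission instance that is missing its object is not reported as an error, whereas one asserted to have two objects that are `owl:differentFrom` each other is reported as inconsistent. The restriction therefore documents the intended shape of a Permission but does not, by itself, validate data entered against the catalog.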