This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "May 11th, 2010 Security Conference Call"

From HL7Wiki
Jump to navigation Jump to search
 
(11 intermediate revisions by the same user not shown)
Line 44: Line 44:
 
#*Meeting ID: 803-352-145
 
#*Meeting ID: 803-352-145
 
====Security and Privacy Ontology Project====
 
====Security and Privacy Ontology Project====
Steve reviewed two additional [http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology#Use_Cases use cases] posted to the S&P Ontology project wiki.  These use cases are based on [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=18199 ISO 10181-3] - Security frameworks for open systems: Access control framework
+
----
#[http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Enable_Design_of_Access_Control_System Enable Design of Access Control System]
+
The focus of today's discussion was on the purpose of use cases in the process of defining an ontology for Security & Privacy
#[http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Facilitate_an_Automated_Decision_Function Facilitate an Automated Decision Function]
+
----
 +
Steve reviewed two additional [http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology#Use_Cases use cases] posted to the S&P Ontology project wiki.  These use cases are based on [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=18199 ''ISO 10181-3''] ''- Security frameworks for open systems: Access control framework''
 +
*''Use Case #1: '' [http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Enable_Design_of_Access_Control_System Enable Design of Access Control System]
 +
*''Use Case #2: ''[http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Facilitate_an_Automated_Decision_Function Facilitate an Automated Decision Function]
 
*ISO 10181 refers to a process that states a Security Policy is written in natural language and it uses broad terminology to express.  It goes through a process in which a Security Domain Administrator (SDA) takes the policy and interprets that policy into rules that are then entered into an access control system.
 
*ISO 10181 refers to a process that states a Security Policy is written in natural language and it uses broad terminology to express.  It goes through a process in which a Security Domain Administrator (SDA) takes the policy and interprets that policy into rules that are then entered into an access control system.
*This use case is a manual process – an SDA takes the security policy and converts it into rules that can be entered into the access control decision function.
+
*''Use case #1'' is a manual process – an SDA takes the security policy and converts it into rules that can be entered into the access control decision function.
*This use case illustrates how an ontology would be used by that security administrator to assist in that activity.
+
**The use case is designed to illustrate how an ontology would be used by that security administrator to assist in that activity.
*Assumption is that the administrator is not a clinical documents subject matter expert.  The focus is to provide a categorization scheme that is aligned with the security policy so the administrator can (1) easily find the object they are interested in and (2) can apply the appropriate security rules to that to be entered into the access control system.
+
**There is an assumption that the SDA is not a clinical documents subject matter expert so the purpose is to provide a categorization scheme that is aligned with the security policy so the administrator can  
*This does not meant the categorization scheme is entered into the Access Control Decision function.  It enables the manual process.
+
#easily find the object(s) they are interested in so they can
*The Basic Scenario – the objects are divided into two categories: clinical documents and administrative objects.  The security policy is very simple. It distinguishes between clinical and administrative objects. *The alternative scenario: the only an alphabetical categorization is used. That provides a base level, minimum requirement.  We assume that the list of objects (say, 1000 objects), browsing through that list is difficult by categorizing them alphabetically; yet it fulfills the requirements by decreasing the size of the list (alphabetically), and aids the administrator to find the object, but it does not provide any information that are the security requirements for the object.  This is applied by the security administrator.
+
#(manually) apply the appropriate security rules to that to be entered into the access control system.
**Politically speaking, the alternative scenario is probably the least disruptive because everyone can agree on an alphabetical scheme, but it does not provide information regarding the security value of those objects.
+
#*The purpose of this use case is to enable the manual process of finding the objects.  It is not meant to imply that the categorization scheme is entered into the Access Control Decision function.
**So the value here is that the ontology supports decreasing the size of the list and aiding in the discovery of the objects.
+
#*The Basic Scenario – the objects are divided into two categories: clinical documents and administrative objects.  The security policy is very simple. It distinguishes between clinical and administrative objects.  
*In ISO 10181, the process which is taken to get to an automated use case, you have to go through the manual use case.  The next use case, #[http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Facilitate_an_Automated_Decision_Function Facilitate an Automated Decision Function], is the automated use case, but a pre-condition is to go through the manual use case.
+
#*The alternative scenario: the only an alphabetical categorization is used. That provides a base level, minimum requirement.  We assume that the list of objects (say, 1000 objects), browsing through that list is difficult by categorizing them alphabetically; yet it fulfills the requirements by decreasing the size of the list (alphabetically), and aids the administrator to find the object, but it does not provide any information that are the security requirements for the object.  This is applied by the security administrator.
 +
#**The alternative scenario is probably the least disruptive because everyone can agree on an alphabetical scheme, but it does not provide information regarding the security value of those objects.
 +
#**The value of use case #1 is to decrease the size of the list of objects to aide the SDA to discover the objects.
 +
*''Use Case #2:'' The [http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology_Use_Cases#Facilitate_an_Automated_Decision_Function Facilitate an Automated Decision Function] is the automated use case based on ISO 10181. A pre-condition of this use case is the manual use case (''use case #1'').
 +
----
 +
Buid-time versus Run-time use cases
 +
----
 
*Last week, Tony described two different kinds of use cases: build-time versus run-time.  Enable Design of Access Control System is an example of a build-time use case; the second, Facilitate an Automated Decision Function is an example of a run-time use case (operational mode).
 
*Last week, Tony described two different kinds of use cases: build-time versus run-time.  Enable Design of Access Control System is an example of a build-time use case; the second, Facilitate an Automated Decision Function is an example of a run-time use case (operational mode).
*This use case does not use the terminology used in ISO 10181, but for all intents and purposes, it is the access control decision function (ADF) which is referred to in ISO 10181.
+
*Use case #2 does not use the terminology specified in ISO 10181, but for all intents and purposes, it is the access control decision function (ADF) which is referred to in ISO 10181.
 
*After the targets and information requestors have been categorized and the rules applied to the ADF, this use case describes how the ADF responds when an information request is received by the system.
 
*After the targets and information requestors have been categorized and the rules applied to the ADF, this use case describes how the ADF responds when an information request is received by the system.
**Basic Scenario: A MD makes a request to see a patient’s clinical data, and the ADF evaluates that against the rules already populated in the system.  Does the request conform to a rule or not. Yes, access is permitted,  
+
**Basic Scenario: An MD makes a request to see a patient’s clinical data, and the ADF evaluates that against the rules already populated in the system.  Does the request conform to a rule or not? If yes, access is permitted,  
 
**Alternative Scenario, request does not conform to the rules and access is denied.  
 
**Alternative Scenario, request does not conform to the rules and access is denied.  
*Although these use cases are simplistic, the belief is that the use cases point out a couple of disagreements as to what the ontology is expected to provide.
+
*Although these use cases are simplistic, the point is that the use cases are supposed to describe what the ontology is expected to provide.
*The two use cases describe functions and how are we going to use the use cases; how are they going to be used by the systemUse Case #1 – minimum requirement – simply used by the SDA to set up the access control system.  To continue, use case #2 – the ontology becomes part of the ADF.  The rules in the ADF rely on the ontology to make a decision
+
*The two use cases describe functions and how the use cases are going to be used by the system.
 +
#Use Case #1 – the minimum requirement – simply used by the SDA to set up the access control system.   
 +
#Use case #2 – the ontology becomes part of the ADF.  The rules in the ADF rely on the ontology to make a decision.
 
*Pat: Is the expectation that the ADF goes out to an ontology service or a terminology service to evaluate the rules?  I have a hard time understanding real-time reliance on an ontology other than in a very abstract way.
 
*Pat: Is the expectation that the ADF goes out to an ontology service or a terminology service to evaluate the rules?  I have a hard time understanding real-time reliance on an ontology other than in a very abstract way.
 
*Mike: Reiterated the work that OASIS is currently undertaking – where they are investigating the use of an ontology to extend XACML.  There is a proposal to create an ontology decision point as part of the XAML specification.  Turns out various produces in this space already implement ontologies as their internal structure.  But these are proprietary, not standard-based.  These are used to more efficiently process rules and are offered as a competitive advantage.  Providing a health care ontology facilitates the industry’s efforts to do this.  
 
*Mike: Reiterated the work that OASIS is currently undertaking – where they are investigating the use of an ontology to extend XACML.  There is a proposal to create an ontology decision point as part of the XAML specification.  Turns out various produces in this space already implement ontologies as their internal structure.  But these are proprietary, not standard-based.  These are used to more efficiently process rules and are offered as a competitive advantage.  Providing a health care ontology facilitates the industry’s efforts to do this.  
*Pat: But how does this use case help us to build an ontology and to know when we’re done or that we’ve met a particular business requirement?  How we use the ontology downstream (the OASIS work for instance) is out of scope for our project.  How do we use these use cases to drive the content of the ontology, or if that’s not the intent of these use cases, I misunderstood.
+
----
*Steve:  This is exactly the intent of these use cases.  What is sufficient for the ontology. Is an alphabetical categorization sufficient? Or on the other end of he spectrum, an ontology that would be used in an ADF in which we can establish rules, that would be part of the ADF.
+
Discussion about the purpose for the use cases as well as the purpose for the Security & Privacy Ontology Project
Rob Horn: My understanding is that the ontology would not be part of the ADF.  I though the use of the use cases would be to be sure that with the ontology we can say the statement that need to be said.   
+
----
**In the use case, you need to make statements such as Dr. Bob makes a request to read Sam’s encounter data.  Can I say that using the terms and relationships of the ontology.
+
*Pat: But how do these use cases help us to build an ontology and to know when we’re done, or that we’ve met a particular business requirement?   
*Steve: Dr. Bob is making the request to the EHR inside of which is the Access Control System inside of which is the ADF. 
+
**I would think that how we use the ontology downstream (the OASIS work for instance) is out of scope for our project.   
*Mike: The OASIS example, the XACML committee produces an architecture and a way of expressing security policy.  XACML architecture has mechanical components like a policy information point that stores policy attributes.  Different business domains provide the vocabulary that would be attributes that go into a policy information point.   
+
**How do these use cases drive the content of the ontology?  If that isn't the intent of these use cases, I don't understand.
**This ontology will provide a hierarchy of health care specific information that an engine would use – it is the gas for the engine.  This use case is pointing out how an ontology would benefit the policy decision point, the components of a 10183-3 ISO solution and providing an instance of that.  What we’ve done so far has not specified anything about conformance.   
+
*Steve:  The intent for the use cases is to build the ontolog(ies).  What is sufficient for the ontology? Is an alphabetical categorization sufficient? Or on the other end of the spectrum, what is sufficient for an ontology that would be used in an ADF so we can establish rules that would be part of the ADF?
**Start with flat terms, then we put an ontology in place to describe the relationship between the terms.   
+
*Rob Horn: My understanding is that the ontology would not be part of the ADF.  I thought the use of the use cases would be to be sure that with the ontology we can say the statement that need to be said.   
 +
**In the use case, you need to make statements such as Dr. Bob makes a request to read Sam’s encounter data.  Can I say that using the terms and relationships of the ontology?
 +
*Mike: Take the OASIS example, the XACML committee produces an architecture and a way of expressing security policy.   
 +
**XACML architecture has mechanical components like a Policy Information Point (PIP) that stores policy attributes.  Different business domains provide the vocabulary that are the attributes that go into a PIP.   
 +
**This ontology will provide a hierarchy of ''health care specific'' information that an engine would use – it is the gas for the engine.   
 +
**This use case is describing how an ontology would benefit the Policy Decision Point (PDP), the components of a 10183-3 ISO solution, and provides an instance of that.   
 +
**But in terms of what we’ve done so far, we've not specified anything about conformance.   
 +
**We've started with flat terms, now we're attempting put an ontology in place to describe relationships between the terms.   
 
*Rob Horn:  How do you know the ontology work is finished?  I thought that when we’re able to express the things that are happening in the use case using the ontology, then we’re finished.
 
*Rob Horn:  How do you know the ontology work is finished?  I thought that when we’re able to express the things that are happening in the use case using the ontology, then we’re finished.
*Pat: I understand that we want to use an ontology to make access control decisions.  I just didn’t think that was the work of this project.  That’s the OASIS work.  How do we make sure our ontology is correct, that those concepts and terms and relationships are correct. I assumed that we would use those use cases to collect the concepts, terms and relationships from those use cases and make sure there is an equivalent in the ontology.  Rather than identifying use cases saying this is how we’re going to use the ontology.
+
*Pat: I understand that we want to use an ontology to make access control decisions.  I just didn’t think that was the work of this project.  That’s the OASIS work.   
*Mike:  It sounds like we’re re-inventing the wheel from your description.  I think Steve’s use case is raising things up a level.  It is providing a framework for the utility.  Bu I don’t think we need to go back to raw use case development to define the terms.  We have an information model.  In terms of an access control system we know all the components.
+
**How do we make sure our ontology is correct, that those concepts and terms and relationships are correct? I assumed that we would create use cases to collect the concepts, terms and relationships and from those use cases, make sure there is an equivalent in the ontology.   
*Pat disagrees.  The initial concept of the ontology was based on the fact that when we started to put the Privacy DAM with the Security DAM that we would end up with impedance mismatch.  Disclosure, for instance, that’s a privacy term.  What does it mean from a security perspective. We don’t have a mapping for that.  I thought that is what the ontology was supposed to do – to correct the impedance mismatch between the domain analysis models as opposed to how will we use the ontology once it’s finished.
+
**I didn't think that we were identifying use cases that say, this is how we’re going to use the ontology.
*Steve: We specified that we would focus on access control in the near term.
+
*Mike:  It sounds like we’re re-inventing the wheel from your description.  I think Steve’s use case is raising things up a level.  It is providing a framework.  Bu I don’t think we need to go back to raw use case development to define the terms.  We have an information model.  In terms of an access control system we know all the components.
*Mike: I don’t think we specified in the scope statement that the purpose was to do some reconciliation between privacy and security.  That may be something that happens, but the scope statement says that we would create an ontology that would be useful for systems making access control decisions.  We have a vocabulary through the HL7 Permission Catalog supposed RBAC and we would start with something like that to create an ontology of the permission catalog which has been something specifically brought up before this group.
+
----
*Pat: The impression I was under is that is where we were going to start, but not where we were going to end.  It sounds like the discussion is that it is access control based on RBAC and the permission catalog and end of story.  I could be getting the wrong impression...
+
Security & Privacy Ontology Scope Statement
*Mike: Can you accept that the use case that Steve is presenting is a use case for access control, an investigation into the vocabularies and the creation of an ontology for that use case. That high-level use case is a way of bounding a problem view.  That helps us to determine when we’re done.  By working through real-world use cases, we go back to our Information Model and apply it to one of these use cases.  We conduct investigations of the use cases, so the use cases are the things that we’re interested in doing and the scope is whatever is in the use cases.  Hopefully these will be informative and we use the information model as the defined source of the vocabularies if they exist.
+
----
*Pat: That explanation clarifies the situation
+
*Pat disagreed.  The initial concept for the ontology was based on the fact that when we started to harmonize the Privacy DAM with the Security DAM we thought we would end up with impedance mismatch.  Disclosure, for instance, is a Privacy term.  What does it mean from a Security perspective?  
*Definition of the use cases should establish when we’re done (relatively speaking).  We don’t have a specific goal at this point, for example to cover every concept in the information model.
+
**We don’t have a mapping for that.  I thought the ontology was supposed to correct the impedance mismatch between the domain analysis models as opposed to how the ontology would be used once it’s finished.
*Steve: The first five use cases on the wiki were written with the idea that they would be used by an ADF.  We create an ontology of actions, an ontology of objects, an ontology of roles.  These would be in the access control system and used to make access control decisions.  After having written those, I realize that I may have been jumping the gun by assuming these ontologies would be used inside the access control system.  There is obviously other places where ontologies could be used as well.  So that’s why I went back to write the final use cases to set the operating framework.  I realize this is confusing, but I think there is another situation that Mike referred to blast week, where the ontologies are used to write policy.  So that’s not a use case that I have incorporated here, but that could be valuable.
+
*Steve: The project scope statement specified that we would focus on access control in the near term.
*Richard: That seems to me to be the most useful use case.  The kinds of choices people want to make.  
+
*Mike: I don’t think the scope statement specified that the purpose was to reconcile Privacy and Security.  That may be something that happens, but the scope statement says that we will create an ontology useful for systems making access control decisions.  We have a vocabulary through the HL7 Permission Catalog supporting RBAC. We discussed using the Permission Catalog to get started as we create this ontology.  
*Don: I checked the project scope statement, and that is actually #1 to be covered by the ontology.
+
*Pat: The impression I has was that we were going to start there, but that is not where we were going to end.   
*Mike: I agree, we need to flesh out in addition to the use cases to enforce the policy, we need to create use cases to express the policy.
+
**From this discussion, it sounds like it is access control based on RBAC and the Permission Catalog and that's the end of the story.  I could be getting the wrong impression...
*John:  In what way is this ontology similar or different than the security DAM and why are we not starting with the same use cases?   
+
*Mike: The use cases Steve presents are use cases for access control - an investigation into the vocabularies and the creation of an ontology for those use cases?  
*Mike:  That’s a good point.  It gets back to the fact that we should not be creating use cases from scratch.  We should be using use cases that are derived from the RBAC work and the Security DAM work.   
+
**That high-level use case is a way of bounding a problem view.  This helps us to determine when we’re done.   
**I’m viewing the use cases that Steve is presenting here more from setting the work areas that we’re interested in.  We have one that cover the notion of an ontology as the means to perform access control decision function.  We need one that provides an ontology that would be useful for describing privacy policy.  We want to take out of the IM the things that would be useful for policy purposes and putting those concepts into an ontological framework.  The use case for that is describing the need to do that to create a consent directive for example.
+
**By working through real-world use cases, we can go back to our Information Model (IM) and apply the IM to one of these use cases.   
*Steve:  I assume that the use case for the harmonized DAM are included and that my intention is that these extend those use cases.  Last week when I discussed the multiple role value use case, you said that’s already in the harmonized DAM; if it is represented that I agree, that use case is superfluous.  There is no intent to duplicate the use cases that are included in the DAM.   
+
**The use cases are the things that we’re interested in doing and the scope is whatever is in the use cases.  Hopefully these will be informative and we use the Information Model as the source for the vocabularies, if they exist.
*Action Item for the team: please review the use cases posted on the Security & Privacy Ontology wiki site.  Come prepared to provide your input as to which use cases in scope and out of scope so that we can take a vote on this during an up coming meeting.
+
*Pat: That explanation clarifies it.
 +
*We don’t have a specific goal at this point, for example to cover every concept in the information model. But the definition of the use cases should establish when we’re done (relatively speaking). 
 +
*Steve: The first [http://wiki.hl7.org/index.php?title=Security_and_Privacy_Ontology#Use_Cases five use cases] on the wiki were written with the idea that they would be used by an ADF.   
 +
**We create an ontology of actions, an ontology of objects, an ontology of roles that would be used by the access control system to make access control decisions.  **After having written those first five use cases, I realize I may have been jumping the gun by assuming these ontologies would be used ''inside'' the access control system.  There are obviously other places where ontologies could be used as well.   
 +
**That’s why I went back to write these final two use cases so as to set the operating framework.  I realize this may be confusing
 +
**I think there is another situation that Mike referred to last week, where the ontologies are used to write policy.  I haven't yet incorporated a use case for that purpose here, but this is one that could be valuable.
 +
*Richard: This seems to me to be the most important use case - covering the kinds of choices people want to make.  
 +
*Don: The [http://gforge.hl7.org/gf/download/docmanfileversion/5530/7043/HL7ProjectScopeStatementv2010MarSecurityandPrivacyOntology20100320JMD.doc project scope statement] indicates that is the first item to be covered by the ontology.
 +
*Mike: I agree, we need create use cases to express the policy in addition to fleshing out the use cases to enforce the policy.
 +
*John:  In what way is this ontology similar or different than the Harmonized Security DAM, and why are we not starting with the same use cases?   
 +
*Mike:  That’s a good point.  We should be using use cases that are derived from the RBAC work and the Security DAM work.   
 +
**I’m viewing the use cases that Steve is presenting here more from setting the work areas that we’re interested in.   
 +
**We have one to cover the notion of an ontology as the means for performing the access control decision function.   
 +
**We also need one that provides an ontology that would be useful for describing privacy policy.   
 +
**We want to take things from the Information Model that would be useful for policy purposes and put those concepts into an ontological framework.   
 +
**For example, a use case describing the creation of a consent directive.
 +
*Steve:  I assumed that the use cases for the Harmonized Security & Privacy DAM are included in this analysis.  The intent of these addition use cases is to extend those use cases.   
 +
**Last week when I discussed the multiple role value use case, it was brought up that this functionality is already expressed in the harmonized DAM.  I haven't validated this, but if it is true, I agree, that use case would be superfluous.   
 +
**There is no intent to duplicate use cases that are already included in the DAM.   
 +
----
 +
The Ontology project discussion continued in the following CBCC WG hour. A number of issues discussed in this hour were elaborated upon and provide additional commentary on the scope of the project.
 +
----
  
 
Meeting was adjourned at 2:00 PM EDT
 
Meeting was adjourned at 2:00 PM EDT
  
Ontology project discussion continued during the following CBCC WG hour
+
 
  
  
 
[[Security|Back to Security Main Page]]
 
[[Security|Back to Security Main Page]]

Latest revision as of 13:55, 17 May 2010

Security Working Group Meeting

Back to Security Main Page

Attendees

Agenda

  1. (05 min) Roll Call, Approve minutes 4 May 2010, Call for additional agenda items & Accept Agenda
  2. (55 min) Security and Privacy Ontology Project
  • New Use Case Review and Acceptance

Minutes

1. Action Items

  • Team: please review the use cases posted on the Security & Privacy Ontology wiki site. Come prepared to provide your input as to which use cases in scope and out of scope so that we can take a vote on this during an up coming meeting.

2. Resolutions - none

3. Updates/Discussion

Rio Working Group Meeting Announcement

  • Ballot reconciliation will commence at the Rio WGM – Tues Q3, starting at 12:45 PM EDT.
    • A GoToMeeting Link has been established for those who wish to dial in:
  1. Please join my meeting.
  2. Join the conference call:
    • Meeting ID: 803-352-145

Security and Privacy Ontology Project


The focus of today's discussion was on the purpose of use cases in the process of defining an ontology for Security & Privacy


Steve reviewed two additional use cases posted to the S&P Ontology project wiki. These use cases are based on ISO 10181-3 - Security frameworks for open systems: Access control framework

  • Use Case #1: Enable Design of Access Control System
  • Use Case #2: Facilitate an Automated Decision Function
  • ISO 10181 refers to a process that states a Security Policy is written in natural language and it uses broad terminology to express. It goes through a process in which a Security Domain Administrator (SDA) takes the policy and interprets that policy into rules that are then entered into an access control system.
  • Use case #1 is a manual process – an SDA takes the security policy and converts it into rules that can be entered into the access control decision function.
    • The use case is designed to illustrate how an ontology would be used by that security administrator to assist in that activity.
    • There is an assumption that the SDA is not a clinical documents subject matter expert so the purpose is to provide a categorization scheme that is aligned with the security policy so the administrator can
  1. easily find the object(s) they are interested in so they can
  2. (manually) apply the appropriate security rules to that to be entered into the access control system.
    • The purpose of this use case is to enable the manual process of finding the objects. It is not meant to imply that the categorization scheme is entered into the Access Control Decision function.
    • The Basic Scenario – the objects are divided into two categories: clinical documents and administrative objects. The security policy is very simple. It distinguishes between clinical and administrative objects.
    • The alternative scenario: the only an alphabetical categorization is used. That provides a base level, minimum requirement. We assume that the list of objects (say, 1000 objects), browsing through that list is difficult by categorizing them alphabetically; yet it fulfills the requirements by decreasing the size of the list (alphabetically), and aids the administrator to find the object, but it does not provide any information that are the security requirements for the object. This is applied by the security administrator.
      • The alternative scenario is probably the least disruptive because everyone can agree on an alphabetical scheme, but it does not provide information regarding the security value of those objects.
      • The value of use case #1 is to decrease the size of the list of objects to aide the SDA to discover the objects.

Buid-time versus Run-time use cases


  • Last week, Tony described two different kinds of use cases: build-time versus run-time. Enable Design of Access Control System is an example of a build-time use case; the second, Facilitate an Automated Decision Function is an example of a run-time use case (operational mode).
  • Use case #2 does not use the terminology specified in ISO 10181, but for all intents and purposes, it is the access control decision function (ADF) which is referred to in ISO 10181.
  • After the targets and information requestors have been categorized and the rules applied to the ADF, this use case describes how the ADF responds when an information request is received by the system.
    • Basic Scenario: An MD makes a request to see a patient’s clinical data, and the ADF evaluates that against the rules already populated in the system. Does the request conform to a rule or not? If yes, access is permitted,
    • Alternative Scenario, request does not conform to the rules and access is denied.
  • Although these use cases are simplistic, the point is that the use cases are supposed to describe what the ontology is expected to provide.
  • The two use cases describe functions and how the use cases are going to be used by the system.
  1. Use Case #1 – the minimum requirement – simply used by the SDA to set up the access control system.
  2. Use case #2 – the ontology becomes part of the ADF. The rules in the ADF rely on the ontology to make a decision.
  • Pat: Is the expectation that the ADF goes out to an ontology service or a terminology service to evaluate the rules? I have a hard time understanding real-time reliance on an ontology other than in a very abstract way.
  • Mike: Reiterated the work that OASIS is currently undertaking – where they are investigating the use of an ontology to extend XACML. There is a proposal to create an ontology decision point as part of the XAML specification. Turns out various produces in this space already implement ontologies as their internal structure. But these are proprietary, not standard-based. These are used to more efficiently process rules and are offered as a competitive advantage. Providing a health care ontology facilitates the industry’s efforts to do this.

Discussion about the purpose for the use cases as well as the purpose for the Security & Privacy Ontology Project


  • Pat: But how do these use cases help us to build an ontology and to know when we’re done, or that we’ve met a particular business requirement?
    • I would think that how we use the ontology downstream (the OASIS work for instance) is out of scope for our project.
    • How do these use cases drive the content of the ontology? If that isn't the intent of these use cases, I don't understand.
  • Steve: The intent for the use cases is to build the ontolog(ies). What is sufficient for the ontology? Is an alphabetical categorization sufficient? Or on the other end of the spectrum, what is sufficient for an ontology that would be used in an ADF so we can establish rules that would be part of the ADF?
  • Rob Horn: My understanding is that the ontology would not be part of the ADF. I thought the use of the use cases would be to be sure that with the ontology we can say the statement that need to be said.
    • In the use case, you need to make statements such as Dr. Bob makes a request to read Sam’s encounter data. Can I say that using the terms and relationships of the ontology?
  • Mike: Take the OASIS example, the XACML committee produces an architecture and a way of expressing security policy.
    • XACML architecture has mechanical components like a Policy Information Point (PIP) that stores policy attributes. Different business domains provide the vocabulary that are the attributes that go into a PIP.
    • This ontology will provide a hierarchy of health care specific information that an engine would use – it is the gas for the engine.
    • This use case is describing how an ontology would benefit the Policy Decision Point (PDP), the components of a 10183-3 ISO solution, and provides an instance of that.
    • But in terms of what we’ve done so far, we've not specified anything about conformance.
    • We've started with flat terms, now we're attempting put an ontology in place to describe relationships between the terms.
  • Rob Horn: How do you know the ontology work is finished? I thought that when we’re able to express the things that are happening in the use case using the ontology, then we’re finished.
  • Pat: I understand that we want to use an ontology to make access control decisions. I just didn’t think that was the work of this project. That’s the OASIS work.
    • How do we make sure our ontology is correct, that those concepts and terms and relationships are correct? I assumed that we would create use cases to collect the concepts, terms and relationships and from those use cases, make sure there is an equivalent in the ontology.
    • I didn't think that we were identifying use cases that say, this is how we’re going to use the ontology.
  • Mike: It sounds like we’re re-inventing the wheel from your description. I think Steve’s use case is raising things up a level. It is providing a framework. Bu I don’t think we need to go back to raw use case development to define the terms. We have an information model. In terms of an access control system we know all the components.

Security & Privacy Ontology Scope Statement


  • Pat disagreed. The initial concept for the ontology was based on the fact that when we started to harmonize the Privacy DAM with the Security DAM we thought we would end up with impedance mismatch. Disclosure, for instance, is a Privacy term. What does it mean from a Security perspective?
    • We don’t have a mapping for that. I thought the ontology was supposed to correct the impedance mismatch between the domain analysis models as opposed to how the ontology would be used once it’s finished.
  • Steve: The project scope statement specified that we would focus on access control in the near term.
  • Mike: I don’t think the scope statement specified that the purpose was to reconcile Privacy and Security. That may be something that happens, but the scope statement says that we will create an ontology useful for systems making access control decisions. We have a vocabulary through the HL7 Permission Catalog supporting RBAC. We discussed using the Permission Catalog to get started as we create this ontology.
  • Pat: The impression I has was that we were going to start there, but that is not where we were going to end.
    • From this discussion, it sounds like it is access control based on RBAC and the Permission Catalog and that's the end of the story. I could be getting the wrong impression...
  • Mike: The use cases Steve presents are use cases for access control - an investigation into the vocabularies and the creation of an ontology for those use cases?
    • That high-level use case is a way of bounding a problem view. This helps us to determine when we’re done.
    • By working through real-world use cases, we can go back to our Information Model (IM) and apply the IM to one of these use cases.
    • The use cases are the things that we’re interested in doing and the scope is whatever is in the use cases. Hopefully these will be informative and we use the Information Model as the source for the vocabularies, if they exist.
  • Pat: That explanation clarifies it.
  • We don’t have a specific goal at this point, for example to cover every concept in the information model. But the definition of the use cases should establish when we’re done (relatively speaking).
  • Steve: The first five use cases on the wiki were written with the idea that they would be used by an ADF.
    • We create an ontology of actions, an ontology of objects, an ontology of roles that would be used by the access control system to make access control decisions. **After having written those first five use cases, I realize I may have been jumping the gun by assuming these ontologies would be used inside the access control system. There are obviously other places where ontologies could be used as well.
    • That’s why I went back to write these final two use cases so as to set the operating framework. I realize this may be confusing.
    • I think there is another situation that Mike referred to last week, where the ontologies are used to write policy. I haven't yet incorporated a use case for that purpose here, but this is one that could be valuable.
  • Richard: This seems to me to be the most important use case - covering the kinds of choices people want to make.
  • Don: The project scope statement indicates that is the first item to be covered by the ontology.
  • Mike: I agree, we need create use cases to express the policy in addition to fleshing out the use cases to enforce the policy.
  • John: In what way is this ontology similar or different than the Harmonized Security DAM, and why are we not starting with the same use cases?
  • Mike: That’s a good point. We should be using use cases that are derived from the RBAC work and the Security DAM work.
    • I’m viewing the use cases that Steve is presenting here more from setting the work areas that we’re interested in.
    • We have one to cover the notion of an ontology as the means for performing the access control decision function.
    • We also need one that provides an ontology that would be useful for describing privacy policy.
    • We want to take things from the Information Model that would be useful for policy purposes and put those concepts into an ontological framework.
    • For example, a use case describing the creation of a consent directive.
  • Steve: I assumed that the use cases for the Harmonized Security & Privacy DAM are included in this analysis. The intent of these addition use cases is to extend those use cases.
    • Last week when I discussed the multiple role value use case, it was brought up that this functionality is already expressed in the harmonized DAM. I haven't validated this, but if it is true, I agree, that use case would be superfluous.
    • There is no intent to duplicate use cases that are already included in the DAM.

The Ontology project discussion continued in the following CBCC WG hour. A number of issues discussed in this hour were elaborated upon and provide additional commentary on the scope of the project.


Meeting was adjourned at 2:00 PM EDT



Back to Security Main Page