
Difference between revisions of "February 8, 2011 Security Conference Call"

From HL7Wiki

Revision as of 16:59, 15 February 2011

Security Working Group Meeting

Back to Security Main Page



Attendees


Agenda

  1. (05 min) Roll Call, Approve Minutes & Accept Agenda
  2. (15 min) Responses to DMAG-UPC HL7 Comments2.docx Jaime Delgado, Tony Weida
  3. (15 min) Demonstration of recent updates to the Security-Privacy ontology Tony Weida
  4. (15 min) Ontology - Discussion of next steps Tony Weida, Mike Davis
  5. (05 min) Other Business

Discussion notes are below. Links to documents referenced are as follows:

DMAG UPC HL7 Comments (http://gforge.hl7.org/gf/download/docmanfileversion/6159/8051/DMAG-UPCHL7Comments2discussed2011Feb08mtg.docx)

Comments2 responses from Tony (http://gforge.hl7.org/gf/download/docmanfileversion/6158/8050/DMAG-UPCHL7Comments2withresponsesfromTWeida.docx)

DMAG Contribution to HL7 Security and Privacy Ontology (http://gforge.hl7.org/gf/download/docmanfileversion/6115/7983/DMAGContributiontoHL7SPOntologydiscussed2011Jan18mtg.pdf), discussed at the 2011 Jan 18 meeting

Jaime – If you are convinced that this is the right solution then we are okay with this.

Tony – This is my personal opinion; if the group wishes to go in a different direction we will go with that.

Number 2. On the class restrictions to model assignment of users to roles

Relates Nurse Nightingale to nurse roles. The description of … part of the description is the fact (not sure if this is mine or Jaime's) … the point is there is a class restriction on the role: there is some NP functional role which is being assigned without naming it specifically, whereas when we assign the user as part of the assignment we give a name (Nurse Nightingale). This goes back to a discussion from a previous role. The position of Spain was that we were to include more individuals in the examples in order to instantiate more of the examples, in this case in terms of OWL representation. In the end I agree to add the individual; object property restrictions have local implication for object property assertions. If I'm understanding this, turning to a specific example: when we define this assignment we give it a logical restriction, a so-called "some" restriction: "assignsRole some NursePractitionerFunctionalRole". That instance of NursePractitionerRole, even if we don't create the practitioner, the reasoner knows the practitioner is there; it is referred to in OWL as an anonymous individual. It's not that there isn't an individual; where it was previously represented it was anonymous because we hadn't assigned it a "name" (it wasn't as clear as it could've been, particularly for those not used to the subtleties of using OWL, i.e. people who read the ballot); having exclusively named individuals may help them to understand better. Furthermore there are other advantages in naming individuals, as we can take advantage of rules; rule languages have limitations of their own and work better when they have named individuals.

Jaime – I understand you are going to provide more examples for this? It will be a big help to have written direction on the assigned position so that we can further discuss this.

Tony – This will certainly involve presenting the example (text) for readers (for future consideration of the ballot). Should we consider modeling the ontology for a while and for long; should we be writing a document for readers; we can develop the document in parallel.

Jaime – Working during the development would be better; I think this would be the best way. When you need to change the documentation during the implementation, that would be very useful.

Tony – We can do this sooner, and periodically we can add the examples where the readers can see and …

The 3rd section was about clarification on whether the assignment of user to role in MVCO would correspond to role in our ontology in RBAC. Collective and role are different ideas; role would definitely be the best choice for corresponding to role.

Section 4 – Being able to model the activation/deactivation of a role (important in RBAC); introduce a concept of "session": there is a Session class (there has always been this in the ontology).

Jaime – How is this discussed in the assignment? It does not seem to be related to the assignment, or maybe the examples are incomplete.

Tony – There may have not been an instance of …

Turning to some of the examples: this is the Protégé representation of the demo local security ontology, DemoLocalSecurityAndPrivacy (http://www.apelong.com/ontologies/DemoLocalSecurityAndPrivacy.owl).

the activations (which are tied directly to the session) in this representation

Slideshow: this captures much of the hierarchy; this helps me see how the classes fit together. Just as a reminder: there are organizations that have policies that have role sets and user assignment sets, which connect user identities; a user can participate in a session; as part of being in that session they can have an activation in a security role or multiple security roles, and as time goes on they can perform an access on a certain object; that access can only be allowed …. (5:35)

From presentation slides: some of the individuals would be persistent ….

Hospital has an individual constraint catalog and individual role sets.

What Tony is highlighting is an individual role, appending the suffix 'Singleton': I'm only intending to create one instance of this role; a modeling decision. When modeling for the hospital, I am only creating one instance of 'AllopathFunctionalRoleSingleton'; when activating the role they will activate the same instance of the role. It does have a connection to AllopathFunctionalRole as well as …

Per Russ Hamm – There is no… penalty to have more than one informational ballot in succession; this allows us to get feedback, which we will continue unless HL7 would object. The naming conventions that we've chosen, etc. We could get early feedback for the ontology before we flesh out the privacy portion of the ontology.
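The structure sketched on the slides (an organization's policy holds a role set and a user assignment set; a user participates in a session; roles are activated inside that session; an access is allowed only through an activated role) and the "singleton" role decision (one instance per role, so every activation points at the same role individual) are rendered below as plain Python objects. This is an added example by the editor, not code from the HL7 ontology or the Protégé demo, and the class, property, role and permission names are assumptions that merely echo names mentioned on the call rather than the ontology's actual IRIs.

```python
# Added example (editor's illustration, not the HL7 Security-Privacy ontology or
# the Protégé demo). It renders the RBAC structure sketched on the call as plain
# Python objects: a policy with a role set and a user-assignment set, sessions in
# which roles are activated, and an access check that only consults activated
# roles. Every name below (Policy, Session, AllopathFunctionalRole, ...) is an
# assumption echoing the call, not an identifier from the ontology.
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """An (operation, object) pair a role may exercise, e.g. ("read", "ClinicalRecord")."""
    operation: str
    target: str


class SecurityRole:
    """A role individual. The policy creates exactly one instance per role name
    (the 'singleton' modelling decision), so every activation points at the same object."""

    def __init__(self, name, permissions):
        self.name = name
        self.permissions = frozenset(permissions)

    def __repr__(self):
        return f"SecurityRole({self.name!r})"


class Policy:
    """Role set plus user-assignment set for one organization (the hospital)."""

    def __init__(self):
        self.roles = {}           # role set: name -> the single SecurityRole instance
        self.assignments = set()  # user-assignment set: (user, role name) pairs

    def add_role(self, name, permissions):
        if name in self.roles:
            raise ValueError(f"role {name} already defined; roles are singletons")
        self.roles[name] = SecurityRole(name, permissions)
        return self.roles[name]

    def assign(self, user, role_name):
        if role_name not in self.roles:
            raise KeyError(role_name)
        self.assignments.add((user, role_name))

    def open_session(self, user):
        return Session(user, self)


class Session:
    """A user's session. Activation binds a role instance to the session; access is
    allowed only through a currently activated role, and deactivation revokes it."""

    def __init__(self, user, policy):
        self.user = user
        self.policy = policy
        self.active = {}  # role name -> SecurityRole instance activated in this session

    def activate(self, role_name):
        # Activation is only possible for roles in the user's assignment set.
        if (self.user, role_name) not in self.policy.assignments:
            raise PermissionError(f"{self.user} is not assigned {role_name}")
        self.active[role_name] = self.policy.roles[role_name]
        return self.active[role_name]

    def deactivate(self, role_name):
        self.active.pop(role_name, None)

    def can_access(self, operation, target):
        wanted = Permission(operation, target)
        return any(wanted in role.permissions for role in self.active.values())


def build_hospital_policy():
    """Constructed sample data echoing the call: two functional roles, one assignment."""
    policy = Policy()
    policy.add_role("AllopathFunctionalRole",
                    {Permission("read", "ClinicalRecord"), Permission("write", "Order")})
    policy.add_role("NursePractitionerFunctionalRole",
                    {Permission("read", "ClinicalRecord")})
    policy.assign("NurseNightingale", "NursePractitionerFunctionalRole")
    return policy


def walkthrough():
    """Runs the activation/deactivation lifecycle and returns the observed outcomes."""
    policy = build_hospital_policy()
    s1 = policy.open_session("NurseNightingale")
    s2 = policy.open_session("NurseNightingale")
    out = {}
    out["before_activation"] = s1.can_access("read", "ClinicalRecord")
    r1 = s1.activate("NursePractitionerFunctionalRole")
    r2 = s2.activate("NursePractitionerFunctionalRole")
    out["same_role_instance"] = r1 is r2      # both sessions activate the singleton
    out["after_activation"] = s1.can_access("read", "ClinicalRecord")
    out["no_write_order"] = s1.can_access("write", "Order")
    try:
        s1.activate("AllopathFunctionalRole")  # not in the assignment set
        out["unassigned_activation"] = "allowed"
    except PermissionError:
        out["unassigned_activation"] = "denied"
    s1.deactivate("NursePractitionerFunctionalRole")
    out["after_deactivation"] = s1.can_access("read", "ClinicalRecord")
    out["other_session_unaffected"] = s2.can_access("read", "ClinicalRecord")
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point the walkthrough makes is the one raised under Section 4: assignment alone grants nothing, access flows only from an activation that lives in a session, and ending the activation in one session leaves other sessions' activations of the same singleton role untouched.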


Action Items
