Author: anil.saldhana(a)jboss.com
Date: 2009-08-25 12:46:03 -0400 (Tue, 25 Aug 2009)
New Revision: 738
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/META-INF/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-01-top-level.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02a-CDA.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02b-N.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02c-N-PermCollections.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02d-prog-note.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02e-MA.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02f-emergency.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-04-N-PPS-PRD-004.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/himss-policy.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policyConfig.xml
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/web.xml
Removed:
identity-federation/trunk/jboss-identity-webapps/pdp/resources/
Modified:
identity-federation/trunk/jboss-identity-webapps/idp/pom.xml
identity-federation/trunk/jboss-identity-webapps/pdp/pom.xml
identity-federation/trunk/jboss-identity-webapps/sales-sig/pom.xml
Log:
fix the webapps resources
Modified: identity-federation/trunk/jboss-identity-webapps/idp/pom.xml
===================================================================
--- identity-federation/trunk/jboss-identity-webapps/idp/pom.xml 2009-08-24 16:24:57 UTC
(rev 737)
+++ identity-federation/trunk/jboss-identity-webapps/idp/pom.xml 2009-08-25 16:46:03 UTC
(rev 738)
@@ -30,7 +30,6 @@
<version>2.0.2</version>
<configuration>
<warName>idp</warName>
- <webappDirectory>${basedir}/resources/</webappDirectory>
<warSourceExcludes>WEB-INF/lib/*.jar</warSourceExcludes>
</configuration>
</plugin>
Modified: identity-federation/trunk/jboss-identity-webapps/pdp/pom.xml
===================================================================
--- identity-federation/trunk/jboss-identity-webapps/pdp/pom.xml 2009-08-24 16:24:57 UTC
(rev 737)
+++ identity-federation/trunk/jboss-identity-webapps/pdp/pom.xml 2009-08-25 16:46:03 UTC
(rev 738)
@@ -30,7 +30,6 @@
<version>2.0.2</version>
<configuration>
<warName>pdp</warName>
- <webappDirectory>${basedir}/resources/</webappDirectory>
<warSourceExcludes>WEB-INF/lib/*.jar</warSourceExcludes>
</configuration>
</plugin>
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-01-top-level.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-01-top-level.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-01-top-level.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Top level policy set which combines the CDA and N confidentiality codes.
+ </Description>
+ <Target/>
+ <PolicySet
+
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:emergency"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target/>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:emergency</PolicySetIdReference>
+ </PolicySet>
+ <PolicySet
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:CDA"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >UBA</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <PolicySetIdReference
+ >urn:va:xacml:2.0:interop:rsa8:policysetid:CDA</PolicySetIdReference>
+ </PolicySet>
+ <PolicySet
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:MA"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >MA</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <PolicySetIdReference
+ >urn:va:xacml:2.0:interop:rsa8:policysetid:MA</PolicySetIdReference>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA:default-to-permit"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target/>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA"
+ Effect="Permit">
+ <Description>
+ If a Deny was obtained for object above then set Permit by default.
+ </Description>
+ </Rule>
+ </Policy>
+ </PolicySet>
+ <PolicySet
+
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:bus-rule"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId=
+ "urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note</PolicySetIdReference>
+ </PolicySet>
+ <PolicySet
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:toplevel:N"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+ <Target/>
+ <PolicySetIdReference
+ >urn:va:xacml:2.0:interop:rsa8:policysetid:N</PolicySetIdReference>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections</PolicySetIdReference>
+ </PolicySet>
+</PolicySet>
\ No newline at end of file
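Review bot: The `toplevel:MA` PolicySet (PolicySetId ending `:toplevel:MA`) combines the referenced `policysetid:MA` set with an unconditional `default-to-permit` policy under permit-overrides, so the referenced set can never change the decision — its only effect is to attach the radiology privacy-constraint obligation when that set itself returns Permit. Protection of MA-coded resources therefore rests entirely on the PEP discharging that obligation (XACML 2.0 requires a PEP to deny when it cannot discharge every obligation in the response), but nothing in this file records that dependency. Suggest adding to the `toplevel:MA` Description: `Decision is always Permit; protection of MA records relies on the PEP enforcing the privacy-constraint obligation returned by the MA policy set.` Since the root set is deny-overrides, a Deny from the bus-rule, CDA or emergency branches still wins, which is worth stating in the top-level Description as well.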
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02a-CDA.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02a-CDA.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02a-CDA.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:CDA"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for the UBA confidentiality code.
+ </Description>
+ <Target/>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:CDA"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target/>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:1"
+ Effect="Permit">
+ <Description>
+ If the access subject is NOT one of those users which consent has
+ been removed, then permit.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if hl7:dissented-subject-id NOT EQUAL TO subject:subject-id -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <!-- True if hl7:dissented-subject-id EQUAL TO subject:subject-id -->
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:CDA:2"
+ Effect="Deny">
+ <Description>
+ If a Permit was not obtained above then set Deny by default.
+ </Description>
+ </Rule>
+ <Obligations>
+ <!-- These obligations provide specific instructions to PEP in the response
-->
+ <!-- This obligation instructs the PEP to apply privacy constraints to
-->
+ <!-- user's responsibility for the data.
-->
+ <Obligation
+
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:privacy:constraint"
+ FulfillOn="Deny"/>
+ </Obligations>
+ </Policy>
+</PolicySet>
\ No newline at end of file
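Review bot: Rule `CDA:1` permits whenever `any-of` over `resource:hl7:dissented-subject-id` is false, and `any-of` over an empty bag is false, so a request in which the PIP fails to supply the dissent list at all is indistinguishable from "nobody dissented" and is permitted. If absence is not a legitimate encoding of an empty consent list, set `MustBePresent="true"` on the ResourceAttributeDesignator at the end of the condition; the rule then evaluates to Indeterminate and the unconditional Deny in `CDA:2` wins under permit-overrides, i.e. the policy fails closed. If absence is expected, state that assumption in the rule Description so it is visible to whoever maintains the PIP. The Description (`Policy set for the UBA confidentiality code`) names the code the top level selects this set by, while the file and ids say CDA — one line making that mapping explicit would help.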
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02b-N.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02b-N.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02b-N.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for evaluating the subject:role attributes.
+ This implements an RBAC policy. This policy set matches
+ subject roles and refers to permission policy sets.
+ </Description>
+ <Target/>
+ <PolicySet
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:physician"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:role:hl7:physician</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ </Target>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
+ </PolicySet>
+</PolicySet>
\ No newline at end of file
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02c-N-PermCollections.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02c-N-PermCollections.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02c-N-PermCollections.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PermCollections"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for evaluating the subject:hl7:permission attributes.
+ This implements an RBAC policy. This policy set matches
+ subject roles and refers to permission policy sets.
+ </Description>
+ <Target/>
+ <PolicySet
+
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
+ <Target/>
+ <PolicySet
+
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-0"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target/>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
+ </PolicySet>
+ <PolicySet
+
PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:med-rec-perm-set-1"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target>
+ <Subjects>
+ <Subject>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ <SubjectMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</AttributeValue>
+ <SubjectAttributeDesignator
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </SubjectMatch>
+ </Subject>
+ </Subjects>
+ </Target>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole</PolicySetIdReference>
+ </PolicySet>
+ </PolicySet>
+</PolicySet>
\ No newline at end of file
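Review bot: `med-rec-perm-set-0` has an empty `<Target/>` yet references `N:RPS:med-rec-vrole`, so every subject reaches the PRD-004 permission policy set through it regardless of role or permission, and because the enclosing `med-rec-perm-set` is permit-overrides the seven conjunctive `subject:hl7:permission` matches in `med-rec-perm-set-1` cannot restrict anything. Unless the referenced PRD-004 set carries its own subject checks (its rules are not visible in this commit), this collapses the permission layer to "anyone" on the N branch. If perm-set-0 is an intentional catch-all for the interop scenario, say so in a Description on it; otherwise give it a Target (presumably a SubjectMatch on the prd-004 permission value, by analogy with the prd-003…prd-017 values used in perm-set-1) or remove it. The set-level Description also says it "matches subject roles", copied from the N set, whereas the matches here are on permissions.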
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02d-prog-note.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02d-prog-note.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02d-prog-note.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:progress-note"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for the business rule for unsigned progress notes.
+ </Description>
+ <Target/>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:progress-note"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target/>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:sig"
+ Effect="Permit">
+ <Description>
+ If the progress-note is signed allow any user to see it. If not signed
+ then only author may see it.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if resource:hl7:progress-note:signed EQUAL TO True -->
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >True</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:signed"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:author"
+ Effect="Permit">
+ <Description>
+ If a Permit was not obtained then subject must be author.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if hl7:dissented-subject-id EQUAL TO subject:subject-id -->
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note:author-subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:progress-note:deny-sig"
+ Effect="Deny">
+ <Description>
+ If a Permit was not obtained above then set Deny by default.
+ </Description>
+ </Rule>
+ <Obligations>
+ <!-- These obligations provide specific instructions to PEP in the response
-->
+ <!-- This obligation informs the PEP access denied unsigned non-author
-->
+ <Obligation
+
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:deny:unsigned:non-author"
+ FulfillOn="Deny"/>
+ </Obligations>
+ </Policy>
+</PolicySet>
\ No newline at end of file
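Review bot: The signed check in rule `progress-note:sig` compares `hl7:progress-note:signed` as a string against the literal `True`, a case-sensitive match that silently fails if the attribute source emits the XML Schema lexical form `true` (or `1`); the failure mode is fail-closed (non-authors lose access to signed notes) but it is an invisible contract between this file and the PIP. Prefer typing the attribute as `http://www.w3.org/2001/XMLSchema#boolean` and comparing with `urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only` / `boolean-equal`, or at minimum document the expected spelling next to the AttributeValue. The comment above the author rule, `True if hl7:dissented-subject-id EQUAL TO subject:subject-id`, was carried over from the CDA set and is wrong here; it should read `True if subject:subject-id EQUAL TO ANYOF hl7:progress-note:author-subject-id`.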
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02e-MA.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02e-MA.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02e-MA.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:MA"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for the MA confidentiality code.
+ </Description>
+ <Target/>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:MA"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Target/>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:1"
+ Effect="Deny">
+ <Description>
+ If the access subject is NOT one of those users which consent has
+ been removed, then deny.
+ Note: there is reverse logic here because the Obligation that denies
+ access to the user for this object must be issued when the user has
+ obtained a Permit. So, the caller of this policy must know to reverse
+ sense as well.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if hl7:radiology:dissented-subject-id NOTEQUALTO subject:subject-id
-->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <!-- True if hl7:radiology:dissented-subject-id EQUALTO subject:subject-id
-->
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <ResourceAttributeDesignator
+ AttributeId=
+
"urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology:dissented-subject-id"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:MA:2"
+ Effect="Permit">
+ <Description>
+ If a Deny was not obtained above then set Permit by default.
+ </Description>
+ </Rule>
+ <Obligations>
+ <!-- These obligations provide specific instructions to PEP in the response
-->
+ <!-- This obligation instructs the PEP to apply privacy constraints to
-->
+ <!-- user's responsibility for the data.
-->
+ <Obligation
+ ObligationId=
+
"urn:va:xacml:2.0:interop:rsa8:obligation:ma:privacy:constraint:radiology"
+ FulfillOn="Permit"/>
+ </Obligations>
+ </Policy>
+</PolicySet>
\ No newline at end of file
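Review bot: Rule `MA:1` denies every subject who is not on the radiology dissent list, so evaluated on its own this policy set locks out all ordinary users and permits exactly those who withdrew consent; it is only meaningful when paired, as the top-level set does, with an unconditional Permit under permit-overrides so the Deny is discarded and only the `ma:privacy:constraint:radiology` obligation survives. The Description mentions "reverse logic" but not this invariant; suggest appending: `Must only be referenced from a permit-overrides PolicySet that also contains an unconditional Permit; referenced from a deny-overrides context it denies all non-dissented subjects.` Note also that because the top-level pairing masks every non-Permit outcome, a missing `radiology:dissented-subject-id` attribute (PIP failure) cannot fail closed here — `any-of` over the empty bag is false, the rule denies, the top level permits, and the obligation is simply lost — which is worth recording where the PIP contract is documented.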
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02f-emergency.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02f-emergency.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-02f-emergency.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:emergency"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set to allow emergency access for non-facility subjects.
+ Returns Deny if user not from supported facility AND does not have emergency perm
+ Returns Permit if not from supported facility AND not denied access
+ Returns NotApplicable if plain old user from supported facility
+ </Description>
+ <Target/>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:emergency"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Target/>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:deny"
+ Effect="Deny">
+ <Description>
+ If the subject is not from a supported facility AND
+. if the subject does not have emergency permission THEN Deny access.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
+ <!-- AND if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId=
+ "urn:oasis:names:tc:xacml:1.0:subject:locality"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <EnvironmentAttributeDesignator
+ AttributeId=
+ "urn:va:xacml:2.0:interop:rsa8:environment:locality"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ <!-- True if hl7:pea-001 NOT EQUAL TO ANYOF subject:hl7:permission -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:hl7:pea-001</AttributeValue>
+ <SubjectAttributeDesignator
+ AttributeId=
+ "urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:permit"
+ Effect="Permit">
+ <Description>
+ If a Deny was not obtained above AND subject not part of a supported
+ facility then subject must have emergency permission.
+ </Description>
+ <Target/>
+ <Condition>
+ <!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
+ <Function
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
+ <SubjectAttributeDesignator
+ AttributeId=
+ "urn:oasis:names:tc:xacml:1.0:subject:locality"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ <EnvironmentAttributeDesignator
+ AttributeId=
+ "urn:va:xacml:2.0:interop:rsa8:environment:locality"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <!-- These obligations provide specific instructions to PEP in the response
-->
+ <!-- This obligation informs the PEP user granted emergency access -->
+ <Obligation
+
ObligationId="urn:va:xacml:2.0:interop:rsa8:obligation:emergency:permit"
+ FulfillOn="Permit"/>
+ </Obligations>
+ </Policy>
+</PolicySet>
\ No newline at end of file
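Review bot: Rule `emergency:permit` grants access to any subject whose `subject:locality` is not in `environment:locality` without itself checking the `hl7:pea-001` permission; the grant is correct only because rule `emergency:deny` fires first under deny-overrides for subjects lacking that permission. Anyone reading the permit rule in isolation, or later switching this policy to permit-overrides or reordering the rules, sees an unconditional off-facility permit. Suggest conjoining the pea-001 check into the permit condition so each rule states its full criterion and the deny rule becomes an explicit fallback rather than a load-bearing one. The deny rule's Description also carries a stray leading `.` on its second line.
```xml
<Rule RuleId="urn:va:xacml:2.0:interop:rsa8:rule:emergency:permit" Effect="Permit">
  <!-- … unchanged: Description, Target … -->
  <Condition>
    <!-- True if subject:locality NOT EQUAL TO ANYOF environment:locality -->
    <!-- AND hl7:pea-001 EQUAL TO ANYOF subject:hl7:permission -->
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <!-- … unchanged: not(any-of(string-equal, string-one-and-only(subject:locality), environment:locality)) … -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:va:xacml:2.0:interop:rsa8:hl7:pea-001</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
```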
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-03-N-RPS-virt-med-rec-role.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId=
+ "urn:va:xacml:2.0:interop:rsa8:policysetid:N:RPS:med-rec-vrole"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set that points to the Permission PolicySet for medical record
+ resources and actions.
+ </Description>
+ <Target/>
+ <PolicySetIdReference
+
>urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004</PolicySetIdReference>
+</PolicySet>
\ No newline at end of file
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-04-N-PPS-PRD-004.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-04-N-PPS-PRD-004.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/XacmlPolicySet-04-N-PPS-PRD-004.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<PolicySet
+ xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
+
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:va:xacml:2.0:interop:rsa8:policysetid:N:PPS:PRD-004"
+ PolicyCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>
+ Policy set for the PRD-004 permission. This permission allows
+ access to all medical records.
+ </Description>
+ <Target/>
+ <Policy
+ PolicyId="urn:va:xacml:2.0:interop:rsa8:policyid:N:PPS:PRD-004:1"
+ RuleCombiningAlgId=
+
"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:demographics</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+ >urn:va:xacml:2.0:interop:rsa8:resource:hl7:chart</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:problemlist</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:procedures</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:laboratory</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:radiology</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medications</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:vitals</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:progress-note</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ <Resource>
+ <ResourceMatch
+ MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
>urn:va:xacml:2.0:interop:rsa8:resource:hl7:patientsearch</AttributeValue>
+ <ResourceAttributeDesignator
+ AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
+
DataType="http://www.w3.org/2001/XMLSchema#string"/>
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:policy:N:PPS:PRD-004:1:rule:1"
+ Effect="Permit">
+ <Condition>
+
+ <!-- Returns true iff the first argument is a subset of the second argument
-->
+ <!-- i.e. the permissions required by the resource must be a
-->
+ <!-- subset of the permissions supplied by the subject
-->
+
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+
+ <!-- 1st argument: returns the values of all Attributes with
-->
+ <!--
DataType="http://www.w3.org/2001/XMLSchema#string" and
-->
+ <!--
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission" -->
+ <ResourceAttributeDesignator
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"/>
+
+ <!-- 2nd argument: returns the values of all Attributes with
-->
+ <!--
DataType="http://www.w3.org/2001/XMLSchema#string" and
-->
+ <!--
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission" -->
+ <SubjectAttributeDesignator
+
DataType="http://www.w3.org/2001/XMLSchema#string"
+
AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"/>
+
+ </Apply>
+ </Condition>
+ </Rule>
+ <Rule
+ RuleId="urn:va:xacml:2.0:interop:rsa8:rule:N:PPS:PRD-004:1:rule:2"
+ Effect="Deny">
+ <Description>
+ If a Permit was not obtained above then set Deny by default.
+ </Description>
+ </Rule>
+ </Policy>
+</PolicySet>
\ No newline at end of file
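Review bot: The Permit rule's condition at L1069-L1098 is `string-subset(resource:hl7:permission, subject:hl7:permission)`, and when a request carries no `urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission` attribute the designator yields an empty bag (MustBePresent defaults to false), the empty bag is trivially a subset of anything, and the rule permits any subject for every resource type listed in the Target; under the policy's permit-overrides rule combining that Permit beats the default-Deny rule. This is exactly the case himss-policy.xml in the same commit guards with a `string-bag-size … integer-equal 0` test around its own subset checks, so I would wrap this condition in an `and` with the same guard, as below, or at minimum set `MustBePresent="true"` on the ResourceAttributeDesignator so a missing attribute becomes Indeterminate instead of Permit. Minor style point: the two RuleIds use different prefixes (`…:rsa8:policy:N:PPS:…` at L1058 vs `…:rsa8:rule:N:PPS:…` at L1102); pick one.
```xml
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
          <!-- Guard: an absent/empty required-permission bag must not read as "no permission needed" -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
              <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
                <ResourceAttributeDesignator
                    DataType="http://www.w3.org/2001/XMLSchema#string"
                    AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"/>
              </Apply>
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
            </Apply>
          </Apply>
          <!-- … unchanged: the existing string-subset Apply comparing resource and subject hl7:permission bags … -->
        </Apply>
      </Condition>
```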
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/himss-policy.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/himss-policy.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policies/himss-policy.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,601 @@
+<?xml version="1.0" encoding="utf-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-o...
+ PolicySetId="urn:oasis:names:tc:xspa:1.0"
+
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target />
+ <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:org"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>Contains all organizational policies which are evaluated on all
requests.</Description>
+ <Target />
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ a resource and is not a member of the allowed organizations.
+ </Description>
+ <Target />
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny"
Effect="Deny">
+ <Description>Evaluates the allowed-organizations (if available) against the
subject's locality.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperations"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ the resource outside of the alloted time.
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny"
Effect="Deny">
+ <Description>Evaluates the environment time against the hours of operation
start and end.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <EnvironmentAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start"
DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <EnvironmentAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end"
DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.STRUCTURED-ROLE NOT IN ORG.REQUIRED-ROLES -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:required:roles"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ a resource and they are not a member of the required role(s).
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:required:roles:deny"
Effect="Deny">
+ <Description>Evaluates the organization roles (if available) against the
subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <!-- MAY NEED TO SWITCH ~~ Is this a one to many relationship? Are
all roles required or does the subject just need to be included? -->
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.PERMISSIONS NOT IN ORG.RESOURCE.PERMISSIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org.resource.permissions"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject does not have adequate
+ permissions to access the resource.
+ </Description>
+ <Target />
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:org:resource.permissions:deny"
Effect="Deny">
+ <Description>Evaluates the required permissions (if available) against the
subject's permissions.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org.catch-all"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Description></Description>
+ <Target />
+ <Rule RuleId="" Effect="Permit"></Rule>
+ </Policy>
+ </PolicySet>
+
+ <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:patient"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>These policies are patient consent directives and are invoked on
medical-record requests.</Description>
+ <Target />
+
+ <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN
PATIENT.MA.DISSENTING-ROLES) -->
+ <!-- PROBLEMS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for problems from the subject if the NPI is not permitted by
the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-roles for problems (if available)
against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- MEDICATIONS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for medications from the subject if the NPI is not permitted
by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-roles for medications (if available)
against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- ALERTS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request alerts from the subject if the NPI is not permitted by the
patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-roles for alerts (if available)
against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- IMMUNIZATIONS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for immunizations from the subject if the NPI is not permitted
by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-roles for immunizations (if
available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN
PATIENT.MA.DISSENTING-ROLES) -->
+ <!-- PROBLEMS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for problems from the subject if the NPI is not permitted by
the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for problems (if
available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- MEDICATIONS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for medications from the subject if the NPI is not permitted
by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for medications (if
available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- ALERTS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for alerts from the subject if the NPI is not permitted by the
patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for alerts (if
available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- IMMUNIZATIONS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for immunizations from the subject if the NPI is not permitted
by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids:permit"
Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for immunizations
(if available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation
ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id"
FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- SUBJECT.LOCALITY NOT IN PATIENT.ALLOWED-ORGANIZATIONS -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if their locality is not permitted by the
patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations:deny"
Effect="Deny">
+ <Description>Evaluates the allowed-organizations (if available) against the
subject's locality.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.ROLE IN PATIENT.DISSENTING-ROLES -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if their role is not permitted by the
patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny"
Effect="Deny">
+ <Description>Evaluates the dissenting-role (if available) against the
subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.ID IN PATIENT.DISSENTING-ID -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-ids"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target />
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:deny"
Effect="Deny">
+ <Description>Evaluates the dissenting-subject-id (if available) against the
subject's NPI.</Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#integer">0</At...
+ </Apply>
+ </Apply>
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- CONFIDENTIALITY -->
+ <Policy
PolicyId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-codes"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if the confidentiality code is set to
"Sensitive". This policy
+ is acting as the "Catch-All".
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule
RuleId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code:deny"
Effect="Deny">
+ <Description>Evaluates the HL7 confidentiality-code.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">S</Att...
+ <ResourceAttributeDesignator
AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code"
DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ </PolicySet>
+</PolicySet>
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policyConfig.xml
===================================================================
---
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policyConfig.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/classes/policyConfig.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,11 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:PolicySet>
+ <ns:Location>policies/himss-policy.xml</ns:Location>
+ </ns:PolicySet>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator
Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
Added:
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/web.xml
===================================================================
--- identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/web.xml
(rev 0)
+++
identity-federation/trunk/jboss-identity-webapps/pdp/src/main/webapp/WEB-INF/web.xml 2009-08-25
16:46:03 UTC (rev 738)
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app
xmlns="http://java.sun.com/xml/ns/javaee"
+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+ version="2.5">
+
+ <display-name>PDP Endpoint</display-name>
+ <description>
+ XACML PDP Web Application for the JBoss Identity project
+ </description>
+
+ <context-param>
+ <param-name>debug</param-name>
+ <param-value>false</param-value>
+ </context-param>
+ <servlet>
+ <servlet-name>SOAPServlet</servlet-name>
+
<servlet-class>org.jboss.identity.federation.bindings.servlets.SOAPSAMLXACMLServlet</servlet-class>
+ <!-- Issuer is the string used in the issuer of saml
messages/assertions/statements-->
+ <init-param>
+ <param-name>issuer</param-name>
+ <param-value>redhatPdpEntity</param-value>
+ </init-param>
+ <init-param>
+ <param-name>debug</param-name>
+ <param-value>true</param-value>
+ </init-param>
+ </servlet>
+ <servlet-mapping>
+ <servlet-name>SOAPServlet</servlet-name>
+ <url-pattern>/SOAPServlet</url-pattern>
+ </servlet-mapping>
+</web-app>
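Review bot: The servlet's `debug` init-param is set to `true` while the context-param of the same name a few lines above is `false`; the two disagree, and a debug mode on a SOAP/SAML/XACML endpoint for the HIMSS policy set presumably traces request and response payloads, which here carry patient resource attributes (NPI, masked-record flags), so the servlet value should be `<param-value>false</param-value>` with debug enabled only per deployment. The `/SOAPServlet` mapping also has no `<security-constraint>`, so as written the PDP endpoint is reachable without authentication and without a `CONFIDENTIAL` transport guarantee unless the container enforces that elsewhere; at minimum TLS should be required for the URL pattern, and the caller (the PEP) should be authenticated through a role or a front-end filter. The hard-coded `issuer` value `redhatPdpEntity` would be better sourced from deployment configuration, since relying parties presumably validate SAML issuer against this string.
```xml
    <init-param>
      <param-name>debug</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <!-- … unchanged: servlet-mapping … -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PDP SOAP endpoint</web-resource-name>
      <url-pattern>/SOAPServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
```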
Modified: identity-federation/trunk/jboss-identity-webapps/sales-sig/pom.xml
===================================================================
--- identity-federation/trunk/jboss-identity-webapps/sales-sig/pom.xml 2009-08-24 16:24:57
UTC (rev 737)
+++ identity-federation/trunk/jboss-identity-webapps/sales-sig/pom.xml 2009-08-25 16:46:03
UTC (rev 738)
@@ -30,7 +30,6 @@
<version>2.0.2</version>
<configuration>
<warName>sales-sig</warName>
- <webappDirectory>${basedir}/resources/</webappDirectory>
<warSourceExcludes>WEB-INF/lib/*.jar</warSourceExcludes>
</configuration>
</plugin>