
How have folks used an approach when running reports or even just selecting multiple records from a DB?

For instance, if you have a policy that states:

Doctors can only view patients in their hospital

Obviously the efficient way to implement this is to include a filter in your query (where hospital = XXX), but this seems to break with the principle of ABAC as it bakes the rule into the SQL itself.

I know Axiomatics offers a reverse query mechanism that apparently generates filters for you based on rules, but my system has a lot of complex SQL that would have to be refactored quite a bit to work with this.

How have other folks handled this problem?

David Brossard
jbd

1 Answer


There are essentially three ways to address this:

  1. Via a reverse query mechanism as you alluded to. This is indeed only supported by Axiomatics at the moment. The idea behind a reverse query is that instead of specifying a full-blown question e.g. "Can Alice view document #123?", you can specify an open-ended question e.g. "Which documents can Alice view?".
  2. Via the Multiple Decision Profile of XACML 3.0 which allows you to ask multiple questions in one go e.g. "Can Alice view Doc #1, #2, #3?". The MDP is practical for hundreds of items at most. You could combine it with a pagination strategy. You can read more on MDP here.
  3. Via the use of obligations. You could write a policy that says that as a whole a doctor has the right to view medical records + obligation to execute a filter SQL statement. The issue with this approach is that it puts authorization semantics inside the obligation rather than inside the policy. Also, what if multiple obligations are triggered?
David Brossard
  • Thanks David. I've been reading a lot of your comments/posts over the past week and was hoping you'd see this. – jbd Apr 27 '16 at 16:18
  • I feel like this is an inherent problem with authorization in general. I'm considering an approach where the point of interception occurs before actually running the query. E.g., determine if Alice can view docs at hospital X. If so, allow the query to run. Essentially, the query itself becomes the resource that the subject wants to run. Any feedback on that approach? I'm sure others have done this. – jbd Apr 27 '16 at 16:25
  • I've added a new approach to the answer. You are right that there are 2 levels of access control: the functional one (you have the right to retrieve medical records as a whole) and the data level one (you can only view records in your department). – David Brossard Apr 28 '16 at 15:19
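The following is an added illustration, not code from the question, the answer, or any Axiomatics product. It models the "doctors can only view patients in their hospital" policy as a single declarative rule and then shows the three evaluation styles the thread discusses: a yes/no decision for one record, a batch of decisions over a page of records (the Multiple Decision Profile idea), and a reverse query that turns the same rule into a parameterized SQL filter so the rule lives in the policy rather than in the application's SQL. It also includes the two-level flow from the comments: a functional check ("may this subject run a patient query at all?") followed by the row-level filter. The `Rule` dataclass, the `POLICY` list, the `PATIENTS` sample rows and the SQLite schema are all constructed here for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed policy (hypothetical, not from any product): a doctor may "view"
# a patient record whose hospital attribute equals the doctor's own hospital.
# The resource condition is kept declarative (resource column == subject
# attribute) so one rule serves both a yes/no decision and a reverse query.
@dataclass(frozen=True)
class Rule:
    action: str
    subject_role: str
    resource_type: str
    resource_attr: str   # column on the resource table
    subject_attr: str    # attribute of the subject it must equal

POLICY = [Rule("view", "doctor", "patient", "hospital", "hospital")]

# Allowlist of columns a rule may reference; the WHERE clause below is built
# only from these names, never from request input.
PATIENT_COLUMNS = {"id", "name", "hospital"}

# Constructed sample data, used both as in-memory resources and as DB rows.
PATIENTS = [
    {"id": 1, "name": "Pat A", "hospital": "Mercy"},
    {"id": 2, "name": "Pat B", "hospital": "Mercy"},
    {"id": 3, "name": "Pat C", "hospital": "StLuke"},
]


def applicable_rules(subject, action, resource_type):
    """Rules whose action, resource type and subject role match the request."""
    return [r for r in POLICY
            if r.action == action and r.resource_type == resource_type
            and subject.get("role") == r.subject_role]


def decide(subject, action, resource):
    """Single decision ("Can Alice view patient #3?"): Permit or Deny."""
    for r in applicable_rules(subject, action, "patient"):
        if resource.get(r.resource_attr) == subject.get(r.subject_attr):
            return "Permit"
    return "Deny"


def decide_many(subject, action, resources):
    """Multiple-decision style: one request, one decision per resource.
    Practical for a page of results, not for a whole table."""
    return {res["id"]: decide(subject, action, res) for res in resources}


def functional_decision(subject, action, resource_type):
    """Coarse check from the comments: may this subject run this kind of
    query at all? Row-level filtering is a separate, second step."""
    return "Permit" if applicable_rules(subject, action, resource_type) else "Deny"


def reverse_query(subject, action, resource_type="patient"):
    """Reverse query ("Which patients may Alice view?"): derive a
    parameterized WHERE clause from the applicable rules, so the SQL the
    application ships never hard-codes `hospital = X` itself."""
    clauses, params = [], []
    for r in applicable_rules(subject, action, resource_type):
        if r.resource_attr not in PATIENT_COLUMNS:
            raise ValueError(f"rule references unknown column {r.resource_attr}")
        clauses.append(f"{r.resource_attr} = ?")
        params.append(subject.get(r.subject_attr))
    if not clauses:
        return "1 = 0", []          # no applicable rule: match nothing
    return "(" + " OR ".join(clauses) + ")", params


def build_db():
    """In-memory SQLite table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, hospital TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                     [(p["id"], p["name"], p["hospital"]) for p in PATIENTS])
    return conn


def visible_patients(conn, subject):
    """Two-level flow: functional check first, then the derived row filter."""
    if functional_decision(subject, "view", "patient") != "Permit":
        return []
    where, params = reverse_query(subject, "view")
    sql = f"SELECT id, name, hospital FROM patients WHERE {where} ORDER BY id"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    alice = {"role": "doctor", "hospital": "Mercy"}
    print(decide(alice, "view", PATIENTS[2]))        # Deny
    print(decide_many(alice, "view", PATIENTS))
    print(reverse_query(alice, "view"))
    print(visible_patients(build_db(), alice))
```

The point of `reverse_query` is that adding a second rule (say, a nurse limited to a ward) changes only `POLICY`; the report SQL stays untouched and picks up the new predicate through the derived WHERE clause. The column allowlist matters because the clause is assembled by string formatting: rule attributes are trusted policy data here, but the check ensures a mistyped or tampered rule cannot inject arbitrary SQL, while the values themselves are always bound as parameters.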