Policy-Based Access Control

Full Title or Meme

Policy-Based Access Control or PBAC is any system where Access is mediated by Access Tokens that are evaluated by a digital policy language and policy control engine.

Context

• The most common Attribute-Based Access Control language XACML expanded their scope in version 3.0 to include the description Policy-Based Access Control although policy statement was defined in earlier versions.

Existing Languages

XACML

• XACML 3.0 core spec.
• This spec is written in XML with no regard of size of the message. It can easily be converted to json and this a a spec that describe the process.
• While it is oriented to an overly complex structure using monolithic designs, it has well-thought out elements that should remain useful.

Drools

• Supposedly this is open, which apparently apples to the java code implementation which is at the follow site.
• Drools documentation.
• "Drools is Rule Engine or a Production Rule System that uses the rule-based approach to implement and Expert System. Expert Systems are knowledge-based systems that use knowledge representation to process acquired knowledge into a knowledge base that can be used for reasoning."
• The rules supported by Drools look a lot like a domain specific programming language, not a business rules language.

HL7 CQL

• Clinical Quality Language (CQL) is a high-level, domain-specific language focused on clinical quality and targeted at measure and decision support artifact authors.
• In addition, this specification describes a machine-readable canonical representation called Expression Logical Model (ELM) targeted at implementations and designed to enable sharing of clinical knowledge.

Solution

References

Other Material

• For policy applied at the web page origin see the wiki page on Content Security Policy.