08/11/2006: "Privacy and Access Control Policies"

mood: cool eh?

I read the XACML privacy profile recently and I was surprised to see how close it is to the work we do here on the GOLD project. In GOLD we always supported the view that the owner of a resource should both be identified by the system and, in addition, be allowed to express security requirements related to his resource. I notice that the latest XACML privacy profile draft proposed just what GOLD has always been saying. The Profile standardizes, as one can guess, the way policies include information about the owner or custodian of a resource, as well as the purpose of collection of a resource and action. The spec also proposes an additional step during the assessment phase of a request, which includes the matching of a purpose (of the request) to the purpose for which the resource was collected in the first place. In a nutshell, this new spec gives the power to the owner or custodians to express how they would want their resource to be handled prior to committing it.

The problems that arise are of course related to the way policies are expressed, since by giving such powers to owners we move from a role-based view of the policies to a resource view. This has implications on the ways policies are expressed, privileges are collected and consequently distributed amongst roles. This is the exact problem the GOLD team is working on right now. :-) More soon.
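
The purpose-matching step and the shift from a role view to a resource view, sketched as an added example (not code from this post, the GOLD project or the XACML specification). All names, the three rules and the deny-overrides combination are assumptions chosen for illustration, and the sample resource and requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PERMIT, DENY = "Permit", "Deny"

# Role view: privileges collected per role (constructed sample data).
ROLE_PRIVILEGES = {"analyst": {"read"}, "admin": {"read", "delete"}}

@dataclass(frozen=True)
class Resource:
    name: str
    owner: str                 # owner or custodian identified by the system
    collected_for: frozenset   # purposes stated when the resource was committed
    owner_actions: frozenset   # actions the owner allows on the resource

@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str
    purpose: Optional[str]     # purpose claimed by the requester, may be absent

def role_rule(req):
    allowed = set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in req.roles))
    return PERMIT if req.action in allowed else DENY

def purpose_rule(req, res):
    # Extra assessment step: request purpose must match a collection purpose.
    # A request that states no purpose fails closed.
    return PERMIT if req.purpose and req.purpose in res.collected_for else DENY

def owner_rule(req, res):
    return PERMIT if req.action in res.owner_actions else DENY

def decide(req, res):
    """Deny-overrides: any rule returning Deny denies the request."""
    results = {"role": role_rule(req), "purpose": purpose_rule(req, res),
               "owner": owner_rule(req, res)}
    decision = DENY if DENY in results.values() else PERMIT
    return decision, results

# Constructed sample resource and requests.
RECORD = Resource("survey-results", "alice", frozenset({"research"}), frozenset({"read"}))

if __name__ == "__main__":
    for req in (Request("bob", frozenset({"analyst"}), "read", "research"),
                Request("bob", frozenset({"analyst"}), "read", "marketing"),
                Request("carol", frozenset({"admin"}), "delete", "research")):
        print(req.subject, req.action, req.purpose, "->", decide(req, RECORD))
```

The third request is the case the second paragraph points at: the admin role carries the delete privilege, yet the owner's resource-level policy denies it.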