Defining and Enforcing XACML Role-based Security Policies within an XML Security Framework

Securing electronic data has evolved into an important requirement in domains such as health care informatics, with the eXtensible Markup Language (XML) utilized to create standards such as the Clinical Document Architecture and the Continuity of Care Record, which have led to a need for approaches to secure XML schemas and documents. In this paper, we present a method for generating eXtensible Access Control Markup Language (XACML) policies that target XML schemas and their instances, allowing instances to be customized for users depending on their roles. To do so, we extend the Unified Modeling Language (UML) with two new diagrams to model XML: the XML Schema Class Diagram (XSCD) to define the structure of an XML document in UML style; and the XML Role-Slice Diagram (XRSD) to define roles and associated privileges at a granular access control level. In the process, we separate the XML schemas of an application from its security definition in XSRD. To demonstrate the enforcement of our approach, we utilize a personal health assistant mobile application for health information management, which allows patients to share personal health data with providers utilizing XACML for security definition.