Constraint injection

ericprud edited this page Sep 8, 2012 · 1 revision

Constraint injection is a use of query rewriting which capitalizes on OPTIONALs to create a virtual graph tailored to the requestor's credentials. RDF rules systems of sufficient expressivity can record the policy associated with access to a graph pattern. Imagine a degenerate case where the graph pattern is access to a simple predicate, obs:medication. Per the Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of XACML, meta-information about a patient's prescriptions is described under the HL7 category medication. A query service may share a graph which looks like:

{ ?p   obs:medication ?med .
  ?med rdfs:label     ?takes . }

The access control policy, backed by some graph associating requestors with particular entitlements, looks like:

{ ?acl acls:entitles  ?_requester .
  ?acl acls:includes  hl7:medication }

A deduction rule (in SPARQL) which captures this:

CONSTRUCT {
  ?p   obs:patientId  ?id .
  ?p   obs:medication ?med .
  ?med rdfs:label     ?takes .
} WHERE {
  ?p   hosp:ID       ?id .
  OPTIONAL {
    ?p     encounters:prescription ?med .
    ?med   medications:salesName   ?takes .
    ?acl   acls:entitles  ?_requester .
    ?acl   acls:includes  hl7:medication
  }
}
allows the system to project the medication information only if the requestor has sufficient privilege. Such a requestor can send a request for privileged information along with some credentials via e.g. HTTP authentication or a known client-side SSL certificate. A requester querying for patients prescribed buproprion (perhaps seeking subjects for a clinical trial) sends a query that touches a secured portion of the graph:
SSL client 12345678 sends
SELECT ?p {
  ?p   obs:patientId  ?id .
  ?p   obs:medication med:buproprion .
}
The rewrite replaces the portion of the query referencing obs:medication with the underlying pattern and embeds the access constraint, with the requester's credential bound in place of ?_requester:
SELECT ?p {
  ?p     encounters:prescription ?presc .
  ?presc medications:salesName   med:buproprion .
  ?acl   acls:entitles           12345678 .
  ?acl   acls:includes           hl7:medication .
}
Which ends up in the lap of the SQL engine:
SELECT CONCAT("http://hosp.example/db/", p.ID)
  FROM Encounters AS p
       INNER JOIN Medications AS presc ON presc.ID=p.prescription
       INNER JOIN Acls AS acl ON acl.entitles="12345678"
                             AND acl.includes="hl7_med"
 WHERE presc.salesName="buproprion"
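The rewrite step above, as an added example that is not part of the wiki page: a minimal Python rewriter that expands the virtual predicates of a flat SELECT pattern using a policy table modelled on the CONSTRUCT rule, and injects the acls:entitles / acls:includes constraints for every secured predicate the query touches. The RULES table, the variable naming and the flat-pattern parser are assumptions of this example; unlike the page, it quotes the requester's credential as a SPARQL string literal so an untrusted credential is data rather than query text.

```python
import re

# Policy table (constructed for this example, mirroring the wiki's rule): each
# virtual predicate maps to the underlying patterns it expands to and, if the
# pattern is secured, the HL7 entitlement the requester must hold. {s}/{o} are
# the subject/object of the matched triple; {n} keeps helper variables unique.
RULES = {
    "obs:patientId": (["{s} hosp:ID {o} ."], None),
    "obs:medication": (["{s} encounters:prescription ?presc{n} .",
                        "?presc{n} medications:salesName {o} ."], "hl7:medication"),
}

# One basic triple pattern: subject, predicate, object, terminated by a dot.
TRIPLE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s*\.")


def credential_literal(credential: str) -> str:
    """Quote the requester's credential as a SPARQL string literal so that an
    untrusted value cannot change the shape of the rewritten query."""
    escaped = (credential.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{escaped}"'


def rewrite(query: str, credential: str) -> str:
    """Expand virtual predicates in a flat SELECT { ... } query (no OPTIONAL or
    nested groups) and inject the ACL constraints for each secured predicate."""
    head, rest = query.split("{", 1)
    body = rest.rsplit("}", 1)[0]
    patterns, needed = [], []
    for n, (s, p, o) in enumerate(TRIPLE.findall(body)):
        expansion, entitlement = RULES.get(p, (["{s} {p} {o} ."], None))
        patterns += [t.format(s=s, p=p, o=o, n=n) for t in expansion]
        if entitlement and entitlement not in needed:
            needed.append(entitlement)
    # Injected constraints: the pattern can only match if some ACL both entitles
    # this requester and covers the category; otherwise the query yields no rows.
    for i, entitlement in enumerate(needed):
        patterns += [f"?acl{i} acls:entitles {credential_literal(credential)} .",
                     f"?acl{i} acls:includes {entitlement} ."]
    return head + "{\n  " + "\n  ".join(patterns) + "\n}"


if __name__ == "__main__":
    # The wiki's clinical-trial query, issued by SSL client 12345678.
    print(rewrite("SELECT ?p { ?p obs:patientId ?id . "
                  "?p obs:medication med:buproprion . }", "12345678"))
```

A query that touches no secured predicate is expanded without any acls:entitles pattern, so unprivileged data stays reachable without credentials.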

Advantages

This approach allows one to push the enforcement downstream arbitrarily, as far as the relational database in the above example. There is effectively no performance penalty as query transformation is trivial compared to query execution on any interesting query. The expressivity of constraints seems to be appropriate for maintenance as the constraints are adjacent to the query patterns they enable.

Disadvantages

This does not leverage any existing technology (e.g. XACML) to enforce the policy.