SecurityAndPrivacy
Class AuthorizationPolicy

Authorization Policy is a specialization of a Basic Policy and is used to describe an authorization policy that may be exchanged across domains. An instance of Authorization Policy specifies permitted actions per ISO 22600-2. A positive (or negative) Authorization Policy defines the actions (Operation Type) that a subject is permitted (or forbidden) to perform on a target. Actions encoded using the Operation Type class represents the operations defined in the interface of a target object. [HL7 DAM]
This class is derived from ISO 22600-2 and HL7 DAM.

Attributes
«IVL_TS» Period allowableAccessTime allowableAccessTime

An access may be allowed only during specific time periods of the day (e.g., 9 am to 5 pm).

«CS» Code authorizationPolicyType authorizationPolicyType
Boolean enablesAuthorization enablesAuthorization

This attribute is used to specify if the policy enables or declines an authorization. If this attribute is set to 'true' the policy authorizes the actions and conditions pertaining to the resources referenced by the policy. Otherwise the authorization is declined.

Integer levelOfAssurance levelOfAssurance

Level of Assurance (LoA) refers to the degree of certainty that (1) a resource owner has that a person's physical self has been adequately verified before credentials are issued by a registration authority, and (2) a user indeed owns the credentials they are subsequently presenting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. LoA is relevant to authentication, authorization, and access control in an SOA environment. Relevant references: 'InCommon Credential Assessment Profile r0.3', 'NIST 800-63: Electronic Authentication Guideline', and 'NIST 800-53: Recommended Security Controls for Federal Information Systems'. Access may only be granted when authentication mechanisms of at least a given strength are used. That is indicated using the Level of Assurance.

String route route

This attribute specifies whether access to protected information may only be granted for a specified route of access. For example, access may be restricted to remote users using a Virtual Private Network (VPN). The route is a context qualifier as specified by ISO/IEC 10164-9.

Attributes inherited from FHIM::SecurityAndPrivacy::AtomicPolicy FHIM::SecurityAndPrivacy::AtomicPolicy
ruleText ruleText, implementableRule implementableRule, securityContext securityContext

Attributes inherited from FHIM::SecurityAndPrivacy::Policy FHIM::SecurityAndPrivacy::Policy
authority authority, description description, effectiveTime effectiveTime, identifier identifier, mimeType mimeType, name name, securityRole securityRole, status status, uri uri

Properties:

Alias
Classifier Behavior
Is Abstractfalse
Is Activefalse
Is Leaffalse
Keywords
NameAuthorizationPolicy
Name Expression
NamespaceSecurityAndPrivacy
Owned Template Signature
OwnerSecurityAndPrivacy
Owning Template Parameter
PackageSecurityAndPrivacy
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy
Representation
Stereotype
Template Parameter
VisibilityPublic

Attribute Details

 allowableAccessTime
Public «IVL_TS» Period allowableAccessTime

An access may be allowed only during specific time periods of the day (e.g., 9 am to 5 pm).

Constraints:
Properties:

AggregationNone
Alias
Association
Association End
ClassAuthorizationPolicy
Datatype
Default
Default Value
Is Compositefalse
Is Derivedfalse
Is Derived Unionfalse
Is Leaffalse
Is Orderedfalse
Is Read Onlyfalse
Is Staticfalse
Is Uniquetrue
Keywords
Lower0
Lower Value(0)
Multiplicity*
NameallowableAccessTime
Name Expression
NamespaceAuthorizationPolicy
Opposite
OwnerAuthorizationPolicy
Owning Association
Owning Template Parameter
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy::allowableAccessTime
Stereotype
Template Parameter
Type«IVL_TS» Period
Upper*
Upper Value(*)
VisibilityPublic


 authorizationPolicyType
Public «CS» Code authorizationPolicyType
Constraints:
Properties:

AggregationNone
Alias
Association
Association End
ClassAuthorizationPolicy
Datatype
Default
Default Value
Is Compositefalse
Is Derivedfalse
Is Derived Unionfalse
Is Leaffalse
Is Orderedfalse
Is Read Onlyfalse
Is Staticfalse
Is Uniquetrue
Keywords
Lower0
Lower Value(0)
Multiplicity0..1
NameauthorizationPolicyType
Name Expression
NamespaceAuthorizationPolicy
Opposite
OwnerAuthorizationPolicy
Owning Association
Owning Template Parameter
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy::authorizationPolicyType
Stereotype
Template Parameter
Type«CS» Code
Upper1
Upper Value(1)
VisibilityPublic


 enablesAuthorization
Public Boolean enablesAuthorization

This attribute is used to specify if the policy enables or declines an authorization. If this attribute is set to 'true' the policy authorizes the actions and conditions pertaining to the resources referenced by the policy. Otherwise the authorization is declined.

Constraints:
Properties:

AggregationNone
Alias
Association
Association End
ClassAuthorizationPolicy
Datatype
Default
Default Value
Is Compositefalse
Is Derivedfalse
Is Derived Unionfalse
Is Leaffalse
Is Orderedfalse
Is Read Onlyfalse
Is Staticfalse
Is Uniquetrue
Keywords
Lower1
Lower Value(1)
Multiplicity1
NameenablesAuthorization
Name Expression
NamespaceAuthorizationPolicy
Opposite
OwnerAuthorizationPolicy
Owning Association
Owning Template Parameter
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy::enablesAuthorization
Stereotype
Template Parameter
TypeBoolean
Upper1
Upper Value(1)
VisibilityPublic


 levelOfAssurance
Public Integer levelOfAssurance

Level of Assurance (LoA) refers to the degree of certainty that (1) a resource owner has that a person's physical self has been adequately verified before credentials are issued by a registration authority, and (2) a user indeed owns the credentials they are subsequently presenting to access the resource. The requirements for the level of certainty at both ends of that set of transactions should be driven by a risk assessment based on the value of the resources being protected. LoA is relevant to authentication, authorization, and access control in an SOA environment. Relevant references: 'InCommon Credential Assessment Profile r0.3', 'NIST 800-63: Electronic Authentication Guideline', and 'NIST 800-53: Recommended Security Controls for Federal Information Systems'. Access may only be granted when authentication mechanisms of at least a given strength are used. That is indicated using the Level of Assurance.

Constraints:
Properties:

AggregationNone
Alias
Association
Association End
ClassAuthorizationPolicy
Datatype
Default
Default Value
Is Compositefalse
Is Derivedfalse
Is Derived Unionfalse
Is Leaffalse
Is Orderedfalse
Is Read Onlyfalse
Is Staticfalse
Is Uniquetrue
Keywords
Lower1
Lower Value(1)
Multiplicity1
NamelevelOfAssurance
Name Expression
NamespaceAuthorizationPolicy
Opposite
OwnerAuthorizationPolicy
Owning Association
Owning Template Parameter
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy::levelOfAssurance
Stereotype
Template Parameter
TypeInteger
Upper1
Upper Value(1)
VisibilityPublic


 route
Public String route

This attribute specifies whether access to protected information may only be granted for a specified route of access. For example, access may be restricted to remote users using a Virtual Private Network (VPN). The route is a context qualifier as specified by ISO/IEC 10164-9.

Constraints:
Properties:

AggregationNone
Alias
Association
Association End
ClassAuthorizationPolicy
Datatype
Default
Default Value
Is Compositefalse
Is Derivedfalse
Is Derived Unionfalse
Is Leaffalse
Is Orderedfalse
Is Read Onlyfalse
Is Staticfalse
Is Uniquetrue
Keywords
Lower1
Lower Value(1)
Multiplicity1
Nameroute
Name Expression
NamespaceAuthorizationPolicy
Opposite
OwnerAuthorizationPolicy
Owning Association
Owning Template Parameter
Qualified NameFHIM::SecurityAndPrivacy::AuthorizationPolicy::route
Stereotype
Template Parameter
TypeString
Upper1
Upper Value(1)
VisibilityPublic