Policy use case

All,

I work in a government science laboratory where we provide large
national facilities of the order of hundreds of millions of dollars.
Researchers from universities use our large experimental facilities to
analyse samples of stuff. They produce large data files which we store,
and they may use our large compute facilities to further analyse. The
resulting data is stored on our 5 Petabyte data store. People then want
access to the raw or analysed data.

The national funding body who has paid for the research has a data
policy which states that the funded researchers, staff in the funding
body and their reviewers should have access to the data for 3 years, but
nobody else.

The researchers work in a university who have a data access policy that
all researchers in the university should retain IPR on their data and
not allow others access to it for 5 years. All researchers in the
university have access to the data of all other researchers in the
university in order to facilitate interdisciplinary research.

The pharmaceutical company who co-sponsor the research have a policy
that although others can have access to the data, they are the only ones
who can use the data for commercial purposes.

One researcher on the project is submitting part of the work to her
university to acquire a PhD, and does not want anybody else, even in
the university, to see it.

Our own facilities organisation has a policy that our staff can have
access to the data produced on our facilities for administration and for
use in developing the facilities.

These policies need to be encoded in a policy language that a PEP can
enforce, and conflicts and priorities can be resolved by a PDP.

I've not tried to define the roles precisely in an ontological manner
since they arise from different bodies who have not agreed on compatible
definitions. The durations are defined precisely because lawyers are
accustomed to these. The data sets themselves are not defined precisely
in the agreements since they are too technical to be well understood by
the lawyers, or too poorly defined by the researchers.

The legal agreements include this style of authorisation limitation, and
sometimes also include penalty clauses defining actions to be taken in
breach of these conditions which go beyond the XACML or SAML
descriptions - e.g. if x tries to access data sets to which they are not
authorised then they will lose their authorisation on all data sets.

We provide a Web Service interface to a data portal for users, funders,
commercial sponsors, administrators etc., to access the data. How do we
represent these various policies given the legal text in English,
identify conflicts between them, prioritise the policies where conflicts
exist (ok, that's out of scope) and enforce the right policy in the PEP?

Michael Wilson
STFC Rutherford Appleton Laboratory, UK
http://www.e-science.stfc.ac.uk/organisation/staff/michael_wilson/

Received on Sunday, 13 January 2008 03:31:26 UTC
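A sketch of how the policies in the message above could be encoded as rules and combined by a PDP, added here as an illustration and not part of Michael Wilson's message or of any XACML implementation: each body's policy becomes a rule over request attributes, a deny-overrides combining algorithm produces the decision, and the per-policy votes are kept so that policies which permit and deny the same request can be listed. The role names, purposes, data set labels and day-based durations are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

YEAR = 365  # assumption: policy durations counted in days from data creation

@dataclass
class Request:
    roles: Set[str]   # roles asserted for the requester (constructed vocabulary)
    purpose: str      # "research", "commercial", "administration", "facility_development"
    age_days: int     # days since the data set was produced
    dataset: str      # "project", or "thesis" for the PhD student's subset

Decision = Optional[str]  # "Permit", "Deny", or None when the rule is not applicable

def funder(r: Request) -> Decision:
    # Funding body: named parties only for 3 years, nobody else; silent afterwards.
    if r.age_days > 3 * YEAR:
        return None
    allowed = {"funded_researcher", "funder_staff", "funder_reviewer"}
    return "Permit" if r.roles & allowed else "Deny"

def university(r: Request) -> Decision:
    # University: every university researcher may read; outsiders excluded for 5 years.
    if "university_researcher" in r.roles:
        return "Permit"
    return "Deny" if r.age_days <= 5 * YEAR else None

def sponsor(r: Request) -> Decision:
    # Pharmaceutical co-sponsor: commercial use reserved to itself; silent otherwise.
    if r.purpose != "commercial":
        return None
    return "Permit" if "pharma_sponsor" in r.roles else "Deny"

def phd_student(r: Request) -> Decision:
    # Thesis subset: the author only, nobody else even inside the university.
    if r.dataset != "thesis":
        return None
    return "Permit" if "thesis_author" in r.roles else "Deny"

def facility(r: Request) -> Decision:
    # Facility operator: own staff, for administration and facility development.
    ok = "facility_staff" in r.roles and r.purpose in {"administration", "facility_development"}
    return "Permit" if ok else None

POLICIES: Dict[str, Callable[[Request], Decision]] = {
    "funder": funder, "university": university, "sponsor": sponsor,
    "phd_student": phd_student, "facility": facility}

def evaluate(r: Request):
    """Deny-overrides PDP: returns (decision, votes); votes keeps each applicable policy's answer."""
    votes = {name: d for name, pol in POLICIES.items() if (d := pol(r)) is not None}
    if "Deny" in votes.values():
        return "Deny", votes
    return ("Permit" if "Permit" in votes.values() else "NotApplicable"), votes

def conflicts(r: Request) -> Dict[str, List[str]]:
    """Policies that permit and deny the same request; empty dict when they agree."""
    votes = evaluate(r)[1]
    if not {"Permit", "Deny"} <= set(votes.values()):
        return {}
    return {d: sorted(n for n, v in votes.items() if v == d) for d in ("Permit", "Deny")}
```

A university researcher who is not on the funded project, requesting project data within the first three years, is permitted by the university rule and denied by the funder rule; `conflicts` surfaces exactly that disagreement, which is the input a prioritisation step would need.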