- From: Wilson, MD (Michael) <m.d.wilson@rl.ac.uk>
- Date: Sun, 13 Jan 2008 03:31:00 -0000
- To: <public-pling@w3.org>
All,

I work in a government science laboratory where we provide large national facilities in the order of 100s of millions of dollars. Researchers from universities use our large experimental facilities to analyse samples of stuff. They produce large data files which we store, and they may use our large compute facilities to further analyse. The resulting data is stored on our 5 Petabyte data store. People then want access to the raw or analysed data.

The national funding body who has paid for the research has a data policy which states that the funded researchers, staff in the funding body and their reviewers should have access to the data for 3 years, but nobody else.

The researchers work in a university who have a data access policy that all researchers in the university should retain IPR on their data and not allow others access to it for 5 years. All researchers in the university have access to the data of all other researchers in the university in order to facilitate interdisciplinary research.

The pharmaceutical company who co-sponsor the research have a policy that although others can have access to the data, they are the only ones who can use the data for commercial purposes.

One researcher on the project is submitting part of the work to her university to acquire a PhD, and does not want anybody else, even in the university, to see it.

Our own facilities organisation has a policy that our staff can have access to the data produced on our facilities for administration and for use in developing the facilities.

These policies need to be encoded in a policy language that a PEP can enforce, and conflicts and priorities can be resolved by a PDP.

I've not tried to define the roles precisely in an ontological manner since they arise from different bodies who have not agreed on compatible definitions. The durations are defined precisely because lawyers are accustomed to these. The data sets themselves are not defined precisely in the agreements since they are too technical to be well understood by the lawyers, or too poorly defined by the researchers.

The legal agreements include this style of authorisation limitation, and sometimes also include penalty clauses defining actions to be taken in breach of these conditions which go beyond the XACML or SAML descriptions - e.g. if x tries to access data sets to which they are not authorised then they will lose their authorisation on all data sets.

We provide a Web Service interface to a data portal for users, funders, commercial sponsors, administrators etc., to access the data.

How do we represent these various policies given the legal text in English, identify conflicts between them, prioritise the policies where conflicts exist (ok, that's out of scope) and enforce the right policy in the PEP?

Michael Wilson
STFC Rutherford Appleton Laboratory, UK
http://www.e-science.stfc.ac.uk/organisation/staff/michael_wilson/
Received on Sunday, 13 January 2008 03:31:26 UTC
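
The five policies in this use case can be prototyped as attribute rules to see where they collide before anything is written in XACML. The sketch below is an added example, not part of the original message: the role names, purpose values, the reading given to each English policy, and the deny-overrides combining rule are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    roles: frozenset           # hypothetical role labels, not agreed definitions
    purpose: str               # "research", "commercial", "admin", "facility_dev"
    age_years: float           # time since the data was produced
    thesis_part: bool = False  # data that is part of the PhD submission

FUNDER_ROLES = {"funded_researcher", "funder_staff", "reviewer"}

# (source, effect, applies): one assumed reading of each body's English policy.
RULES = [
    ("funder", "Permit", lambda r: r.age_years < 3 and bool(r.roles & FUNDER_ROLES)),
    ("funder", "Deny", lambda r: r.age_years < 3 and not r.roles & FUNDER_ROLES),
    ("university", "Permit", lambda r: "university_researcher" in r.roles),
    ("university", "Deny",
     lambda r: r.age_years < 5 and "university_researcher" not in r.roles),
    ("sponsor", "Deny",
     lambda r: r.purpose == "commercial" and "sponsor_staff" not in r.roles),
    ("phd_student", "Deny", lambda r: r.thesis_part and "phd_author" not in r.roles),
    ("facility", "Permit",
     lambda r: "facility_staff" in r.roles and r.purpose in {"admin", "facility_dev"}),
]

def decide(req):
    """Return (decision, conflicts). The decision uses deny-overrides (assumed);
    conflicts lists every (permit_source, deny_source) pair that disagrees."""
    votes = [(src, eff) for src, eff, applies in RULES if applies(req)]
    permits = sorted({s for s, e in votes if e == "Permit"})
    denies = sorted({s for s, e in votes if e == "Deny"})
    conflicts = [(p, d) for p in permits for d in denies]
    if denies:
        return "Deny", conflicts
    return ("Permit" if permits else "NotApplicable"), conflicts

# Constructed sample requests against a one-year-old data set.
SAMPLES = {
    "project member": Request(frozenset({"funded_researcher", "university_researcher"}), "research", 1),
    "funder reviewer": Request(frozenset({"reviewer"}), "research", 1),
    "facility admin": Request(frozenset({"facility_staff"}), "admin", 1),
    "colleague, thesis data": Request(frozenset({"university_researcher"}), "research", 1, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, *decide(req))
```

Under this reading, three of the four sample requests surface a conflict between issuing bodies, which is the set a prioritisation step in the PDP would have to settle.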