Handling Instruction for a Data Resource
Multiple Obligations from Different Rules/Policies
Summary: When multiple obligations are issued from different rules, it is unclear how the obligations should be combined.
- If two policies result in parallel "Permit" decisions, and each includes an obligation, must both obligations be enforced?
- If two policies result in parallel "Permit" decisions, and only one of them includes an obligation, does the "Permit" without an obligation indicate that the other policy's obligation is unneeded?
There are different use cases that suggest that any single answer to the questions above may be incorrect some of the time. Some examples:
- Permission is granted for clerks or managers. Clerks require manager approval. What happens for a user who holds both "clerk" and "manager" roles?
- A regulatory policy grants access to in-country data. A separate client-specific policy grants access to a subset of clients. For a given open-ended request, each of these policies requires filtering the source data to ensure that all data returned is both in-country and client-approved. How do these separate obligations get combined?
- A regulatory policy grants access to in-country data, and requires that audit records be saved for a specific retention period. A separate client-specific policy grants access based upon clients, without an obligation. Must the audit obligation be enforced for the client-specific data?
There are assumed answers in each of the scenarios above, but the point of the examples is to illustrate that different scenarios may intend that obligations are combined in different ways.
What is the best way to articulate these differences?
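One way to make the differences concrete is to name the combining strategy explicitly. The sketch below is an added example, not part of the original page or of any policy standard; the class names, strategy names and obligation labels are assumptions chosen for illustration, and the inputs are constructed from the three scenarios above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obligation:
    kind: str   # "approval", "filter" or "audit" (labels assumed for this example)
    arg: str

@dataclass(frozen=True)
class Permit:
    policy: str                 # name of the policy that returned "Permit"
    obligations: tuple = ()     # obligations attached to that Permit

def enforce_all(permits):
    """Union: every obligation attached to any Permit must be enforced."""
    out = []
    for p in permits:
        for o in p.obligations:
            if o not in out:
                out.append(o)
    return out

def unconditional_wins(permits):
    """A Permit without obligations makes the other Permits' obligations unneeded."""
    return [] if any(not p.obligations for p in permits) else enforce_all(permits)

def conjoin_filters(permits):
    """Filter obligations are ANDed into one; all other kinds are unioned."""
    obs = enforce_all(permits)
    filters = [o.arg for o in obs if o.kind == "filter"]
    rest = [o for o in obs if o.kind != "filter"]
    if filters:
        rest.append(Obligation("filter", " AND ".join(filters)))
    return rest

# Constructed inputs modelled on the three scenarios in the text.
CLERK_MANAGER = [Permit("clerk", (Obligation("approval", "manager"),)), Permit("manager")]
DATA_FILTERS = [Permit("regulatory", (Obligation("filter", "in-country"),)),
                Permit("client", (Obligation("filter", "client-approved"),))]
AUDIT = [Permit("regulatory", (Obligation("audit", "retention-period"),)), Permit("client")]

if __name__ == "__main__":
    cases = [("clerk+manager", CLERK_MANAGER), ("filters", DATA_FILTERS), ("audit", AUDIT)]
    for name, permits in cases:
        for strategy in (enforce_all, unconditional_wins, conjoin_filters):
            print(f"{name:14} {strategy.__name__:19} {strategy(permits)}")
```

The clerk/manager input and the audit input have the same shape (one Permit with an obligation, one without), so the decisions alone cannot tell an evaluator which strategy applies; that choice has to be stated alongside the policies.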
Multiple Possible Obligations in a Workflow
Summary: A financial account may have various interested parties: a beneficial owner, a manager, and a custodian. When a user requests access, any of the interested parties may or may not require explicit approval, as a logical precondition and perhaps as a temporal precondition. In the context of a workflow, each workflow step is a protected operation. The step that works with the financial account begins with an access request; this access request may result in a "Permit" with up to three approval obligations.
How are the approvals combined, sequenced, and/or prioritized?