ABSTRACT
This paper describes an application of authorization and access control based on the Role Based Access Control (RBAC) method, integrated into a comprehensive trust infrastructure of a health care application. The method is applied to a health care business process in which multiple actors access the data and resources needed to perform clinical and logistics tasks. The notion of a trust constituency is introduced as a concept for describing the context of an authorization. In addition, the applied RBAC covers time constraints, role hierarchies and multi-level authorization rules, in order to cope with the multi-actor nature and the complexity of the application domain. The DRIVE RBAC model clearly distinguishes between static assignment of roles to users and dynamic activation of roles at session time. While focusing on the authorization and access control approach, the paper also describes how the RBAC functions have been integrated into a trust infrastructure that includes smart cards.
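The abstract's key distinction, static assignment of roles to users versus dynamic activation of roles in a session, together with role hierarchies and time constraints, is illustrated by the following added example. It is not code from the DRIVE project or the paper; the role names (nurse, physician, on_call_physician), the users and the time window are constructed assumptions, and the trust-constituency context described in the paper is not modelled here. The example goes slightly beyond the abstract by handling an activation window that wraps past midnight, which is the usual shape of an on-call constraint.

```python
"""Toy RBAC model: static user-role assignment, role hierarchy, and
session-time role activation under a daily time constraint.
Added illustration, not the DRIVE implementation."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Optional, Set, Tuple

# A permission is an (operation, object) pair, e.g. ("read", "patient_record").
Permission = Tuple[str, str]


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    # Junior roles whose permissions this role inherits (role hierarchy).
    juniors: Set[str] = field(default_factory=set)
    # Optional daily window in which the role may be activated (None = always).
    enabled_from: Optional[time] = None
    enabled_until: Optional[time] = None

    def enabled_at(self, at: time) -> bool:
        if self.enabled_from is None or self.enabled_until is None:
            return True
        if self.enabled_from <= self.enabled_until:
            return self.enabled_from <= at < self.enabled_until
        # Window wraps past midnight, e.g. 20:00 -> 08:00.
        return at >= self.enabled_from or at < self.enabled_until


class RbacPolicy:
    """Administrative (static) side: roles, hierarchy and user-role assignment."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}  # user -> statically assigned roles

    def add_role(self, role: Role) -> None:
        for junior in role.juniors:
            if junior not in self.roles:
                raise ValueError(f"unknown junior role {junior!r}")
        self.roles[role.name] = role

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise ValueError(f"unknown role {role_name!r}")
        self.assignments.setdefault(user, set()).add(role_name)

    def effective_permissions(self, role_name: str) -> Set[Permission]:
        """Permissions of a role plus everything inherited from its junior roles."""
        result: Set[Permission] = set()
        stack, seen = [role_name], set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            result |= role.permissions
            stack.extend(role.juniors)
        return result


class Session:
    """Dynamic side: a user activates a subset of assigned roles at session time."""

    def __init__(self, policy: RbacPolicy, user: str, now: time) -> None:
        self.policy, self.user, self.now = policy, user, now
        self.active: Set[str] = set()

    def activate(self, role_name: str) -> bool:
        assigned = self.policy.assignments.get(self.user, set())
        if role_name not in assigned:
            return False  # never statically assigned to this user
        if not self.policy.roles[role_name].enabled_at(self.now):
            return False  # outside the role's time constraint
        self.active.add(role_name)
        return True

    def is_permitted(self, operation: str, obj: str) -> bool:
        # Only roles activated in this session count, not everything assigned.
        return any((operation, obj) in self.policy.effective_permissions(r)
                   for r in self.active)


def build_demo_policy() -> RbacPolicy:
    # Constructed sample policy: three roles in a hierarchy, two users.
    policy = RbacPolicy()
    policy.add_role(Role("nurse", {("read", "patient_record")}))
    policy.add_role(Role("physician", {("write", "prescription")}, juniors={"nurse"}))
    policy.add_role(Role("on_call_physician", {("read", "ward_summary")},
                         juniors={"physician"},
                         enabled_from=time(20, 0), enabled_until=time(8, 0)))
    policy.assign("alice", "physician")
    policy.assign("alice", "on_call_physician")
    policy.assign("bob", "nurse")
    return policy


def demo(user: str, now: time, wanted: Set[str], operation: str, obj: str) -> bool:
    """Open a session, try to activate the wanted roles, and check one access."""
    session = Session(build_demo_policy(), user, now)
    for role in wanted:
        session.activate(role)
    return session.is_permitted(operation, obj)


if __name__ == "__main__":
    print(demo("alice", time(14, 0), {"on_call_physician"}, "read", "ward_summary"))  # False
    print(demo("alice", time(23, 0), {"on_call_physician"}, "read", "ward_summary"))  # True
    print(demo("alice", time(23, 0), {"physician"}, "read", "patient_record"))        # True
    print(demo("bob", time(23, 0), {"physician"}, "write", "prescription"))           # False
```

The point to take from the four checks at the bottom: a user holds only what was statically assigned, and even an assigned role grants nothing until it is activated in a session within its time window; the hierarchy then lets an activated senior role carry its juniors' permissions without separate assignment.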
Title: A context-related authorization and access control method based on RBAC