ABSTRACT
We present a model of authorisation that is more powerful than Role Based Access Control (RBAC) and is suitable for complex web applications as well as for computer systems administration. It achieves its functionality by combining Identity Based Access Control (IBAC) and RBAC in novel ways. A particular feature of the model is a rigorous definition of override, for granting access to data and resources in exceptional circumstances. Despite its power, the model can be implemented by a single algorithm, as an extension to RBAC. The basis of the model is a new concept of permission, which we call Confidentiality Permission. There are five types of confidentiality permission, for granting access rights to identities and roles; negative confidentiality permissions, for denying access to data and resources, also exist. A single concept of Collection is used for structuring roles, identities, resources and resource types, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment; however, confidentiality permissions may also be assigned in other ways that do not depend on collections. We use a demanding scenario from Electronic Health Records to illustrate the power of the model. We have produced several demonstrators, one of which utilises the model to control data retrieval from commercial GP and Social Services systems.
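As an added illustration (not code from the paper), the toy evaluator below shows the shape of the scheme the abstract describes: positive and negative confidentiality permissions attached to either an identity or a role, inheriting down a chain of collections to a resource, with an explicit override that lifts a denial and is recorded. The resolution rules (deny wins unless overridden; an override cannot create a grant that does not exist; every override is audited), the collection layout and all names are assumptions constructed for this example, not the paper's definition of its five permission types or of override.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    subject: str    # an identity ("dr_smith") or a role ("role:gp")
    resource: str   # a resource, or a collection that contains resources
    action: str
    allow: bool     # False makes this a negative confidentiality permission

@dataclass
class Policy:
    parents: dict = field(default_factory=dict)  # member -> enclosing collection
    perms: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # recorded overrides

    def ancestry(self, resource):
        """The resource itself, then every collection it sits inside."""
        chain = [resource]
        while chain[-1] in self.parents:
            chain.append(self.parents[chain[-1]])
        return chain

    def decide(self, identity, roles, resource, action, override_reason=None):
        # Permissions attach to the identity or to any held role (IBAC + RBAC)
        # and inherit down the collection chain to the resource.
        subjects = {identity} | {f"role:{r}" for r in roles}
        scope = set(self.ancestry(resource))
        hits = [p for p in self.perms
                if p.subject in subjects and p.resource in scope and p.action == action]
        granted = any(p.allow for p in hits)
        denied = any(not p.allow for p in hits)
        if denied and granted and override_reason:
            # ASSUMED rule: an override lifts negative permissions only where a
            # positive grant already exists, and every use is recorded.
            self.audit.append((identity, resource, action, override_reason))
            return True
        return granted and not denied

def build_demo_policy():
    """Constructed EHR scenario: a patient record inside an EHR collection,
    with a sensitive sub-collection and one clinician excluded by consent."""
    p = Policy(parents={"sexual_health_notes": "patient_42_record",
                        "patient_42_record": "ehr"})
    p.perms += [
        Permission("role:gp", "ehr", "read", True),                   # role grant, inherited
        Permission("dr_jones", "patient_42_record", "read", False),   # identity denial
        Permission("role:gp", "sexual_health_notes", "read", False),  # sealed sub-collection
    ]
    return p
```

With this policy any GP can read the record, dr_jones cannot despite holding the GP role, the sealed notes are refused to GPs unless an override reason is supplied, and a role with no grant gains nothing from an override.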
The Tees Confidentiality Model: an authorisation model for identities and roles