Configuring role-based access control to enforce mandatory and discretionary access control policies
ACM Transactions on Information and System Security (TISSEC)
Rule-Based RBAC with Negative Authorization
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
An Initial Model and a Discussion of Access Control in Patient Controlled Health Records
ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Federation proxy for cross domain identity federation
Proceedings of the 5th ACM workshop on Digital identity management
Hi-index | 0.00 |
Access control is a key feature of healthcare systems. Up until recently most healthcare information systems have been local to a healthcare facility and accessible only to clinicians. Currently there is a move towards making health information more accessible to patients. One example is the Personally Controlled Health Record (PCHR) where the patient is in charge of deciding who gets access to the information. In the PCHR the patient is the administrator of access control. While it certainly is possible to create roles representing people most patients would want to share with, like primary physician, it is also likely, and desirable, to afford the patients a high level of control and freedom to be able to create specialized access policies tailored to their personal wishes. We entitle this personalized access control. In this paper we present a semi-formal model for how we believe personalized access control may be realized. The model draws on and combines properties and concepts of both Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) to achieve the desired properties. Throughout the paper we use the PCHR as a motivating example and to explain our reasoning and practical use of the model.