A medical database case study for reflective database access control

Authors:
Lars E. Olson;Carl A. Gunter;Sarah Peterson Olson
Affiliations:
University of Illinois at Urbana-Champaign, Urbana, IL, USA;University of Illinois at Urbana-Champaign, Urbana, IL, USA;University of Nebraska Medical Center, Omaha, NE, USA
Venue:
Proceedings of the first ACM workshop on Security and privacy in medical and home-care systems
Year:
2009

Citing 7
Cited 1

An amateur's introduction to recursive query processing strategies

SIGMOD '86 Proceedings of the 1986 ACM SIGMOD international conference on Management of data
A security policy model for clinical information systems

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
On Safety in Discretionary Access Control

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Audit-Based Access Control for Electronic Health Records

Electronic Notes in Theoretical Computer Science (ENTCS)
A posteriori compliance control

Proceedings of the 12th ACM symposium on Access control models and technologies
A formal framework for reflective database access control policies

Proceedings of the 15th ACM conference on Computer and communications security
Specifying and Analyzing Workflows for Automated Identification and Data Capture

HICSS '09 Proceedings of the 42nd Hawaii International Conference on System Sciences

Declarative privacy policy: finite models and attribute-based encryption

Proceedings of the 2nd ACM SIGHIT International Health Informatics Symposium

Quantified Score

Hi-index	0.00

Visualization

Abstract

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies, enabling enforcement at the database level rather than at the application level. This in turn facilitates the creation of new applications without the need for duplicating security enforcement in each application. Past work has proposed the use of the Transaction Datalog (TD) language as a theoretical basis for RDBAC. We present a case study for a medical database using TD. This case study includes a wide range of access patterns for which RDBAC provides a simple method for formulating policies, demonstrating the flexibility of RDBAC as well as the practicality and scalability of using such a system in real-world applications that require non-trivial policy definitions on large data sets.