Role-Based Access Control Models
Computer
Managing access control policies using access control spaces
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
A role-based delegation framework for healthcare information systems
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
The tees confidentiality model: an authorisation model for identities and roles
Proceedings of the eighth ACM symposium on Access control models and technologies
Policy management using access control spaces
ACM Transactions on Information and System Security (TISSEC)
An integrated approach to engineer and enforce context constraints in RBAC environments
ACM Transactions on Information and System Security (TISSEC)
Extending access control models with break-glass
Proceedings of the 14th ACM symposium on Access control models and technologies
Role based access control for a medical database
SEA '07 Proceedings of the 11th IASTED International Conference on Software Engineering and Applications
A novel use of RBAC to protect privacy in distributed health care information systems
ACISP'03 Proceedings of the 8th Australasian conference on Information security and privacy
A calculus for the qualitative risk assessment of policy override authorization
Proceedings of the 3rd international conference on Security of information and networks
An approach to modular and testable security models of real-world health-care applications
Proceedings of the 16th ACM symposium on Access control models and technologies
Hi-index | 0.00 |
A UML model of Authorisation is described, which was developed for an Electronic Medical Records application in collaboration with the UK NHS Information Authority. The model is an enhancement of the UK Healthcare Model (HcM), in that it provides extra classes for use with HcM classes. It provides powerful confidentiality specification capabilities, which can also be used in other applications.A Role (actually called AgentActivityType for consistency with the HcM) may be directly associated with an Accountability. An Accountability is an agreement where one Party commissions a second Party to undertake Activities under the authority of that Accountability.Four types of Confidentiality Permission are defined which allow access to data items (SubjectPhenomena), or to data items with specific types (SubjectPhenomenonType). Access can be granted to individual Agents, or to AuthorizedAgents acting in specified Roles. A model of override allows the Confidentiality Permissions to be overridden in a strictly controlled way. Override facilities are granted to Agents by establishing appropriate Accountabilities, and any use of override is logged.Access to data can be granted to groups of Agents, and to group of Roles. Establishing access rights for a group involves defining a set of Confidentiality Permissions for the group.The Authorisation Model is illustrated throughout the paper by examples from healthcare. In particular a demanding scenario (child abuse) is presented. In this scenario complex restrictions must be placed on the data, which might result in inappropriate actions if clinicians and other professionals are denied access to the data.