220 likes | 350 Views
In the name of God. Distributed Medical Environment Database Access control (DIMEDAC). By M. Gharib H. Salemi F. Khodadadi. Introduction to DIMEDAC DIMEDAC components Determining user authorization Algorithms Static Dynamic. Out Lines.
E N D
In the name of God Distributed Medical Environment Database Access control(DIMEDAC) By M. Gharib H. Salemi F. Khodadadi
Introduction to DIMEDAC • DIMEDAC components • Determining user authorization • Algorithms • Static • Dynamic OutLines
The DIMEDAC security policy provides a Role-based authorization mechanism for accessing data depending on the particular values of the user location. • Protection of the privacy of the patients in distributed medical databases. DIMEDAC
It combines the advantages of both the DAC and MACpolicies. • Protection of global objects from accessing by global subjects is achieved with the use of location control concept. • The access control mechanisms used in DIMEDAC are the hyper node hierarchies DIMEDAC
A Hyper Node Hierarchy (HNH) is a group of hyper nodes. Each hyper node is connected to another hyper node by a branch or a link. • A branch is used to connect a node with its ancestor in the above level. • Links are connections that are used between nodes of the same level. Hyper Node Hierarchies
User Role Hierarchy (URH) • Data Set Hierarchy (DSH) • User Location Hierarchy (ULH) Hyper Node Hierarchies…
Determining UserAuthorizations Three Dimension Access-Matrix (3DAM)
Static algorithm • Dynamic algorithm Algorithms
Insert {UR , UL , DS , ACCESS} • Step 1 : If the specific data set DS has descendants in the DSH, then for each one descendant a new entry is automatically inserted (if there isn’t one already) having the same UR, UL and AM. • Step 2 :If the specific user location UL has descendants in the ULH, then for each one descendant all the above entries are automatically inserted (if there isn’t one already) having the same UR, DS and AM. • Step 3 : If the specific user role UR has ancestors in the URH, then for each one ancestor all the above entries are automatically inserted (if there isn’t one already) having the same UL, DS and AM. Static Algorithm
Insert : {D, C12111, HE, Select} Step 3: {D, S121111, HE, Select} {D, S121111, HEC, Select} {D, S121111, HEL, Select} {D, S121111, HEX, Select} {M, S121111, HE, Select} {M, S121111, HEC, Select} {M, S121111, HEL, Select} {M, S121111, HEX, Select} {D, S121112, HE, Select} {D, S121112, HEC, Select} {D, S121112, HEL, Select} {D, S121112, HEX, Select} {M, S121112, HE, Select} {M, S121112, HEC, Select} {M, S121112, HEL, Select} {M, S121112, HEX, Select} Step 1: {D, C12111, HEC, Select} {D, C12111, HEL, Select} {D, C12111, HEX, Select} Step 2: {M, C12111, HE, Select} {M, C12111, HEC, Select} {M, C12111, HEL, Select} {M, C12111, HEX, Select} Example
Step 1: For every descendant UR' of the user role UR (including the UR itself) a search for all relevant quadruples (having the same UR') in 3DAM is performed. If no quadruples are found then the access request is denied. If in the result set there is an entry {UR', UL', DS', AM'} where UL'=UL, DS'=DS and AM'=AM then the access request is permitted. Otherwise, for each quadruple found the following step is performed. • Step 2: For every ancestor UL'' of the user location UL' (including the UL' itself) of the quadruple found, a search for all relevant quadruples (having the same UR' and UL'') in 3DAM is performed. If no quadruples are found then the access request is denied. If in the result set there is an entry {UR', UL'', DS'', AM''} where DS''=DS and AM''=AM then the access request is permitted. Otherwise, for each quadruple found the following step is performed. Dynamic Algorithm
Step 3: For every ancestor DS''' of the data set DS'' (including the DS'' itself) of the quadruple found, a search for all relevant quadruples (having the same UR', UL'' and DS''') in 3DAM is performed. If no quadruples are found then the access request is denied. If in the result set there is an entry {UR', UL'', DS''', AM'''} where AM'''=AM then the access request is permitted. Otherwise, the access request is denied. Dynamic Algorithm…
Mavridis, I., Pangalos, G., Khair, M. and Bozios, L., 1999, Defining Access Control Mechanisms for Privacy Protection in Distributed Medical Databases, Proceedings of IFIP Working Conference on User Identification and Privacy Protection, Sweden. • Mavridis I. And Pangalos G., “Determining User Authorizations in Distributed Database Systems”, in Proceedings of the 8th Conference on Informatics, Volume 1, Nicosia, Cyprus, November 2001, ISBN 960-14-0459-7. References
Thanks ?