Role Based Access Control Update. Presented by: Suzanne Gonzales-Webb, CPhT, VHA Office of Information Standards. HL7 Working Group Meeting, San Diego, CA - January 2007. Agenda: Constraints • Emergency Access • RBAC Quarterly Newsletter • HL7 RBAC Documentation • RBAC Website • Q&A
Constraint Catalog Constraints are restrictions that are enforced upon access permissions. Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. -Neumann Strembeck
Constraint Types Cardinality - Occurs when there is a limit on the number of users (persons, roles) who may hold the permission at any one time.
Constraint Types cont’d. Separation of duties - Occurs when the same user cannot hold two related permissions at the same time: • A user may be in one role, but not in another, mutually exclusive role. • Prevents a person from submitting and approving his or her own request.
Constraint Catalog • Separation of duties - (continued) Sensitive combinations of duties are partitioned between different individuals in order to prevent the violation of business rules.
Constraint Types cont’d. Time-dependency - Creates a time of day/time dependence on the person/role holding the permission.
Constraint Types cont’d. Location - Creates a location requirement for the person holding the permission.
Constraint Catalog - Process
STEP 1: Review each permission and identify applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint.
STEP 2: For each permission, record the associated constraint(s) if applicable (verify ‘constraint’ vs ‘business rule’, constraint conditions and brief description); include factors which make it differ from a business rule.
STEP 3: Identify Constraint Type (cardinality, separation of duty, time, location).
STEP 4: Assign a Constraint ID.
Constraint Table • ID (xy-nnn) Legend: x = P (permission) y = C (constraint identifier) nnn = Sequential number starting at 001 • Unique Permission ID - refers to the identifier assigned to the abstract permission name • Unique Permission-Constraint ID – refers to the identifier assigned to the permission constraint • Constraint Type – refers to the constraint definition as described in Table 1
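The four constraint types and the xy-nnn ID scheme above, evaluated at access time, as an added example that is not part of the original presentation or of any HL7 artifact. The permission names, the `Request` fields and the catalog rows are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import time

ID_RE = re.compile(r"PC-\d{3}")  # xy-nnn with x = P, y = C, per the slide legend

@dataclass
class Request:             # hypothetical request shape, not an HL7 structure
    user: str
    permission: str
    at: time               # local time of the access attempt
    location: str
    held: frozenset        # permissions the user already holds
    holders: int           # users currently holding `permission`

# Constructed catalog rows: (constraint ID, permission, type, parameter)
CATALOG = [
    ("PC-001", "approve_order", "separation_of_duty", "submit_order"),
    ("PC-002", "dispense_controlled", "cardinality", 2),
    ("PC-003", "dispense_controlled", "time", (time(7, 0), time(19, 0))),
    ("PC-004", "dispense_controlled", "location", {"pharmacy"}),
]

def violated(ctype, param, req):
    """True when the request breaks one constraint of the given type."""
    if ctype == "cardinality":         # limit on simultaneous holders reached
        return req.holders >= param
    if ctype == "separation_of_duty":  # conflicting permission already held
        return param in req.held
    if ctype == "time":                # outside the permitted time window
        start, end = param
        return not (start <= req.at <= end)
    if ctype == "location":            # not at a permitted location
        return req.location not in param
    raise ValueError(f"unknown constraint type: {ctype}")  # fail closed

def check(req, catalog=CATALOG):
    """Return the IDs of every constraint the request violates (empty = allow)."""
    hits = []
    for cid, perm, ctype, param in catalog:
        if not ID_RE.fullmatch(cid):
            raise ValueError(f"malformed constraint ID: {cid}")
        if perm == req.permission and violated(ctype, param, req):
            hits.append(cid)
    return hits
```

Returning the violated constraint IDs rather than a bare boolean lets the denial be logged against the catalog entry that caused it.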
Emergency Access Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and application in emergency conditions.
Emergency Access* Security Environment Primary need is to address a lack of sufficient authorization for legitimate care providers where the situation requires immediate delegation. *There are no established standards for emergency access.
Emergency Access Enforce security constraints which: • Audit (at each step, indicate use of Emergency Access) • Notification of local and work security officers • User review Be cautious of (tight) security constraints which lead to: • Ineffective use of the Healthcare Information system • Risk to patient health, treatment, safety
RBAC Newsletter Abstract reviews of Role Based Access Control documentation from around the world. Released Quarterly. Includes Security/RBAC related meeting updates and RBAC Task Force meeting briefs. http://www.va.gov/RBAC/newsletters.asp
HL7 RBAC Documentation Latest Versions of: • HL7 RBAC Healthcare Permission Catalog • HL7 RBAC Role Engineering Process • HL7 RBAC Role Engineering Process – Applied Example • HL7 RBAC Healthcare Scenarios • HL7 Healthcare Scenario Roadmap
RBAC Website The RBAC Website provides authoritative documentation on: • RBAC Engineering Processes • RBAC Task Force Artifacts • RBAC Newsletters • HL7 RBAC Collaborative and Balloted Documentation • Archived RBAC Presentations • Other SDO, VHA RBAC Collaborative Papers and Links http://www.va.gov/RBAC/index.asp
Constraint • Other constraints • Neumann-Strembeck: • X1 • X2 • X3 • Ahn-Shin • Crampton…?