1 / 20

Role Based Access Control Update

Role Based Access Control Update. Presented by: Suzanne Gonzales-Webb, CPhT VHA Office of Information Standards. HL7 Working Group Meeting San Diego, CA - January 2007. Agenda. Constraints Emergency Access RBAC Quarterly Newsletter HL7 RBAC Documentation RBAC Website Q&A.

fay
Download Presentation

Role Based Access Control Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Role Based Access Control Update Presented by: Suzanne Gonzales-Webb, CPhT VHA Office of Information Standards HL7 Working Group Meeting San Diego, CA - January 2007

  2. Agenda • Constraints • Emergency Access • RBAC Quarterly Newsletter • HL7 RBAC Documentation • RBAC Website • Q&A

  3. Constraint Catalog Constraints are restrictions that are enforced upon access permissions. Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. -Neumann Strembeck

  4. Constraint Types Cardinality - Occurs when there is a limit of a certain number of users (persons, roles) who may be holding the permission at any one time.

  5. Constraint Types cont’d. Separation of duties - Occurs when the same user cannot hold two related permissions at the same time: • A user may be in one role, but not in another mutually exclusive. • Prevents a person from submitting and approving his or her own request.

  6. Constraint Catalog • Separation of duties - (continued) Sensitive combination duties are partitioned between different individual in order to prevent the violation of business rules

  7. Constraint Types cont’d. Time-dependency - Creates a time of day/time dependence on the person/role holding the permission.

  8. Constraint Types cont’d. Location - Creates a location requirement for the person holding the permission.

  9. . • .

  10. Constraint Catalog - Process STEP 1 Review each permission and identify applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint. STEP 2 For each permission, record the associated constraint(s) if applicable (verify ‘constraint’ vs ‘business rule’, constraint conditions and brief description) include factors which make it differ from a business rule. STEP 3 Identify Constraint Type (cardinality, separation of duty, time, location). STEP 4 Assign a Constraint ID.

  11. Constraint Table • ID (xy-nnn) Legend: x = P (permission) y = C (constraint identifier) nnn = Sequential number starting at 001 • Unique Permission ID - refers to the identifier assigned to the abstract permission name • Unique Permission-Constraint ID – refers to the identifier assigned to the permission constraint • Constraint Type – refers to the constraint definition as described in Table 1

  12. Constraint Table - Example

  13. Emergency Access Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and application in emergency conditions.

  14. Emergency Access* Security Environment Primary need is to address a lack of sufficientauthorization for legitimate care providerswhere the situation requires immediatedelegation. *There are no established standards for emergency access.

  15. Emergency Access Enforce security constraints which: • Audit (at each step, indicate use of Emergency Access) • Notification of local and work security officers • User review Be cautious of (tight) security constraints which lead to: • Ineffective use of the Healthcare Information system • Risk to patient health, treatment, safety

  16. RBAC Newsletter Abstract reviews of Role Based Access Control documentation from around the world. Released Quarterly. Includes Security/RBAC related meeting updates and RBAC Task Force meeting briefs. http://www.va.gov/RBAC/newsletters.asp

  17. HL7 RBAC Documentation Latest Versions of: • HL7 RBAC Healthcare Permission Catalog • HL7 RBAC Role Engineering Process • HL7 RBAC Role Engineering Process – Applied Example • HL7 RBAC Healthcare Scenarios • HL7 Healthcare Scenario Roadmap

  18. RBAC Website The RBAC Website provides authoritativedocumentation on: • RBAC Engineering Processes • RBAC Task Force Artifacts • RBAC Newsletters • HL7 RBAC Collaborative and Balloted Documentation • Archived RBAC Presentations • Other SDO, VHA RBAC Collaborative Papers and Links http://www.va.gov/RBAC/index.asp

  19. Role Based Access Control (RBAC) Q & A

  20. Constraint • Other constraints • Neumann-Strembeck: • X1 • X2 • X3 • Ahn-Shin • Crampton…?

More Related