Role Based Access Control Update
Role Based Access Control Update. Presented by: Suzanne Gonzales-Webb, CPhT, VHA Office of Information Standards. HL7 Working Group Meeting, San Diego, CA - January 2007. Agenda: Constraints, Emergency Access, RBAC Quarterly Newsletter, HL7 RBAC Documentation, RBAC Website, Q&A.
Page 1
Role Based Access Control Update
HL7 Working Group Meeting San Diego, CA - January 2007
Presented by:
Suzanne Gonzales-Webb, CPhT
VHA Office of Information Standards
Page 2
Agenda
Constraints
Emergency Access
RBAC Quarterly Newsletter
HL7 RBAC Documentation
RBAC Website
Q&A
Page 3
Constraint Catalog
Constraints are restrictions that are enforced upon access permissions.
Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. - Neumann and Strembeck
Page 4
Constraint Types
Cardinality - Occurs when there is a limit on the number of users (persons, roles) who may be holding the permission at any one time.
Page 5
Constraint Types cont’d.
Separation of duties - Occurs when the same user cannot hold two related permissions at the same time:
A user may be in one role, but not in another role that is mutually exclusive with it.
Prevents a person from submitting and approving his or her own request.
Page 6
Constraint Catalog
Separation of duties - (continued)
Sensitive combinations of duties are partitioned between different individuals in order to prevent the violation of business rules.
Page 7
Constraint Types cont’d.
Time-dependency - Creates a time-of-day or other time dependence on the person/role holding the permission.
Page 8
Constraint Types cont’d.
Location - Creates a location requirement for the person holding the permission.
Page 10
Constraint Catalog - Process
STEP 1 Review each permission and identify applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint.
STEP 2 For each permission, record the associated constraint(s), if applicable (verify ‘constraint’ vs ‘business rule’, the constraint conditions and a brief description), and include the factors which make it differ from a business rule.
STEP 3 Identify Constraint Type (cardinality, separation of duty, time, location).
STEP 4 Assign a Constraint ID.
Page 11
Constraint Table
ID (xy-nnn) Legend: x = P (permission); y = C (constraint identifier); nnn = sequential number starting at 001
Unique Permission ID - refers to the identifier assigned to the abstract permission name
Unique Permission-Constraint ID – refers to the identifier assigned to the permission constraint
Constraint Type – refers to the constraint definition as described in Table 1
Page 12
Constraint Table - Example

| Unique Permission Constraint ID | Permission Constraint Description | Constraint Type | Permission ID | Permission Name |
|---|---|---|---|---|
| PC-002 | A Resident may operate in ER as an Attending | Location | POE-005 | New/Renew Outpatient Prescription Order |
| | | | POE-006 | Change/Discontinue/Refill Outpatient Prescription Order |
| | | | POE-017 | New Verbal and Telephone Order |
| PC-006 | Only one (1) physician may be acting as Chief of Medical Records at any given time | Cardinality | POE-028 | Release Orders |
| PC-007 | In the event that a Hospital or Clinic Pharmacy does not have 24 hour service, a Charge Nurse may have access to some of the pharmacy override privileges (i.e. verify orders). During regular pharmacy hours, the Charge Nurse would normally not have these permission(s). | Time-Dependency | POE-005 | New/Renew Outpatient Prescription Order |
| | | | POE-006 | Change/Discontinue/Refill Outpatient Prescription Order |
| | | | POE-007 | New Inpatient Medication Order |
| | | | POE-008 | Change/Discontinue Inpatient Medication Order |
| | | | POE-028 | Release Orders |

(The slide notes that the Permission IDs and Names in this example are incomplete.)
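As an added example, not part of the slides, the following Python models the four constraint types from the Constraint Types slides and evaluates requests against the catalog's PC-002 (Location), PC-006 (Cardinality) and PC-007 (Time-Dependency) entries. The separation-of-duty role pair, the pharmacy hours, the current role holders and the request fields are assumptions.

```python
from dataclasses import dataclass
from datetime import time
# Constructed mini catalog modelled on the slide's PC-002 (Location), PC-006 (Cardinality)
# and PC-007 (Time-Dependency); the SoD pair, pharmacy hours and holders are assumptions.
PHARMACY_HOURS = (time(8, 0), time(17, 0))      # assumed regular pharmacy hours
PHARMACY_24H = False                            # assumed: no 24-hour pharmacy service
MUTUALLY_EXCLUSIVE = [frozenset({"Order Submitter", "Order Approver"})]  # assumed SoD pair
MAX_HOLDERS = {"Chief of Medical Records": 1}   # PC-006: one physician at any given time
ACTIVE_HOLDERS = {"Chief of Medical Records": {"dr_lee"}}  # constructed current state
PHARMACY_OVERRIDE = {"POE-005", "POE-006", "POE-007", "POE-008", "POE-028"}  # PC-007 permissions
ATTENDING_IN_ER = {"POE-005", "POE-006", "POE-017"}                          # PC-002 permissions

@dataclass
class Request:
    user: str
    roles: frozenset     # roles the user is acting in
    permission: str      # permission ID, e.g. "POE-028"
    location: str        # e.g. "ER"
    now: str             # wall-clock time as "HH:MM"

def check_sod(req):
    # Separation of duties: no user may hold two mutually exclusive roles at once
    return not any(pair <= req.roles for pair in MUTUALLY_EXCLUSIVE)

def check_cardinality(req):
    # PC-006: a capped role can be exercised only by a current holder or when a slot is free
    for role, cap in MAX_HOLDERS.items():
        holders = ACTIVE_HOLDERS.get(role, set())
        if role in req.roles and req.user not in holders and len(holders) >= cap:
            return False
    return True

def check_time(req):
    # PC-007: a Charge Nurse holds pharmacy override permissions only while the pharmacy is closed
    if "Charge Nurse" in req.roles and req.permission in PHARMACY_OVERRIDE:
        start, end = PHARMACY_HOURS
        pharmacy_open = PHARMACY_24H or start <= time.fromisoformat(req.now) < end
        return not pharmacy_open
    return True

def check_location(req):
    # PC-002: a Resident may exercise these Attending permissions only in the ER
    if "Resident" in req.roles and req.permission in ATTENDING_IN_ER:
        return req.location == "ER"
    return True

CHECKS = [("SoD", check_sod), ("PC-006", check_cardinality), ("PC-007", check_time), ("PC-002", check_location)]

def evaluate(req):
    """Return the IDs of the constraints that deny the request; an empty list means permit."""
    return [cid for cid, check in CHECKS if not check(req)]
```

A denial lists every violated constraint, which is what an auditor wants recorded rather than only the first failing check.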
Page 13
Emergency Access
Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and applications in emergency conditions.
Page 14
Emergency Access*
Security Environment
Primary need is to address a lack of sufficient authorization for legitimate care providers where the situation requires immediate delegation.
*There are no established standards for emergency access.
Page 15
Emergency Access
Enforce security constraints which:
Audit (at each step, indicate use of Emergency Access)
Notification of local and work security officers
User review
Be cautious of (tight) security constraints which lead to:
Ineffective use of the Healthcare Information system
Risk to patient health, treatment, safety
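As an added example, not from the slides, the following Python sketches a break-glass path that satisfies the three requirements just listed: every step is audited and tagged as Emergency Access, local and work security officers are notified, and the event is queued for user review. The officer names, the ordinary role/permission table, the eligible roles and the patient identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Constructed break-glass flow for the slide's three requirements: audit every step
# (tagged Emergency Access), notify local and work security officers, queue for user
# review. Officers, the ordinary role table and eligible roles are assumptions.
SECURITY_OFFICERS = ("local-iso", "work-iso")
ROLE_PERMISSIONS = {"Attending": {"POE-028"}, "Charge Nurse": set()}   # assumed ordinary RBAC table
EMERGENCY_ELIGIBLE = {"Attending", "Charge Nurse", "Resident"}        # assumed: care-provider roles only

@dataclass
class AccessLog:
    audit: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    review_queue: list = field(default_factory=list)

def ordinary_decision(roles, permission):
    # The normal RBAC decision; emergency access is consulted only when this denies
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def emergency_access(log, user, roles, permission, patient, justification):
    """Return True if access is granted, either ordinarily or via emergency access."""
    if ordinary_decision(roles, permission):
        return True
    def audit(event):
        # Each step records that it happened under Emergency Access
        log.audit.append({"mode": "EMERGENCY_ACCESS", "user": user,
                          "permission": permission, "patient": patient, "event": event})
    audit("requested: " + (justification or "<none>"))
    if not justification or not EMERGENCY_ELIGIBLE & set(roles):
        audit("denied: missing justification or ineligible role")
        return False
    audit("granted")
    for officer in SECURITY_OFFICERS:
        log.notifications.append((officer, f"{user} invoked emergency access to {permission} for {patient}"))
    audit("security officers notified")
    log.review_queue.append({"user": user, "permission": permission, "patient": patient, "reviewed": False})
    audit("queued for user review")
    return True

def close_review(log, user, patient, reviewer, outcome):
    """Mark pending emergency events for this user/patient as reviewed; return how many were closed."""
    closed = 0
    for item in log.review_queue:
        if item["user"] == user and item["patient"] == patient and not item["reviewed"]:
            item.update(reviewed=True, reviewer=reviewer, outcome=outcome)
            closed += 1
    return closed
```

The justification is required but never evaluated at request time, so the path stays open for a legitimate provider while the audit trail and review queue carry the accountability.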
Page 16
RBAC Newsletter
Abstract reviews of Role Based Access Control documentation from around the world. Released quarterly. Includes Security/RBAC related meeting updates and RBAC Task Force meeting briefs.
http://www.va.gov/RBAC/newsletters.asp
Page 17
HL7 RBAC Documentation
Latest Versions of:
HL7 RBAC Healthcare Permission Catalog
HL7 RBAC Role Engineering Process
HL7 RBAC Role Engineering Process – Applied Example
HL7 RBAC Healthcare Scenarios
HL7 Healthcare Scenario Roadmap
Page 18
RBAC Website
The RBAC Website provides authoritative documentation on:
RBAC Engineering Processes
RBAC Task Force Artifacts
RBAC Newsletters
HL7 RBAC Collaborative and Balloted Documentation
Archived RBAC Presentations
Other SDO, VHA RBAC Collaborative Papers and Links
http://www.va.gov/RBAC/index.asp
Page 19
Role Based Access Control (RBAC)
Q & A
Page 20
Constraint
Other constraints Neumann-Strembeck:
X1 X2 X3
Ahn-Shin
Crampton…?