Role Based Access Control Update - PowerPoint PPT Presentation

Description:

Change/Discontinue Inpatient. Medication Order. POE-008. New Inpatient Medication Order ... Change/Discontinue/Refill Outpatient. Prescription Order. POE-006 ...

Slides: 19
Provided by: suzannegon4
Transcript and Presenter's Notes

1
Role Based Access Control Update
Presented by Suzanne Gonzales-Webb, CPhT, VHA Office of Information Standards
HL7 Working Group Meeting, San Diego, CA - January 2007
2
Agenda
  • Constraints
  • Emergency Access
  • RBAC Quarterly Newsletter
  • HL7 RBAC Documentation
  • RBAC Website
  • Q&A

3
Constraint Catalog
  • Constraints are restrictions that are enforced
    upon access permissions.
  • Supporting the central ideas of constraints on an
    RBAC model will allow for higher flexibility.
    - Neumann & Strembeck

4
Constraint Types
  • Cardinality -
    • Occurs when there is a limit of a certain number
      of users (persons, roles) who may be holding the
      permission at any one time.

5
Constraint Types contd.
  • Separation of duties -
    • Occurs when the same user cannot hold two
      related permissions at the same time.
    • A user may be in one role, but not in another,
      mutually exclusive role.
    • Prevents a person from submitting and approving
      his or her own request.

6
Constraint Catalog
  • Separation of duties - (continued)
    • Sensitive combinations of duties are partitioned
      between different individuals in order to prevent
      the violation of business rules.

7
Constraint Types contd.
  • Time-dependency -
    • Creates a time of day/time dependence on the
      person/role holding the permission.

8
Constraint Types contd.
  • Location -
    • Creates a location requirement for the person
      holding the permission.

9
Constraint Catalog - Process
  • STEP 1 - Review each permission and identify
    applicable obstacle or constraint(s). Note that
    not all permissions will have an applicable
    constraint.
  • STEP 2 - For each permission, record the
    associated constraint(s) if applicable (verify
    constraint vs business rule, constraint
    conditions and brief description) and include
    factors which make it differ from a business
    rule.
  • STEP 3 - Identify Constraint Type (cardinality,
    separation of duty, time, location).
  • STEP 4 - Assign a Constraint ID.

10
Constraint Table
  • ID (xy-nnn) Legend
    • x = P (permission)
    • y = C (constraint identifier)
    • nnn = Sequential number starting at 001
  • Unique Permission ID - refers to the identifier
    assigned to the abstract permission name
  • Unique Permission-Constraint ID - refers to the
    identifier assigned to the permission constraint
  • Constraint Type - refers to the constraint
    definition as described in Table 1
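
The four constraint types and the PC-nnn ID legend above, combined in an added example that is not part of the original presentation: a small Python check that evaluates a constraint catalog before a user takes a permission. The permission names, limits, hours and sites are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import time

ID_FORMAT = re.compile(r"^PC-\d{3}$")  # xy-nnn legend: P, C, sequential number

@dataclass(frozen=True)
class Constraint:
    cid: str         # Permission-Constraint ID, e.g. "PC-001"
    permission: str  # permission the constraint applies to (constructed names)
    ctype: str       # "cardinality" | "separation_of_duty" | "time" | "location"
    param: object    # limit, conflicting permission, (start, end), or set of sites

def check(catalog, holders, user, permission, now, site):
    """Return the IDs of constraints that block `user` from taking `permission`.

    holders maps permission -> set of users holding it right now.
    """
    blocked = []
    for c in catalog:
        if c.permission != permission:
            continue
        if not ID_FORMAT.match(c.cid):
            raise ValueError(f"bad constraint ID: {c.cid}")
        current = holders.get(permission, set())
        if c.ctype == "cardinality":         # limit on simultaneous holders
            ok = user in current or len(current) < c.param
        elif c.ctype == "separation_of_duty":  # must not hold the related permission
            ok = user not in holders.get(c.param, set())
        elif c.ctype == "time":              # same-day window only (no midnight wrap)
            start, end = c.param
            ok = start <= now <= end
        elif c.ctype == "location":          # requester must be at an allowed site
            ok = site in c.param
        else:
            raise ValueError(f"unknown constraint type: {c.ctype}")
        if not ok:
            blocked.append(c.cid)
    return blocked

# Constructed catalog; permission names and limits are illustrative only.
CATALOG = [
    Constraint("PC-001", "approve-order", "separation_of_duty", "submit-order"),
    Constraint("PC-002", "approve-order", "cardinality", 2),
    Constraint("PC-003", "approve-order", "time", (time(7, 0), time(19, 0))),
    Constraint("PC-004", "approve-order", "location", {"pharmacy", "ward-3"}),
]
HOLDERS = {"submit-order": {"alice"}, "approve-order": {"bob", "carol"}}
```

Returning the blocking constraint IDs rather than a bare yes/no gives the audit trail something specific to record for each denied request.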

11
Constraint Table - Example
12
Emergency Access
  • Granting of user rights and authorizations to
    permit access to Protected Health Information
    (PHI) and application in emergency conditions.

13
Emergency Access
  • Security Environment
    • Primary need is to address a lack of
      sufficient authorization for legitimate care
      providers where the situation requires
      immediate delegation.
    • There are no established standards for emergency
      access.

14
Emergency Access
  • Enforce security constraints which involve:
    • Audit (at each step, indicate use of Emergency
      Access)
    • Notification of local and work security officers
    • User review
  • Be cautious of (tight) security constraints which
    lead to:
    • Ineffective use of the Healthcare Information
      system
    • Risk to patient health, treatment, safety

15
RBAC Newsletter
  • Abstract reviews of Role Based Access Control
    documentation from around the world. Released
    Quarterly. Includes Security/RBAC related meeting
    updates and RBAC Task Force meeting briefs.
  • http://www.va.gov/RBAC/newsletters.asp

16
HL7 RBAC Documentation
  • Latest Versions of:
    • HL7 RBAC Healthcare Permission Catalog
    • HL7 RBAC Role Engineering Process
    • HL7 RBAC Role Engineering Process Applied
      Example
    • HL7 RBAC Healthcare Scenarios
    • HL7 Healthcare Scenario Roadmap

17
RBAC Website
  • The RBAC Website provides authoritative
    documentation on:
    • RBAC Engineering Processes
    • RBAC Task Force Artifacts
    • RBAC Newsletters
    • HL7 RBAC Collaborative and Balloted Documentation
    • Archived RBAC Presentations
    • Other SDO, VHA RBAC Collaborative Papers and
      Links
  • http://www.va.gov/RBAC/index.asp

18
Role Based Access Control (RBAC)
  • Q&A