Distributed Medical Environment Database Access Control (DIMEDAC)

Post on 22-Feb-2016


Distributed Medical Environment Database

Access Control (DIMEDAC)

By

M. Gharib

H. Salemi

F. Khodadadi

In the name of God


Outline

Introduction to DIMEDAC

DIMEDAC components

Determining user authorization

Algorithms

◦ Static

◦ Dynamic


DIMEDAC

The DIMEDAC security policy provides:

◦ a role-based authorization mechanism for accessing data, in which the decision also depends on the particular value of the user's location;

◦ protection of the privacy of patients in distributed medical databases.


DIMEDAC

It combines the advantages of both the DAC and MAC policies.

Protection of global objects from access by global subjects is achieved with the location control concept.

The access control mechanisms used in DIMEDAC are the hyper node hierarchies.


Hyper Node Hierarchies

A Hyper Node Hierarchy (HNH) is a group of hyper nodes. Each hyper node is connected to another hyper node by a branch or a link.

A branch connects a node with its ancestor in the level above.

Links are connections between nodes of the same level.


Hyper Node Hierarchies…

◦ User Role Hierarchy (URH)

◦ Data Set Hierarchy (DSH)

◦ User Location Hierarchy (ULH)


Determining User Authorizations

Three Dimension Access-Matrix (3DAM)


Algorithms

◦ Static algorithm

◦ Dynamic algorithm


Static Algorithm

Insert {UR, UL, DS, ACCESS} (ACCESS is the access mode, written AM in the steps below)

Step 1: If the data set DS has descendants in the DSH, then for each descendant a new entry is automatically inserted (if there isn't one already) having the same UR, UL and AM.

Step 2: If the user location UL has descendants in the ULH, then for each descendant all of the above entries are automatically inserted (if there isn't one already) having the same UR, DS and AM.

Step 3: If the user role UR has ancestors in the URH, then for each ancestor all of the above entries are automatically inserted (if there isn't one already) having the same UL, DS and AM.


Example

Insert: {D, C12111, HE, Select}

Step 1 (descendants HEC, HEL and HEX of HE in the DSH): {D, C12111, HEC, Select} {D, C12111, HEL, Select} {D, C12111, HEX, Select}

Step 2 (ancestor M of D in the URH): {M, C12111, HE, Select} {M, C12111, HEC, Select} {M, C12111, HEL, Select} {M, C12111, HEX, Select}

Step 3 (descendants S121111 and S121112 of C12111 in the ULH): {D, S121111, HE, Select} {D, S121111, HEC, Select} {D, S121111, HEL, Select} {D, S121111, HEX, Select} {M, S121111, HE, Select} {M, S121111, HEC, Select} {M, S121111, HEL, Select} {M, S121111, HEX, Select} {D, S121112, HE, Select} {D, S121112, HEC, Select} {D, S121112, HEL, Select} {D, S121112, HEX, Select} {M, S121112, HE, Select} {M, S121112, HEC, Select} {M, S121112, HEL, Select} {M, S121112, HEX, Select}

Note that the example applies the user-role step before the user-location step, the reverse of the order given in the algorithm; the resulting set of 24 entries (the inserted one plus 23 derived ones) is the same either way.


Dynamic Algorithm

Step 1: For every descendant UR' of the user role UR (including UR itself), a search for all relevant quadruples (having the same UR') in the 3DAM is performed. If no quadruples are found, the access request is denied. If the result set contains an entry {UR', UL', DS', AM'} where UL'=UL, DS'=DS and AM'=AM, the access request is permitted. Otherwise, the following step is performed for each quadruple found.

Step 2: For every ancestor UL'' of the user location UL' (including UL' itself) of the quadruple found, a search for all relevant quadruples (having the same UR' and UL'') in the 3DAM is performed. If no quadruples are found, the access request is denied. If the result set contains an entry {UR', UL'', DS'', AM''} where DS''=DS and AM''=AM, the access request is permitted. Otherwise, the following step is performed for each quadruple found.


Dynamic Algorithm…

Step 3: For every ancestor DS''' of the data set DS'' (including DS'' itself) of the quadruple found, a search for all relevant quadruples (having the same UR', UL'' and DS''') in the 3DAM is performed. If no quadruples are found, the access request is denied. If the result set contains an entry {UR', UL'', DS''', AM'''} where AM'''=AM, the access request is permitted. Otherwise, the access request is denied.

Example: evaluating an access request

Request: { N, D2111, HEX, Select }

Step 1 searches the quadruples of the user role N and of its descendant roles NO, NH and NT:

Request: { {N|NO|NH|NT}, D2111, HEX, Select }

Step 2 extends the search to the ancestor location H211 of D2111:

Request: { {N|NO|NH|NT}, {D2111|H211}, HEX, Select }

Step 3 extends the search to the ancestor data set HE of HEX:

Request: { {N|NO|NH|NT}, {D2111|H211}, {HEX|HE}, Select }
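The following Python is an added illustration, not code from these slides or from Mavridis et al.: it models the 3DAM as a set of {UR, UL, DS, AM} quadruples and implements both the static insert algorithm (with the slide's {D, C12111, HE, Select} example) and the dynamic request-evaluation algorithm (with the {N, D2111, HEX, Select} walkthrough above). The three hierarchies are constructed from the nodes the slides name; the placement of N beside D under M in the URH and of C12111 under D2111 in the ULH, and the single explicit quadruple used for the request walkthrough, are assumptions. In the dynamic algorithm the ancestors searched in steps 2 and 3 are taken of the requested location and data set, which is how the expansions {D2111|H211} and {HEX|HE} on the request slides read.

```python
from collections import deque

# Constructed hierarchies, written parent -> children (the "branches" of each
# hyper node hierarchy). Only nodes the slides name appear; the links between
# N and M in the URH and between C12111 and D2111 in the ULH are ASSUMED.
URH = {"M": ["D", "N"], "N": ["NO", "NH", "NT"]}                     # user roles
ULH = {"H211": ["D2111"], "D2111": ["C12111"],
       "C12111": ["S121111", "S121112"]}                              # user locations
DSH = {"HE": ["HEC", "HEL", "HEX"]}                                  # data sets


def descendants(hierarchy, node):
    """Every node below `node`, following branches downward, transitively."""
    found, todo = [], deque(hierarchy.get(node, []))
    while todo:
        n = todo.popleft()
        found.append(n)
        todo.extend(hierarchy.get(n, []))
    return found


def ancestors(hierarchy, node):
    """Every node above `node`, following branches upward to the root."""
    parent_of = {c: p for p, children in hierarchy.items() for c in children}
    found = []
    while node in parent_of:
        node = parent_of[node]
        found.append(node)
    return found


def static_insert(tdam, ur, ul, ds, am):
    """Static algorithm: insert {UR, UL, DS, AM} into the 3DAM (modelled as a
    set of quadruples) and materialise every entry it implies. Returns the
    entries that were not already present."""
    entries = {(ur, ul, ds, am)}
    # Step 1: each descendant data set gets an entry with the same UR, UL, AM
    entries |= {(ur, ul, d, am) for d in descendants(DSH, ds)}
    # Step 2: each descendant location gets a copy of all entries so far
    so_far = set(entries)
    entries |= {(r, l, d, a) for l in descendants(ULH, ul) for (r, _, d, a) in so_far}
    # Step 3: each ancestor role gets a copy of all entries so far
    so_far = set(entries)
    entries |= {(r, l, d, a) for r in ancestors(URH, ur) for (_, l, d, a) in so_far}
    new = entries - tdam            # "if there isn't one already"
    tdam |= new
    return new


def dynamic_check(tdam, ur, ul, ds, am):
    """Dynamic algorithm: decide the request {UR, UL, DS, AM} against a 3DAM
    that holds only explicitly inserted quadruples. Returns (decision, step)."""
    # Step 1: quadruples of UR or of any descendant role
    roles = [ur] + descendants(URH, ur)
    found = {q for q in tdam if q[0] in roles}
    if not found:
        return ("denied", 1)
    if any(q[1:] == (ul, ds, am) for q in found):
        return ("permitted", 1)
    # Step 2: keep those at UL or at any ancestor location
    locations = [ul] + ancestors(ULH, ul)
    found = {q for q in found if q[1] in locations}
    if not found:
        return ("denied", 2)
    if any(q[2:] == (ds, am) for q in found):
        return ("permitted", 2)
    # Step 3: keep those for DS or for any ancestor data set; an empty result
    # or a result with only other access modes both end in denial
    data_sets = [ds] + ancestors(DSH, ds)
    found = {q for q in found if q[2] in data_sets}
    if any(q[3] == am for q in found):
        return ("permitted", 3)
    return ("denied", 3)


if __name__ == "__main__":
    tdam = set()
    new = static_insert(tdam, "D", "C12111", "HE", "Select")
    print(len(new), "entries materialised by the static insert")
    # A constructed 3DAM holding one explicit quadruple, for the request walkthrough
    explicit = {("N", "H211", "HE", "Select")}
    for request in [("N", "D2111", "HEX", "Select"), ("N", "D2111", "HEX", "Update")]:
        print(request, "->", dynamic_check(explicit, *request))
```

The static insert materialises the 24 entries of the slide's example, and a request for one of them (say {M, S121112, HEX, Select}) is then settled at step 1 of the dynamic check, while a request by N for the same data is denied because no entry was ever derived for N. The two algorithms agree on the same grant: evaluated dynamically against the single explicit entry {D, C12111, HE, Select}, the request {M, S121111, HEX, Select} is permitted at step 3, and that is exactly one of the quadruples the static insert materialised.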

References

Mavridis, I., Pangalos, G., Khair, M. and Bozios, L., 1999, "Defining Access Control Mechanisms for Privacy Protection in Distributed Medical Databases", Proceedings of the IFIP Working Conference on User Identification and Privacy Protection, Sweden.

Mavridis, I. and Pangalos, G., "Determining User Authorizations in Distributed Database Systems", Proceedings of the 8th Conference on Informatics, Volume 1, Nicosia, Cyprus, November 2001, ISBN 960-14-0459-7.


Thanks
