role based access control update
DESCRIPTION
Role Based Access Control Update. Presented by: Suzanne Gonzales-Webb, CPhT VHA Office of Information Standards. HL7 Working Group Meeting San Diego, CA - January 2007. Agenda. Constraints Emergency Access RBAC Quarterly Newsletter HL7 RBAC Documentation RBAC Website Q&A. - PowerPoint PPT PresentationTRANSCRIPT
Role Based Access Control Update
HL7 Working Group Meeting San Diego, CA - January 2007
Presented by:
Suzanne Gonzales-Webb, CPhTVHA Office of Information
Standards
2
Agenda
Constraints
Emergency Access
RBAC Quarterly Newsletter
HL7 RBAC Documentation
RBAC Website
Q&A
3
Constraint Catalog
Constraints are restrictions that are enforced upon access permissions.
Supporting the central ideas of constraints on an RBAC model will allow for higher flexibility. -Neumann Strembeck
4
Constraint Types
Cardinality -
Occurs when there is a limit of a certain number of users (persons, roles) who may be holding the permission at any one time.
5
Constraint Types cont’d.
Separation of duties -
Occurs when the same user cannot hold tworelated permissions at the same time:
A user may be in one role, but not in another mutually exclusive.
Prevents a person from submitting and approving his or her own request.
6
Constraint Catalog
Separation of duties - (continued)
Sensitive combination duties are partitioned between different individual in order to prevent the violation of business rules
7
Constraint Types cont’d.
Time-dependency -
Creates a time of day/time dependence on the person/role holding the permission.
8
Constraint Types cont’d.
Location -
Creates a location requirement for the person holding the permission.
9
.
.
10
Constraint Catalog - Process
STEP 1 Review each permission and identify applicable obstacle or constraint(s). Note that not all permissions will have an applicable constraint.
STEP 2 For each permission, record the associated constraint(s) if applicable (verify ‘constraint’ vs ‘business rule’, constraint conditions and brief description) include factors which make it differ from a business rule.
STEP 3 Identify Constraint Type (cardinality, separation of duty, time, location).
STEP 4 Assign a Constraint ID.
11
Constraint Table
ID (xy-nnn) Legend:x = P (permission)y = C (constraint identifier)nnn = Sequential number starting at
001
Unique Permission ID - refers to the identifier assigned to the abstract permission name
Unique Permission-Constraint ID – refers to the identifier assigned to the permission constraint
Constraint Type – refers to the constraint definition as described in Table 1
12
Constraint Table - Example
UniquePermission
Constraint ID
Permission ConstraintDescription
ConstraintType
PermissionID Permission Name
PC-002 (incomplete Permission_ID, Names)
A Resident may operate in ERas an Attending
Location POE-005 New/Renew Outpatient PrescriptionOrder
POE-006 Change/Discontinue/Refill OutpatientPrescription Order
POE-017 New Verbal and Telephone Order
PC-006 Only one (1) physician may beacting as Chief of Medical Recordsat any given time
Cardinality POE-028 Release Orders
PC-007 In the event that a Hospital orClinic Pharmacy does not have 24 hour service. A Charge Nursemay have access to some of thepharmacy override privileges. (i.e.verify orders) During regular pharmacy hours, the ChargeNurse would normally not havethese permission (s)
Time-Dependency
POE-005 New/Renew Outpatient PrescriptionOrder
POE-006 Change/Discontinue/Refill OutpatientPrescription Order
POE-007 New Inpatient Medication Order
POE-008 Change/Discontinue InpatientMedication Order
POE-028 Release Orders
13
Emergency Access
Granting of user rights and authorizations to permit access to Protected Health Information (PHI) and application in emergency conditions.
14
Emergency Access*
Security Environment
Primary need is to address a lack of sufficientauthorization for legitimate care providerswhere the situation requires immediatedelegation.
*There are no established standards for emergency access.
15
Emergency Access
Enforce security constraints which: Audit (at each step, indicate use of Emergency Access) Notification of local and work security officers User review
Be cautious of (tight) security constraints which lead to:
Ineffective use of the Healthcare Information system Risk to patient health, treatment, safety
16
RBAC Newsletter
Abstract reviews of Role Based Access
Control documentation from around the
world. Released Quarterly. Includes
Security/RBAC related meeting updates and
RBAC Task Force meeting briefs.
http://www.va.gov/RBAC/newsletters.asp
17
HL7 RBAC Documentation
Latest Versions of:
HL7 RBAC Healthcare Permission Catalog HL7 RBAC Role Engineering Process HL7 RBAC Role Engineering Process –
Applied Example HL7 RBAC Healthcare Scenarios HL7 Healthcare Scenario Roadmap
18
RBAC Website
The RBAC Website provides authoritativedocumentation on:
RBAC Engineering Processes RBAC Task Force Artifacts RBAC Newsletters HL7 RBAC Collaborative and Balloted Documentation Archived RBAC Presentations Other SDO, VHA RBAC Collaborative Papers and Links
http://www.va.gov/RBAC/index.asp
Role Based Access Control (RBAC)
Q & A
20
Constraint
Other constraints Neumann-Strembeck:
X1 X2 X3
Ahn-Shin
Crampton…?