Role-Based Access Control Requirements Model with Purpose Extension

Role-Based Access Control (RBAC) is increasingly used for ensuring security and privacy in complex organizations such as healthcare institutions. In RBAC, access permissions are granted to an individual based on her defined roles. Much work has been done on the specification of RBAC models for enforcing access control; however, in order to arrive at appropriate choices of access control for particular roles and individuals in an organization, we need models at the requirements level to support elicitation and analysis. Crook et al. [3] have provided a requirements-level model for RBAC, defining access to an information asset based on role, responsibility, operation, and context. We extend the Crook model to include a purpose hierarchy in order to meet the needs of privacy requirements. Access to health records is used as the example domain.

[1] Ravi S. Sandhu, et al. Role-Based Access Control Models, 1996, Computer.

[2] Ravi S. Sandhu, et al. The NIST model for role-based access control: towards a unified standard, 2000, RBAC '00.

[3] Seng-Phil Hong, et al. Access control in collaborative systems, 2005, CSUR.

[4] A. Finkelstein, et al. A comedy of errors: the London Ambulance Service case study, 1996, Proceedings of the 8th International Workshop on Software Specification and Design.

[5] Bashar Nuseibeh, et al. Modelling access policies using roles in requirements engineering, 2003, Inf. Softw. Technol.

[6] Gregory D. Abowd, et al. Securing context-aware applications using environment roles, 2001, SACMAT '01.

[7] Ravi S. Sandhu, et al. Conceptual foundations for a model of task-based authorizations, 1994, Proceedings The Computer Security Foundations Workshop VII.

[8] Patrick C. K. Hung, et al. Health Insurance Portability and Accountability Act (HIPPA) Compliant Access Control Model for Web Services, 2006, Int. J. Heal. Inf. Syst. Informatics.

[9] Jonathan D. Moffett, et al. Control principles and role hierarchies, 1998, RBAC '98.

[10] Michelle Watson. Mobile healthcare applications: a study of access control, 2006, PST.

[11] R. Califf, et al. Health Insurance Portability and Accountability Act (HIPAA): must there be a trade-off between privacy and quality of health care, or can we advance both?, 2003, Circulation.

[12] Roshan K. Thomas, et al. Flexible team-based access control using contexts, 2001, SACMAT '01.