An Event-Based, Role-Based Authorization Model for Healthcare Workflow Systems

Authorization and access control are of primary importance in healthcare workflow environments. Although task dependencies in the workflow give rise to the need for a specific ordering of task executions, it is authorization that determines who can execute the various tasks that comprise the workflow and what information can be accessed during task executions. Furthermore, a challenge of workflow security is to enforce the least privilege principle (i.e., users receive only the minimum permissions required to perform a task) throughout workflow execution in order to reduce the risk of compromising information integrity during task executions. However, adherence to the least privilege principle often requires the enforcement of dynamic, contextual constraints so that authorizations for access to data during task executions are granted to and revoked from users dynamically. This paper discusses an event-based, role-based workflow authorization model and mechanism that addresses this issue. In particular, the model augments the capabilities of traditional role-based access control (RBAC) models by allowing user roles to change dynamically during workflow execution based on the occurrence of specific events. This prevents users from acquiring unnecessary privileges during workflow task executions and, hence, synchronizes authorization flow with the progression of the workflow.
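The sketch below illustrates the idea of event-driven role activation described in the abstract. It is an added example, not the paper's model or mechanism. The workflow, users, role names, task names, event names and rule table are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed role -> permission map for a hypothetical referral workflow.
ROLE_PERMS = {
    "referring_physician": {("order", "write"), ("history", "read")},
    "radiologist": {("order", "read"), ("report", "write")},
}

# Constructed event rules: (event, task) -> (role to activate, role to deactivate).
RULES = {
    ("task_started", "issue_order"): ("referring_physician", None),
    ("task_completed", "issue_order"): (None, "referring_physician"),
    ("task_started", "write_report"): ("radiologist", None),
    ("task_completed", "write_report"): (None, "radiologist"),
}

@dataclass
class WorkflowInstance:
    assigned: dict                              # user -> roles the user MAY hold (static RBAC)
    active: dict = field(default_factory=dict)  # user -> roles active right now

    def on_event(self, event, task, user):
        """Activate or deactivate a role when a workflow event occurs."""
        activate, deactivate = RULES.get((event, task), (None, None))
        roles = self.active.setdefault(user, set())
        # An event can only activate a role the user was statically assigned.
        if activate and activate in self.assigned.get(user, set()):
            roles.add(activate)
        if deactivate:
            roles.discard(deactivate)

    def check(self, user, obj, op):
        """Access decision based on currently active roles only."""
        return any((obj, op) in ROLE_PERMS[r] for r in self.active.get(user, ()))

def demo():
    wf = WorkflowInstance(assigned={"alice": {"referring_physician"},
                                    "bob": {"radiologist"}})
    trace = [wf.check("alice", "order", "write")]          # task not started: denied
    wf.on_event("task_started", "issue_order", "alice")
    trace.append(wf.check("alice", "order", "write"))      # during the task: allowed
    wf.on_event("task_completed", "issue_order", "alice")
    trace.append(wf.check("alice", "order", "write"))      # task done: revoked
    wf.on_event("task_started", "write_report", "alice")   # alice lacks this role
    trace.append(wf.check("alice", "report", "write"))     # still denied
    wf.on_event("task_started", "write_report", "bob")
    trace.append(wf.check("bob", "report", "write"))       # allowed for bob
    return trace
```

The access decision consults only the active role set, so a permission exists for a user only between the start and completion events of the task that needs it.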
