Context and Role Based Hybrid Access Control for Collaborative Environments

Role-based mechanisms usually provide a sufficient way to establish access control in most information systems. Passive security permission assignment cannot however support efficiently the dynamic aspects of many modern information systems. Health Care information systems provide a good example of such an environment. In dynamically changing clinical workflow environments there is a need for active security permission activation. In order to address this problem we propose to utilize the concept of a clinical task, together with a number of factors that characterize clinical activities for particular patient cases. The specific values of those factors form a context that could identify particular clinical tasks. In every clinical task a number of users might be involved that collaborate for taking care of a particular patient. However, the assignment of a number of different contexts to each one user usually causes a significant administrative overhead. This could be eliminated by using the team concept in a similar way as roles. The participation of particular users in teams is based on their assigned roles already defined. The role-based permission set of a particular user is a combination of the permissions of all the roles activated by the users participating in the same team. The final permission set of the user is derived by applying the team context in order to filter the role-based permission set and let only the tuples of particular patients to be accessed during the execution of his task. Our approach is implemented as an extension to our existing eMEDAC security policy we have developed and implemented already for use in health care environments.