Search results

An electronic health record (EHR) enables clinicians to access and share patient information electronically and has the ultimate goal of improving the delivery of healthcare. However, this can create security and privacy risks to patient information. This paper aims to present a model for securing the EHR based on role-based access control (RBAC), attribute-based access control (ABAC) and the Clark-Wilson model.

A systematic literature review was conducted which resulted in the collection of secondary data that was used as the content analysis sample. Using the MAXQDA software program, the secondary data was analysed quantitatively using content analysis, resulting in 2,856 tags, which informed the discussion. An expert review was conducted to evaluate the proposed model using an evaluation framework.

The study found that a combination of RBAC, ABAC and the Clark-Wilson model may be used to secure the EHR. While RBAC is applicable to healthcare, as roles are linked to an organisation’s structure, its lack of dynamic authorisation is addressed by ABAC. Additionally, key concepts of the Clark-Wilson model such as well-formed transactions, authentication, separation of duties and auditing can be used to secure the EHR.

Although previous studies have been based on a combination of RBAC and ABAC, this study also uses key concepts of the Clark-Wilson model for securing the EHR. Countries implementing the EHR can use the model proposed by this study to help secure the EHR while also providing EHR access in a medical emergency.

Proposes an object‐oriented role‐based access control (ORBAC) model to efficiently represent the real world. Though ORBAC is a good model, administration of ORBAC, including creating and maintaining an access control security policy, still remains a challenging problem. Presents a practical method that can be employed in an enterprise environment to manage security policies using eXtensible Markup Language (XML). Based on ORBAC security policy expressed in XML, a role assignment algorithm is presented. The computation complexity of the algorithms is O(N) where n is the number of position roles in a user’s assigned position role scope.

Information flow analysis is a necessary step to determine the information security for a given system. In this paper, we introduce an object oriented role‐based access control model (ORBAC) and illustrate that the confinement problem may occur on the ORBAC based system. In order to deal with the problem, a technique called information flow analysis is proposed. Moreover, under the principle of mandatory access control (MAC) security policy, a role set assignment method is developed and proved to solve the confinement problem on ORBAC.

The goal of this paper is to propose a data access control framework that is used for editing MARC‐based bibliographic databases. In cases where the bibliographic record editing activities carried out in libraries are complex and involve many people with different skills and expertise, a way of managing the workflow and data quality is needed. Enforcing access control can contribute to these goals.

The proposed solution for data access control enforcement is based on the well‐studied standard role‐based access control (RBAC) model. The bibliographic data, for the purpose of this system, is represented using the XML language. The software architecture of the access control system is modelled using the Unified Modelling Language (UML).

The access control framework presented in this paper represents a successful application of concepts of role‐based access control to bibliographic databases. The use of XML language for bibliographic data representation provides the means to integrate this solution into many different library information systems, facilitates data exchange and simplifies the software implementation because of the abundance of available XML tools. The solution presented is not dependent on any particular XML schema for bibliographic records and may be used in different library environments. Its flexibility stems from the fact that access control rules can be defined at different levels of granularity and for different XML schemas.

This access control framework is designed to handle XML documents. Library systems that utilise bibliographic databases in other formats not easily convertible to XML would hardly integrate the framework into their environment.

The use of an access control enforcement framework in a bibliographic database can significantly improve the quality of data in organisations where record editing is performed by a large number of people with different skills. The examples of access control enforcement presented in this paper are extracted from the actual workflow for editing bibliographic records in the Belgrade City Library, the largest public city library in Serbia. The software implementation of the proposed framework and its integration in the BISIS library information system prove the practical usability of the framework. BISIS is currently deployed in over 40 university, public, and specialized libraries in Serbia.

A proposal for enforcing access control in bibliographic databases is given, and a software implementation and its integration in a library information system are presented. The proposed framework can be used in library information systems that use MARC‐based cataloguing.

The majority of medium‐to‐large international organizations have adopted enterprise resource planning systems (ERPs) of which SAP R/3 is the current market leader. This paper proposes a framework for the separation of duties in SAP R/3. Separation of duties is viewed as a critical component of an organization’s internal control structure aimed primarily at reducing opportunities for fraudulent activities. R/3 assigns profiles consisting of authorizations to users. Accordingly, R/3 facilitates the implementation of “role‐based access control”, where these profiles may be designed consistent with organizational roles and assigned to users performing these roles. This paper proposes a framework for adequate separation of duties using a role‐based approach in the financial accounting (FI) module of the R/3 system. Case studies were undertaken to refine the framework and to explore its application in a practical environment. This empirical research provided support for the adequacy of the proposed framework.

The purpose of this paper is to consider the secure publishing of XML documents, where a single copy of an XML document is disseminated and a stated role‐based access control policy (RBACP) is enforced via selective encryption. It describes a more efficient solution over previously proposed approaches, in which both policy specification and key generation are performed once, at the schema‐level. In lieu of the commonly used super‐encryption technique, in which nodes residing in the intersection of multiple roles are encrypted with multiple keys, it describes a new approach called multi‐encryption that guarantees each node is encrypted at most once.

This paper describes two alternative algorithms for key generation and single‐pass algorithms for multi‐encrypting and decrypting a document. The solution typically results in a smaller number of keys being distributed to each user.

The paper proves the correctness of the presented algorithms, and provides experimental results indicating the superiority of multi‐encryption over super‐encryption, in terms of encryption and decryption time requirements. It also demonstrates the scalability of the approach as the size of the input document and complexity of the schema‐level RBACP are increased.

An extension of this work involves designing and implementing re‐usability of keyrings when a schema or ACP is modified. In addition, more flexible solutions for handling cycles in schema graphs are possible. The current solution encounters difficulty when schema graphs are particularly deep and broad.

The experimental results indicate that the proposed approach is scalable, and is applicable to scenarios in which XML documents conforming to a common schema are to be securely published.

This paper contributes to the efficient implementation of secure XML publication systems.

The paper aims to describe the results of a recent GridShibPERMIS project whose purpose was to provide policy‐driven role‐based access control decision‐making to grid jobs, in which the user's attributes are provided by an external Shibboleth Identity Provider (IdP).

This was achieved by integrating the identity‐federation and attribute‐assignment functions of Shibboleth and the policy‐based enforcement functions of PERMIS with the Grid job management functions of Globus Toolkit v4.

Combining the three technologies proved to be relatively easy due to the Policy Information Point (PIP) and Policy Decision Point (PDP) Java interfaces recently introduced into Globus Toolkit v4.

However, a number of limitations in the current Grid‐Shib implementation were revealed, namely: the lack of support for pseudonymous access to grid resources; scalability problems because only one issuer scope domain is supported and because name mappings have to be provided for each grid user; and the inability to collect a user's attributes from multiple IdPs for use in authorisation decision‐making.

This paper provides an overview of and describes the benefits of the three technologies (GT4, Shibboleth and PERMIS), shows how they may be combined to good effect via GT4's java interfaces, describes the limitations of the current GridShib implementation and suggests possible solutions and additional research that are needed in the future in order to address the current shortcomings.

Workflow systems are often associated with business process re‐engineering (BPR). This paper argues that the functional access control requirements in workflow systems are rooted in the scope of a BPR project. A framework for access control in workflow systems is developed. The framework suggests that existing role‐based access control mechanisms can be used as a foundation in workflow systems. The framework separates the administration‐time and the run‐time aspects. Key areas that must be investigated to meet the functional requirements imposed by workflow systems on access control services are identified.

The purpose of this paper is to create a model of role‐based access control (RBAC) based access control for virtual enterprise (VE).

An access control model for security and management of VE is presented by integrating generic structure of VE and applying the principles of RBAC. In addition, the application of the model to a supply chain‐oriented VE illustrates that a general access control scheme can ensure the running of VE.

A theory base of access control for the realization of the VE is found.

The paper presents a very useful new model of access control for VE. This paper is aimed at researchers and engineers.

The paper aims to propose a flexible framework to support X-STROWL model. Extensible access control markup language (XACML) is an international standard used for access control in distributed systems. However, XACML and its existing extensions are not sufficient to fulfill sophisticated security requirements (e.g. access control based on user’s roles, context-aware authorizations and the ability of reasoning). Remarkably, X-STROWL, a generalized extension of XACML for spatiotemporal role-based access control (RBAC) model with reasoning ability, is a comprehensive model that overcomes these shortcomings. It mainly focuses on the architecture design as well as the implementation and evaluation of proposed framework and the comparison with others.

Based on the concept of X-STROWL model, the paper reviewed a large amount of open sources implementing XACML with defined criteria and chose the most suitable framework to be extended for the implementation. The paper also presented a case study used to evaluate the research result.

Holistic enterprise-ready application security framework – architecture framework (HERAS-AF) is chosen as the most suitable framework to be extended to implement X-STROWL model. Extending HERAS-AF to support spatiotemporal aspect and other contextual conditions as well as the way to integrate security in the access request, together with ability of reasoning for hierarchical roles, are striking features that make the proposed framework able to meet more sophisticated security requirements in comparison with others.

Due to the research content, the performance of proposed framework is not the focused issue of this work.

The proposed framework is a crucial contribution of our research to provide a holistic, extensible and intelligent authorization decision engine.