Article

Free access

A case study in access control requirements for a Health Information System

Authors:

Serge BögeholzAuthors Info & Claims

ACSW Frontiers '04: Proceedings of the second workshop on Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation - Volume 32

Pages 53 - 61

Published: 01 January 2004 Publication History

Abstract

We present a detailed examination of the access constraints for a small real-world Health Information System with the aim of achieving minimal access rights for each of the involved principals. We show that, even for such a relatively simple system, the resulting constraints are very complex and cannot be expressed easily or clearly using the static per-method access control lists generally supported by component-based software. We derive general requirements for the expressiveness of access constraints and propose criteria for a more suitable access control mechanism in the context of component-based systems. We describe a two-level mechanism which can fulfil these criteria.

References

[1]

Beznosov, K., Deng, Y. (1999): A Framework for Implementing Role-based Access Control using CORBA Security Service, Proc. 4th ACM Workshop on Role-based access control, Fairfax.]]

Digital Library

[2]

Bögeholz, S. (2003): Access Control in a Distributed Health Information System: A Case Study, Masters Thesis, University of New England, Armidale.]]

[3]

Blakley, B., Blakley, R., Soley, R. M. (2000): CORBA Security: An Introduction to Safe Computing with Objects, Addison-Wesley.]]

Digital Library

[4]

Brose, G. (1999): A View-Based Access Control Model for CORBA, in: Jan Vitek, Christian Jensen (eds.), Secure Internet Programming: Security Issues for Mobile and Distributed Objects, LNCS 1603, Springer.]]

Digital Library

[5]

Eddon, G. (1999): The COM+ Security Model Gets You Out of the Security Programming Business, Microsoft Systems Journal, November.]]

[6]

Evered, M. (2002): Bracket Capabilities for Distributed Systems Security, Proc. 25th Australasian Computer Science Conference, Melbourne.]]

Digital Library

[7]

Evered, M. (2002): Opsis: A Distributed Object Architecture Based on Bracket Capabilities, Proc. Conference on Technology of Object-Oriented Languages and Systems, Sydney.]]

Digital Library

[8]

Evered, M. (2003): Flexible Enterprise Access Control with Object-oriented View Specifications, Australasian Information Security Workshop, Adelaide.]]

Digital Library

[9]

Fernandez, E. B., Larrondo-Petrie, M. M., Gudes, E., A. (1993): Model of Methods Access Authorization in Object-oriented Databases, Proc. of the 19th VLDB Conference, Dublin.]]

Digital Library

[10]

Gamma, E. et al. (1995): Design Patterns, Addison-Wesley.]]

[11]

Habermann, A. N., Campbell, R. H. (1974): The specification of process synchronization by path expressions, Lecture Notes on Computer Science, 16.]]

[12]

Hartman, B., Flinn, D. J., Benznosov, K. (2001): Enterprise Security with EJB and CORBA, Wiley.]]

Digital Library

[13]

Jones, A., Liskov, B. (1978): A language extension for expressing constraints on data access. Communications of the ACM, 21(5):358--367, May.]]

Digital Library

[14]

Keedy, J. L., Richards, I. (1982): A Software Engineering View of Files, Australian Computer Journal, 14, 2.]]

[15]

Keedy, J. L., et al. (2000): Software Reuse in an Object Oriented Framework: Distinguishing Types from Implementations and Objects from Attributes, Proc. Sixth International Conference on Software Reuse, Vienna.]]

Digital Library

[16]

Kiczales, G. et al. (1997): Aspect-oriented programming, Proc. European Conference for Object-Oriented Programming, Finland (Lecture Notes in Computer Science, vol. 1241). Springer.]]

[17]

Mishra, P., Eich, M. H. (1994): Taxonomy of views in OODBs, Proc. ACM Computer Science Conference.]]

Digital Library

[18]

Richardson, J., Schwarz, P., Cabrera, L. (1992): CACL: Efficient Fine-Grained Protection for Objects, Proc. OOPSLA Conference.]]

Digital Library

[19]

Rosenberg, J., Abramson, D. A. (1985): The MONADS Architecture: Motivation and Implementation, Proc. First Pan Pacific Computer Conference, p. 4/10--4/23.]]

[20]

Saltzer, J. H. (1973): Protection and the Control of Information Sharing in Multics, Symposium on Operating System Principles, Yorktown Heights, NY.]]

Digital Library

[21]

Wilkes, M. V., Needham, R. M. (1979): The Cambridge CAP Computer and its Operating System, North Holland.]]

Digital Library

Cited By

Krishnan PVorobyov K(2015)Enforcement of privacy requirementsComputers and Security10.1016/j.cose.2015.03.00452:C(164-177)Online publication date: 1-Jul-2015
https://dl.acm.org/doi/10.1016/j.cose.2015.03.004
Amthor PKühnhauser WPölck AConti MVaidya JSchaad A(2013)Heuristic safety analysis of access control modelsProceedings of the 18th ACM symposium on Access control models and technologies10.1145/2462410.2462413(137-148)Online publication date: 12-Jun-2013
https://dl.acm.org/doi/10.1145/2462410.2462413
Kulkarni DBertino ESandhu RBauer LPark J(2013)A fine-grained access control model for key-value systemsProceedings of the third ACM conference on Data and application security and privacy10.1145/2435349.2435370(161-164)Online publication date: 18-Feb-2013
https://dl.acm.org/doi/10.1145/2435349.2435370
Show More Cited By

Index Terms

A case study in access control requirements for a Health Information System
1. Applied computing
  1. Life and medical sciences
    1. Health care information systems
2. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Constraints-based access control
Das'01: Proceedings of the fifteenth annual working conference on Database and application security

The most important aspect of security in a database after establishing the authenticity of the user is its access control mechanism. The ability of this access control mechanism to express the security policy can make or break the system.This paper ...
Towards Attribute-Centric Access Control: an ABAC versus RBAC argument

Recent developments in attribute-based access control have fueled the conventional debate regarding the pros and cons of Attributes-based access control ABAC versus Role-based access control RBAC. However, existing arguments have been primarily focused ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed Systems

Role-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...

Comments

Information & Contributors

Information

Published In

cover image DL Hosted proceedings

ACSW Frontiers '04: Proceedings of the second workshop on Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation - Volume 32

January 2004

192 pages

Publisher

Australian Computer Society, Inc.

Australia

Publication History

Published: 01 January 2004

Author Tags

Qualifiers

Article

Conference

ACSW Frontiers '04

ACSW Frontiers '04: Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation

01 01 2004

Dunedin, New Zealand

Acceptance Rates

Overall Acceptance Rate 204 of 424 submissions, 48%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
2,562
Total Downloads

Downloads (Last 12 months)72
Downloads (Last 6 weeks)14

Reflects downloads up to 12 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

Krishnan PVorobyov K(2015)Enforcement of privacy requirementsComputers and Security10.1016/j.cose.2015.03.00452:C(164-177)Online publication date: 1-Jul-2015
https://dl.acm.org/doi/10.1016/j.cose.2015.03.004
Amthor PKühnhauser WPölck AConti MVaidya JSchaad A(2013)Heuristic safety analysis of access control modelsProceedings of the 18th ACM symposium on Access control models and technologies10.1145/2462410.2462413(137-148)Online publication date: 12-Jun-2013
https://dl.acm.org/doi/10.1145/2462410.2462413
Kulkarni DBertino ESandhu RBauer LPark J(2013)A fine-grained access control model for key-value systemsProceedings of the third ACM conference on Data and application security and privacy10.1145/2435349.2435370(161-164)Online publication date: 18-Feb-2013
https://dl.acm.org/doi/10.1145/2435349.2435370
Kulkarni DAhmed TTripathi A(2012)A Generative Programming Framework for Context-Aware CSCW ApplicationsACM Transactions on Software Engineering and Methodology10.1145/2089116.208912121:2(1-35)Online publication date: 1-Mar-2012
https://dl.acm.org/doi/10.1145/2089116.2089121
Yang FAotani TMasuhara HNielson FNielson H(2011)Combining static analysis and runtime checking in security aspects for distributed tuple spacesProceedings of the 13th international conference on Coordination models and languages10.5555/2022052.2022066(202-218)Online publication date: 6-Jun-2011
https://dl.acm.org/doi/10.5555/2022052.2022066
Dong NJonker HPang J(2011)Challenges in ehealthProceedings of the First international conference on Foundations of Health Informatics Engineering and Systems10.1007/978-3-642-32355-3_12(195-206)Online publication date: 29-Aug-2011
https://dl.acm.org/doi/10.1007/978-3-642-32355-3_12
Becker MFournet CGordon A(2010)SecPAL: Design and semantics of a decentralized authorization languageJournal of Computer Security10.5555/1835408.183541118:4(619-665)Online publication date: 1-Dec-2010
https://dl.acm.org/doi/10.5555/1835408.1835411
Kohler MBrucker AScandariato RWilliams L(2010)Access control caching strategiesProceedings of the 6th International Workshop on Security Measurements and Metrics10.1145/1853919.1853930(1-8)Online publication date: 15-Sep-2010
https://dl.acm.org/doi/10.1145/1853919.1853930
Molloy ICheng PRohatgi PBishop MProbst CKeromytis ASomayaji A(2009)Trading in riskProceedings of the 2008 New Security Paradigms Workshop10.1145/1595676.1595694(107-125)Online publication date: 21-Aug-2009
https://dl.acm.org/doi/10.1145/1595676.1595694
Stoller SYang PGofman MRamakrishnan CCarminati BJoshi J(2009)Symbolic reachability analysis for parameterized administrative role based access controlProceedings of the 14th ACM symposium on Access control models and technologies10.1145/1542207.1542233(165-174)Online publication date: 3-Jun-2009
https://dl.acm.org/doi/10.1145/1542207.1542233
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents