Attribute Based Access Control

Access control is one of the key issues in handling the information flow within healthcare actors, between healthcare actors, and in cross-border healthcare actions.
Conventional access control models are, for example, Identity Based Access Control (IBAC) and Role Based Access Control (RBAC). In IBAC, access permissions are directly associated with a subject, which is difficult to scale. In RBAC, access permissions are based on the role(s) a subject is performing. RBAC gives better scalability and ease of use but has drawbacks.
In Sweden a national security application is under way, built upon Attribute Based Access Control (ABAC). This model consists of three groups of attributes:
• Subject Attributes
Associated with a subject (e.g. identifier, name, job title, role, …)
• Resource Attributes
Associated with a resource (e.g. metadata elements, …)
• Environment Attributes
Describe the environment or context (e.g. current date, time, classifications, …)
This Swedish initiative will be the world’s largest XACML 3.0 (OASIS) deployment.
I see the beauty of policies and the abilities in the Service Oriented perspective, but in the daily caregiver situation, could the complexity of making the policies be too high, leaving doors open to accessing confidential electronic patient records?

About the author

Krister has been in the IT business since 1978. His major areas of professional interest and expertise have a bearing on both business activity and IT. Krister is one of Sweden's leading authorities in business architecture and specializes in the healthcare sector. Krister also has a deep understanding of business workflows and processes combined with quality management. Risk management, such as the review of tenders, agreements and projects, is another of his fields of expertise. Krister has been an active board member of IT companies, and has also been a controller in economics.


One Response to Attribute Based Access Control

  • Ludwig Seitz says:

    Hello Krister,
    I think you need to separate the making of long term access control policies from day to day access administration.
    For long term access control policies you either need intensive training with XACML or an application specific interface, that lets a user formulate policies in a way he/she understands, hiding the complexity of XACML.
    For day to day administration, you don’t touch the policies, you set attributes (it’s what ABAC is all about). In order to do that you only need a description (which can be fully independent from XACML) of which attributes will give you which permissions.
    If you want to learn more about ABAC and XACML we provide a lot of material on our website: http://www.axiomatics.com/
    Regards,
    Ludwig Seitz
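As an added illustration (not part of the post, of the comment, or of the Swedish deployment, and a plain Python sketch rather than XACML), the following minimal policy decision point shows the three attribute groups from the post working together, and the split that the comment describes: the policy is written once, while day-to-day administration only sets attributes. The attribute names, the rules and the deny-overrides behaviour are hypothetical; the point to note is that an attribute that is missing from a request can only withhold access, never grant it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]

@dataclass
class Rule:
    effect: str  # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, resource, environment)

def evaluate(rules: List[Rule], subject: Attrs, resource: Attrs, env: Attrs) -> str:
    """Deny-overrides combining: any applicable Deny wins, otherwise Permit if
    some rule permits, otherwise NotApplicable. A condition that fails on a
    missing attribute (KeyError) is treated as Indeterminate and skipped, so an
    unset attribute can never open a door; it can only close one."""
    decision = "NotApplicable"
    for rule in rules:
        try:
            applicable = rule.condition(subject, resource, env)
        except KeyError:
            continue
        if not applicable:
            continue
        if rule.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision

# Long-term policy (hypothetical), written once by a policy author:
POLICY = [
    # a caregiver may read normal records of patients in their own care relation
    Rule("Permit", lambda s, r, e: r["patient_id"] in s["care_relations"]
         and r["classification"] == "normal"),
    # confidential records: only a physician with a care relation, while on duty
    Rule("Permit", lambda s, r, e: r["patient_id"] in s["care_relations"]
         and r["classification"] == "confidential"
         and s["role"] == "physician" and e["on_duty"]),
    # and never a non-physician, whatever the other rules say
    Rule("Deny", lambda s, r, e: r["classification"] == "confidential"
         and s["role"] != "physician"),
]

def is_permitted(subject: Attrs, resource: Attrs, env: Attrs) -> bool:
    # The enforcement point treats anything but an explicit Permit as a denial.
    return evaluate(POLICY, subject, resource, env) == "Permit"

def assign_care_relation(subject: Attrs, patient_id: str) -> Attrs:
    """Day-to-day administration: set an attribute, leave the policy untouched."""
    return {**subject, "care_relations": set(subject["care_relations"]) | {patient_id}}
```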
