TY - GEN
T1 - Extending Attribute Based Access Control to Facilitate Trust in eHealth and Other Applications
AU - Longstaff, Jim
PY - 2013/1/1
Y1 - 2013/1/1
N2 - We describe a new model for Attribute Based Access Control (ABAC) which handles negative permissions and overrides in a single permissions processing mechanism. The model lends itself to the generation of explanations and permissions review, which can be used to foster end-user trust and confidence in the authorization system. We illustrate using a scenario in which a patient, with the assistance of an information specialist, develops consent directives for her medical records while receiving explanations and demonstrations. The model extends the approaches of ABAC and parameterized Role Based Access Control (RBAC) in that users, operations, and protected objects have properties, which we call classifiers. The simplest form of classifier is an attribute, as defined for ABAC; additional information is also handled by classifiers. Classifier values themselves are hierarchically-structured. A permission consists of a set of classifier values, and permissions review/determining an individual's risk exposure is carried out by database querying. The model has general applicability to areas where tightly-controlled sharing of data and applications, with well-defined overrides, is required.
AB - We describe a new model for Attribute Based Access Control (ABAC) which handles negative permissions and overrides in a single permissions processing mechanism. The model lends itself to the generation of explanations and permissions review, which can be used to foster end-user trust and confidence in the authorization system. We illustrate using a scenario in which a patient, with the assistance of an information specialist, develops consent directives for her medical records while receiving explanations and demonstrations. The model extends the approaches of ABAC and parameterized Role Based Access Control (RBAC) in that users, operations, and protected objects have properties, which we call classifiers. The simplest form of classifier is an attribute, as defined for ABAC; additional information is also handled by classifiers. Classifier values themselves are hierarchically-structured. A permission consists of a set of classifier values, and permissions review/determining an individual's risk exposure is carried out by database querying. The model has general applicability to areas where tightly-controlled sharing of data and applications, with well-defined overrides, is required.
UR - http://www.scopus.com/inward/record.url?scp=84904875366&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-41205-9_11
DO - 10.1007/978-3-642-41205-9_11
M3 - Conference contribution
AN - SCOPUS:84904875366
SN - 9783642412042
T3 - Communications in Computer and Information Science
SP - 127
EP - 137
BT - Cyber Security and Privacy - Trust in the Digital World and Cyber Security and Privacy EU Forum 2013, Revised Selected Papers
PB - Springer Verlag
T2 - Trust in the Digital World and Cyber Security and Privacy EU Forum, CSP EU Forum 2013
Y2 - 18 April 2013 through 19 April 2013
ER -