Published: October 19, 2000
Author(s)
Ramaswamy Chandramouli (NIST)
Conference
Name: 23rd National Information Systems Security Conference (NISSC '00)
Dates: October 16-19, 2000
Location: Baltimore, Maryland, United States
Citation: Proceedings of the 23rd National Information Systems Security Conference (NISSC '00),
Announcement
Defining an Access Control Service for an enterprise application requires the choice of an access control model and a process for formulation of access decision rules to be used by the access enforcement mechanism. In this paper, we describe a business process driven framework (called the BPD-ACS) for developing both the model and formulating the access decision rules. The model used is the Role Based Access Control (RBAC) model and the access decision rules are based on temporal business associations. The enterprise setting is a multi-facility hospital and the particular application for which the access control service was defined is the Hospital-based Laboratory Information System. (HLIS).The lesson learnt from this exercise is that a much more sophisticated rule processing capability is required for these types of applications than is currently available in both commercial and research-prototype authorization servers
Defining an Access Control Service for an enterprise application requires the choice of an access control model and a process for formulation of access decision rules to be used by the access enforcement mechanism. In this paper, we describe a business process driven framework (called the BPD-ACS)...
See full abstract
Defining an Access Control Service for an enterprise application requires the choice of an access control model and a process for formulation of access decision rules to be used by the access enforcement mechanism. In this paper, we describe a business process driven framework (called the BPD-ACS) for developing both the model and formulating the access decision rules. The model used is the Role Based Access Control (RBAC) model and the access decision rules are based on temporal business associations. The enterprise setting is a multi-facility hospital and the particular application for which the access control service was defined is the Hospital-based Laboratory Information System. (HLIS).The lesson learnt from this exercise is that a much more sophisticated rule processing capability is required for these types of applications than is currently available in both commercial and research-prototype authorization servers
Hide full abstract
Keywords
access control models; access enforcement mechanism; enterprise security policy; information domains
Control Families
Access Control
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
