| Summary: | 碩士 === 國立清華大學 === 資訊工程學系 === 94 === The design of proper models for authorization and access control for electronic medical record (EMR) is essential to a wide scale use of EMR in large health organizations. There is a need for distributed, automated management agents whose behaviors also have to dynamically change to reflect the evolution of the system being managed. Policy-based management is one of the latest developments in network and distributed systems management. The use of policy-based management in areas such as security is particularly attractive. Security management involves specification and deployment of access control policies. Policies are a means of specifying and influencing management behavior within a system, without coding the behaviors into the manager agents. Our approach is aimed at specifying implementable policies, although policies may be initially specified at the organizational level, and then refined to implementable actions. Authorization policies specify what activities a role is permitted or forbidden to do to a set of target objects and are similar to security access control policies. Obligation policies specify what activities a role must or must not do to a set of target objects and essentially define the duties of the role. This model regulates user’s access to EMR based on organizational roles. It supports positive and negative authorizations; static and dynamic separation of duties based on weak and strong role conflicts. Authorization with context use environmental information available at access time, like user/patient relationship, in order to decide whether a user is allowed to access an EMR resource. This enables the specification of a more flexible and precise authorization policy, where permission is granted or denied according to the right and the need of the user to carry out a particular job function. We also discuss various precedence relationships that can be established between policies in order to allow inconsistent policies to co-exist with the system and review policy conflicts, focusing on the problems of conflict detection and resolution.
|
|---|
