For demonstration purposes, a simple application example was developed together with Simone Fischer-Hübner. Although several modules are used, the focus is clearly on the Privacy Model (PM), the most complex and powerful one; the other modules serve special purposes only.
A small medical treatment center wants to centralize its data management. A high level of privacy must be guaranteed for all patient data, but statistical research on operations and selective data transmission to other centers must remain possible. The principles of minimal knowledge (need-to-know) and separation of duties are to be enforced.
Data are stored and processed within one protected system, with no remote access from or transfer to other systems. The only exceptions are the transfer of billing data to the patient's medical insurance company and the necessary transfer of diagnosis data to another medical treatment center. Both require a secure network connection.
The patient's path through treatment follows these steps:
First of all, the purposes of data storage and their tasks are defined:
Purpose | Tasks |
---|---|
Treatment | Diagnosis, Operation, Therapy, Transfer |
Management | Reception, Dismissal, Billing, Data transfer |
Research | Statistics |
For storage the following object classes are needed:
Object class | Purpose | Contents |
---|---|---|
Reception data | Management | Basic patient data |
Billing data | Management | Data needed for billing |
Diagnosis | Treatment | Diagnosis data |
Treatment instruction | Treatment | Instructions for surgeons and therapists |
Operation data | Treatment | Operation protocol |
Action data | Management, Treatment | Protocol of treatment actions |
Statistics | Research | Statistics on operations |
Next, users are defined and authorized for their tasks:
User | Authorized Tasks |
---|---|
Examiner | Diagnosis, Therapy, Transfer |
Surgeon | Operation, Transfer |
Therapist | Therapy |
Clerk | Reception, Dismissal |
Billing clerk | Billing, Data transfer |
Scientist | Statistics |
Data processing is done by transformation procedures (TPs), the programs through which personal data may be accessed:
TP | Usage for |
---|---|
pm_create | Creation of data files of a class |
Appending editor | Appending text to an existing file |
Editor | Modifying a text file |
Display program | Displaying a text file on the screen |
Deletion program | Deletion of a file |
Transfer program | Encrypted data transfer by interprocess communication |
Statistics program | Reading files, calculating statistics, writing those to another file |
The next step is to define the authorized TPs for each task. A TP must be listed here for every necessary access granted to it for that task in the last table below, otherwise that access can never succeed; the lists therefore include pm_create for Billing, Appending editor for Reception and Deletion program for Statistics.
Task | Authorized TP |
---|---|
Diagnosis | pm_create, Appending editor, Editor, Display program |
Operation | pm_create, Appending editor, Editor, Display program |
Therapy | Appending editor, Display program |
Transfer | Transfer program |
Reception | pm_create, Editor, Appending editor |
Dismissal | Appending editor |
Billing | pm_create, Editor, Display program |
Data transfer | Transfer program |
Statistics | pm_create, Editor, Deletion program, Statistics program |
Finally, the necessary accesses are granted per task, object class and TP; any combination not listed here is denied. Possible access types are Read, Write, Delete, Create and Append.
Task | Object class | TP | Accesses |
---|---|---|---|
Diagnosis | Diagnosis | pm_create | Create |
Diagnosis | Diagnosis | Editor | Read, Write, Append |
Diagnosis | Diagnosis | Display program | Read |
Diagnosis | Action data | Appending editor | Append |
Diagnosis | Treatment instruction | pm_create | Create |
Diagnosis | Treatment instruction | Editor | Read, Write, Append |
Operation | Treatment instruction | Display program | Read |
Operation | Operation data | pm_create | Create |
Operation | Operation data | Editor | Read, Write, Append |
Operation | Action data | Appending editor | Append |
Therapy | Treatment instruction | Display program | Read |
Therapy | Action data | Appending editor | Append |
Transfer | Diagnosis | Transfer program | Read |
Transfer | Treatment instruction | Transfer program | Read |
Transfer | Interprocess Communication | Transfer program | Create, Write, Append |
Reception | Reception data | pm_create | Create |
Reception | Reception data | Editor | Read, Write, Append |
Reception | Action data | pm_create | Create |
Reception | Action data | Appending editor | Append |
Dismissal | Reception data | Appending editor | Append |
Dismissal | Action data | Appending editor | Append |
Billing | Action data | Display program | Read |
Billing | Billing data | pm_create | Create |
Billing | Billing data | Editor | Read, Write, Append |
Data transfer | Billing data | Transfer program | Read |
Data transfer | Interprocess Communication | Transfer program | Create, Write, Append |
Statistics | Statistics | pm_create | Create |
Statistics | Statistics | Editor | Read, Write, Append |
Statistics | Statistics | Deletion program | Delete |
Statistics | Statistics | Statistics program | Write, Append |
Statistics | Diagnosis | Statistics program | Read |
Statistics | Treatment instruction | Statistics program | Read |
Statistics | Operation data | Statistics program | Read |
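The tables above fully determine the PM decision for any request, but reading them by hand is error-prone. The following Python script is an added example written for this page (it is not RSBAC code and not part of the original handbook): it encodes the tables, evaluates a request in the order the PM checks it (user authorized for the task, TP authorized for the task, access listed as necessary, and purpose binding, i.e. the task's purpose must be in the object class's purpose set), and lints the necessary-accesses table for entries that no request could ever satisfy. The purpose set given to Interprocess Communication objects is an assumption; the page states none.

```python
"""Decision logic of the RSBAC Privacy Model (PM) for the treatment-center tables above.
Illustrative re-implementation written for this page, not RSBAC kernel code."""
# Purpose of each task (first table) and purpose set of each object class (second table).
PURPOSE_TASKS = {"Treatment": ["Diagnosis", "Operation", "Therapy", "Transfer"],
                 "Management": ["Reception", "Dismissal", "Billing", "Data transfer"],
                 "Research": ["Statistics"]}
TASK_PURPOSE = {t: p for p, tasks in PURPOSE_TASKS.items() for t in tasks}
CLASS_PURPOSES = {
    "Reception data": {"Management"}, "Billing data": {"Management"},
    "Diagnosis": {"Treatment"}, "Treatment instruction": {"Treatment"},
    "Operation data": {"Treatment"}, "Action data": {"Management", "Treatment"},
    "Statistics": {"Research"},
    # Assumption: the page gives no purpose for IPC objects; both transfer tasks use them.
    "Interprocess Communication": {"Treatment", "Management"},
}
# Users -> authorized tasks (third table).
USER_TASKS = {
    "Examiner": {"Diagnosis", "Therapy", "Transfer"}, "Surgeon": {"Operation", "Transfer"},
    "Therapist": {"Therapy"}, "Clerk": {"Reception", "Dismissal"},
    "Billing clerk": {"Billing", "Data transfer"}, "Scientist": {"Statistics"},
}
# Tasks -> authorized TPs (fifth table), covering every TP the necessary-accesses table
# uses for that task: an access through a TP missing here can never be granted.
TASK_TPS = {
    "Diagnosis": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Operation": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Therapy": {"Appending editor", "Display program"},
    "Transfer": {"Transfer program"}, "Data transfer": {"Transfer program"},
    "Reception": {"pm_create", "Editor", "Appending editor"}, "Dismissal": {"Appending editor"},
    "Billing": {"pm_create", "Editor", "Display program"},
    "Statistics": {"pm_create", "Editor", "Deletion program", "Statistics program"},
}
# Necessary accesses (last table) as "task|object class|TP|accesses" rows.
NECESSARY_ACCESSES = """
Diagnosis|Diagnosis|pm_create|Create
Diagnosis|Diagnosis|Editor|Read,Write,Append
Diagnosis|Diagnosis|Display program|Read
Diagnosis|Action data|Appending editor|Append
Diagnosis|Treatment instruction|pm_create|Create
Diagnosis|Treatment instruction|Editor|Read,Write,Append
Operation|Treatment instruction|Display program|Read
Operation|Operation data|pm_create|Create
Operation|Operation data|Editor|Read,Write,Append
Operation|Action data|Appending editor|Append
Therapy|Treatment instruction|Display program|Read
Therapy|Action data|Appending editor|Append
Transfer|Diagnosis|Transfer program|Read
Transfer|Treatment instruction|Transfer program|Read
Transfer|Interprocess Communication|Transfer program|Create,Write,Append
Reception|Reception data|pm_create|Create
Reception|Reception data|Editor|Read,Write,Append
Reception|Action data|pm_create|Create
Reception|Action data|Appending editor|Append
Dismissal|Reception data|Appending editor|Append
Dismissal|Action data|Appending editor|Append
Billing|Action data|Display program|Read
Billing|Billing data|pm_create|Create
Billing|Billing data|Editor|Read,Write,Append
Data transfer|Billing data|Transfer program|Read
Data transfer|Interprocess Communication|Transfer program|Create,Write,Append
Statistics|Statistics|pm_create|Create
Statistics|Statistics|Editor|Read,Write,Append
Statistics|Statistics|Deletion program|Delete
Statistics|Statistics|Statistics program|Write,Append
Statistics|Diagnosis|Statistics program|Read
Statistics|Treatment instruction|Statistics program|Read
Statistics|Operation data|Statistics program|Read
"""
NA = {}
for row in NECESSARY_ACCESSES.strip().splitlines():
    task, obj_class, tp, accesses = (f.strip() for f in row.split("|"))
    NA[(task, obj_class, tp)] = set(accesses.split(","))

def decide(user, task, tp, obj_class, access):
    """Grant only if every PM condition holds; the reason names the first failing one."""
    if task not in USER_TASKS.get(user, set()):
        return False, "user not authorized for task"
    if tp not in TASK_TPS.get(task, set()):
        return False, "TP not authorized for task"
    if access not in NA.get((task, obj_class, tp), set()):
        return False, "access not necessary for task"
    if TASK_PURPOSE.get(task) not in CLASS_PURPOSES.get(obj_class, set()):
        return False, "purpose binding violated"
    return True, "granted"

def unreachable_accesses():
    """Policy lint: necessary-access entries that no request could ever satisfy."""
    problems = []
    for task, obj_class, tp in NA:
        if tp not in TASK_TPS.get(task, set()):
            problems.append((task, obj_class, tp, "TP not authorized for task"))
        if TASK_PURPOSE.get(task) not in CLASS_PURPOSES.get(obj_class, set()):
            problems.append((task, obj_class, tp, "purpose binding violated"))
    return problems

if __name__ == "__main__":
    print(decide("Examiner", "Diagnosis", "Editor", "Diagnosis", "Write"))
    print(decide("Scientist", "Statistics", "Editor", "Diagnosis", "Read"))
    for problem in unreachable_accesses():
        print("unreachable:", problem)
```

The second request shows minimal knowledge at work: a Scientist may run the Editor, but only the Statistics program has a necessary Read on Diagnosis data, so the Editor is refused. The lint reports the three Statistics reads of Diagnosis, Treatment instruction and Operation data: the necessary-accesses table grants them, but the object class table lists only Treatment as purpose for those classes, so purpose binding would deny them even through the Statistics program. Either Research belongs in the purpose sets of those classes, or the statistics must run on a separate class collected for research; the page does not say which is intended, so resolve this before entering the policy with rsbac_pm.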
All of these definitions must be entered by a security officer with rsbac_pm, using tickets issued by a data protection officer with the same program, so that no single person can change the privacy policy on their own. Currently, object classes, tasks, purposes and so on are entered as numeric IDs; mapping them to the names used above is left to the administrator.
Other Models
Since the Privacy Model only protects personal data and system calls, all other data are still protected only by discretionary access control and should be covered by another security model. At the very least, the identification and authentication file /etc/shadow should also be declared personal data with its own object class, so that only the necessary accesses by authorized programs are possible.
In this example, Functional Control (FC) can be used to restrict access to security-relevant files: under FC, objects of the categories security object and system object are accessible only to security officers (not necessarily the same users as the PM security officer) and administrators. Where only unauthorized modification needs to be prevented, e.g. for /etc/passwd, the Security Information Modification (SIM) model with its data type attribute should be sufficient.
The Mandatory Access Control model should additionally be used for confidential but non-personal data, e.g. business data.
Steps of Treatment from the System's Point of View
A patient's progress through the medical treatment center is covered by the following steps:
Table of Contents: RSBAC Handbook