Informatics in Medicine Unlocked (Jan 2021)
Implications of loosened Role-based Access Control session control implementation for the enforcement of Dynamic Mutually Exclusive Roles properties on Health Information Systems
Abstract
Role-based Access Control (RBAC) session control is used in the authorization vetting of controlled objects within the system to check whether a user's intended action is permitted by the roles that he/she possesses. Session control is also used to enforce Separation of Duty (SoD) via Dynamic Mutually Exclusive Roles (DMER), limiting the roles that can be associated with a particular user during a session because of their conflicting permissions. The RBAC requirements that dictate the session-control functions preventing conflicting roles from being assigned to users can be poorly implemented because of a possible interpretation of the RBAC standard. This loosened interpretation is discussed here by assessing the textual description and objectives of the RBAC functions, and by formally stating the different interpretations using Z notation and Colored Petri Nets (CPN) to demonstrate the resulting functionality and its consequences for system use. Three aspects of the security properties are discussed, comparing the interpretations and their impacts on RBAC functionality: a) the implications of the user's authorization characterization on the system's session, b) the actual DMER conflict detection capability, and c) possible collusion scenarios considering the RBAC administrator's capabilities. Two different interpretations of the RBAC session-control function are formally defined in full, to support investigation of their inner functionality and expected behaviour on the system. The assessment of the functionalities is presented in order to highlight ambiguities that could lead to less secure implementations, so as to provide a more robust RBAC description that yields more rigid and predictable behaviour on Health Information Systems (HIS). Outcomes of a poorly implemented session control include the inability to fulfil the healthcare organization's security policy, or even allowing illegal actions to take place owing to the absence of the expected restrictions and constraints on users' interactions.
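A worked illustration of the two readings of the session-control function, added here and not part of the paper: the user, roles and DSD policy are constructed, and the loosened reading shown (DSD vetted only once, at CreateSession, and never re-checked on AddActiveRole) is an assumption made for contrast with the strict reading.

```python
# Added example (not from the paper): minimal ANSI-RBAC-style session model with
# one Dynamic Separation of Duty (DMER) constraint. Names and policy are constructed.
# UA relation: roles the RBAC administrator assigned to each user (constructed)
USER_ASSIGNMENTS = {"dr_alice": {"prescriber", "pharmacy_verifier", "ward_nurse"}}

# DSD constraint (role_set, n): fewer than n roles of role_set may be active in one
# session. Constructed policy: ordering and verifying a drug must not share a session.
DSD_CONSTRAINTS = [({"prescriber", "pharmacy_verifier"}, 2)]


def dsd_satisfied(active_roles, constraints=DSD_CONSTRAINTS):
    """True when the active role set violates no DSD constraint."""
    return all(len(active_roles & role_set) < n for role_set, n in constraints)


class Session:
    """An RBAC session whose active_roles is a subset of the user's assigned roles.
    vet_every_activation=True is the strict reading (DSD re-checked on every
    AddActiveRole); False is a loosened reading assumed for contrast (CreateSession only)."""

    def __init__(self, user, initial_roles=(), vet_every_activation=True):
        self.user = user
        self.vet_every_activation = vet_every_activation
        self.active_roles = set()
        # CreateSession: the initial active set must satisfy DSD in both readings
        if not dsd_satisfied(set(initial_roles)):
            raise PermissionError("initial role set violates DSD")
        for role in initial_roles:
            self.add_active_role(role)

    def add_active_role(self, role):
        """AddActiveRole: the role must be assigned to the user and, in the strict
        reading, the active set including the new role must still satisfy DSD."""
        if role not in USER_ASSIGNMENTS.get(self.user, set()):
            raise PermissionError(f"{role} is not assigned to {self.user}")
        if self.vet_every_activation and not dsd_satisfied(self.active_roles | {role}):
            raise PermissionError(f"activating {role} would violate DSD")
        self.active_roles.add(role)

    def check_access(self, required_role):
        """CheckAccess: an action is permitted only through a currently active role."""
        return required_role in self.active_roles


def try_activate(session, role):
    """True if the session accepted the activation, False if it was rejected."""
    try:
        session.add_active_role(role)
        return True
    except PermissionError:
        return False
```

Under the strict reading the conflicting activation is rejected at AddActiveRole; under the loosened reading it succeeds, both conflicting roles become active in one session, and CheckAccess then permits actions that the DMER policy was meant to keep apart.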