NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Business Process Driven Framework for Defining an Access Control Service Based on Roles and Rules

Published

Author(s)

Ramaswamy Chandramouli

Abstract

Defining an Access Control Service for an enterprise application requires the choice of an access control model and a process for formulation of access decision rules to be used by the access enforcement mechanism. In this paper, we describe a business process driven framework (called the BPD-ACS) for developing both the model and formulating the access decision rules. The model used is the Role Based Access Control (RBAC) model and the access decision rules are based on temporal business associations. The enterprise setting is a multi-facility hospital and the particular application for which the access control service was defined is the Hospital-based Laboratory Information System. (HLIS).The lesson learnt from this exercise is that a much more sophisticated rule processing capability is required for these types of applications than is currently available in both commercial and research-prototype authorization servers
Proceedings Title
Proceedings of the 23rd National Information Systems Security Conference (NISSC '00)
Conference Dates
October 16-19, 2000
Conference Location
Baltimore, MD
Conference Title
23rd National Information Systems Security Conference (NISSC '00)
Pub Type
Conferences

Download Paper

Local Download

Keywords

access control models, access enforcement mechanism, enterprise security policy, information domains
Cybersecurity and privacy

Citation

Chandramouli, R. (2000), Business Process Driven Framework for Defining an Access Control Service Based on Roles and Rules, Proceedings of the 23rd National Information Systems Security Conference (NISSC '00), Baltimore, MD, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=151214 (Accessed October 14, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created October 19, 2000, Updated February 19, 2017
Was this page helpful?