An attributable role-based access control for healthcare

Role Based Access Control (RBAC) has the potential for reducing the complexity and total cost of security administration. Even though RBAC implementations aim on administrating large scale systems, they have a shortcoming in common. They do not allow to define attributable roles and permissions. But such roles are very common in our thoughts and language. When we say "attending physician of patient x", we mean a role attending physician with all associated permissions to fulfill the treatment of patient x. Because the resulting permissions only differ in the restriction to a particular patient, it is desirable that attributes like "patient x" are used in roles and permissions to restrict the rights to access only data related to that patient. This paper shows how attributes can be applied to RBAC, in order to reduce the total number of role- and permission-objects in security administration.