CR · Mar 20, 2015

Relationship-Based Access Control for OpenMRS

arXiv:1503.06154v1 · 3 citations
Originality Incremental advance
AI Analysis

This work addresses access control challenges in healthcare systems by enabling fine-grained authorization based on relationships, such as allowing only a patient's family doctor to access their records, which is an incremental advancement in applying ReBAC to real-world medical software.

The authors tackled the problem of implementing Relationship-Based Access Control (ReBAC) in a production-scale medical records system, OpenMRS, by extending its access control mechanism with backward compatibility to legacy RBAC, and demonstrated its feasibility through performance comparisons of authorization schemes.

Inspired by the access control models of social network systems, Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose access control paradigm for application domains in which authorization must take into account the relationship between the access requestor and the resource owner. The healthcare domain is envisioned to be an archetypical application domain in which ReBAC is sorely needed: e.g., my patient record should be accessible only by my family doctor, but not by all doctors. In this work, we demonstrate for the first time that ReBAC can be incorporated into a production-scale medical records system, OpenMRS, with backward compatibility to the legacy RBAC mechanism. Specifically, we extend the access control mechanism of OpenMRS to enforce ReBAC policies. Our extensions incorporate and extend advanced ReBAC features recently proposed by Crampton and Sellwood. In addition, we designed and implemented the first administrative model for ReBAC. In this paper, we describe our ReBAC implementation, discuss the system engineering lessons learnt as a result, and evaluate the experimental work we have undertaken. In particular, we compare the performance of the various authorization schemes we implemented, thereby demonstrating the feasibility of ReBAC.
