Partial Access Control Permissions and Rights

In order to satisfy the Principle of Least Privilege1 in large enterprises which employ Role Based Access Control systems a large number of roles must be defined. Role management can become a demanding and complex task in such situations. This paper introduces the concepts of Partial Access Control Permissions (Partial Permissions) and Partial Access Control Rights (Partial Rights) which enable the number of roles to be reduced and role management burdens to be eased. Partial permissions are linked permissions which are applied simultaneously to two or more roles. The rights defined in a partial permission only become active when an access request triggers a sufficient number of linked partial permissions. Partial permissions enable permissions to be given to any combination of roles. For example, if a hospital patient is attended by clinicians with a “treating team ” role and the hospital has a “doctor” role, a partial permission applied to the two roles is only triggered during an access request from a doctor who is on the treating team. Similarly, a Full Right is triggered when a complete set of Partial Rights are activated. Partial rights provide a means for incorporating consent and authorisation into the access control system, as well as facilitating the application of general access control rules to groups of associated roles.