
Product Sec RBAC


Product Brief - Role-based Access Control Healthcare Permission Catalog (RBAC)


Product Name

Role-based Access Control Healthcare Permission Catalog, Release 2


Standard Category

  • Health Information Exchange Standards

Integration Paradigm

  • Foundation


Normative, ANSI Standard


ANSI/HL7 V3 RBAC, R1-2008; ANSI/HL7 V3 RBAC, R2-2010


This document is an overview of the five documents that together comprise the HL7 Security Work Group's Role Based Access Control project work products.


This document presents normative language for the HL7 permission vocabulary used in constructing permission {operation, object} pairs. The vocabulary contained in this permission catalog provides information supporting access control decision and enforcement functions as defined by ISO 10181-3. Other forms of access control information are possible, including entity-based access control and context-based access control, which are outside the scope of these definitions. This vocabulary does not presume or prevent organizations from executing these controls or other local constraints used for other purposes (e.g., cardinality constraints regarding the number of persons asserting a role with a specific permission at a particular time). Specifically, this vocabulary does not prohibit use of logical rules and policies that an entity may choose to execute. This vocabulary is consistent with the OASIS XACML and ANSI INCITS RBAC standards, allowing entities to integrate RBAC into their total access management solution. This vocabulary is appropriate for RBAC only and may not be appropriate for use by other security services. There is nothing in these definitions to suggest that RBAC completely defines all aspects of access control information, only that which is necessary for interoperability defined by roles.

The HL7 Security WG has future plans to consider situations that reflect the policies of specific domains. These domain-specific considerations are out of scope of the current permission definitions.


Work Groups