May 5th, 2009 Security Conference Call
Revision as of 16:15, 12 May 2009
Attendees (expected)
- Steven Connolly
- Mike Davis Security Co-chair
- Suzanne Gonzales-Webb CBCC Co-chair
- Milan Petkovik
- David Sperzel
- Richard Thoreson CBCC Co-chair
- Tony Weida
- Craig Winter
May 5 2009
Security Working Group Meeting
Agenda
- (05 min) Roll Call
- (05 min) Approve Minutes & Accept Agenda
- (15 min) RBAC Object Vocabulary (as of 5/5/2009): http://hl7projects.hl7.nscee.edu/docman/view.php/59/2564/RBACObjectVocabulary%202009.05.05.xls
ANSI INCITS 359 defines an object as any system resource. (Is a workflow a system resource? Per Mike, yes. This is consistent with the earlier model of access control: "...it contains or receives information.") (Steve) It produces artifacts.
The object definition is flexible; an object receives data from users. The analysis was completed by starting with workflows, then breaking them down into tasks, then steps, then component pieces. The problem with a workflow is that it can have multiple pieces. We go from scenario to workflow to task, and a task can only be done by one user. It's important that we have permissions: RBAC provides user authorization to use functions as well as to use objects.
- Some of the issues may be resolved by splitting out the objects into artifacts.
Our intent is to control the operation of the system. (Execute is a verb, as are print and operations like that.)
To participate in a workflow is itself a verb. Within the workflow there are detailed functional 'things to do'; being allowed to participate does not mean you can perform all of the detailed functional access involved.
An example of objects within a workflow: a bank service needs to send a check to a customer. Policy states that the bank personnel who authorizes and writes the check cannot be the same person who signs the check. There are two scenarios in the workflow: one is authorizing/writing the check, the other is signing the check.
We will ask INCITS about their interpretation of an object to resolve this issue. (Mike to do) If necessary, we can update/change the standard to clarify it.
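The distinction drawn above (a permission is a verb applied to an object, participating in a workflow does not grant every detailed operation inside it, and the bank's policy that the person who authorizes or writes a check may not also sign it) can be made concrete in a small RBAC model. The following is an added example written for these minutes, not code from the working group or from ANSI INCITS 359; the roles (teller, officer), users (alice, bob, carol), the "check" object and the operation names are constructed assumptions. It enforces the separation-of-duty rule dynamically, per check instance, so that a user who legitimately holds both roles is still blocked from signing a check they authorized or wrote.

```python
"""RBAC model: permissions are (verb, object) pairs granted through roles, and a
dynamic separation-of-duty constraint prevents one user from performing two
conflicting operations on the same workflow instance.  Constructed example; the
roles, users and the check workflow are assumptions, not HL7 vocabulary."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """A permission is a verb (operation) applied to an object (system resource or artifact)."""
    operation: str
    obj: str


class RBAC:
    def __init__(self):
        self.roles = {}          # role name -> set of Permission
        self.user_roles = {}     # user -> set of role names
        self.sod_pairs = set()   # frozenset({op_a, op_b}): one user may not do both on one instance
        self.history = {}        # workflow instance id -> {operation: user who performed it}

    def add_role(self, name, permissions):
        self.roles[name] = set(permissions)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def add_dynamic_sod(self, op_a, op_b):
        self.sod_pairs.add(frozenset({op_a, op_b}))

    def permitted(self, user, operation, obj):
        """Static RBAC check: some role held by the user carries this verb on this object."""
        wanted = Permission(operation, obj)
        return any(wanted in self.roles.get(r, set()) for r in self.user_roles.get(user, set()))

    def perform(self, user, operation, obj, instance):
        """Attempt one task of a workflow instance. Returns (allowed, reason)."""
        if not self.permitted(user, operation, obj):
            return False, f"{user} holds no role granting {operation} on {obj}"
        done = self.history.setdefault(instance, {})
        for prior_op, prior_user in done.items():
            if prior_user == user and frozenset({prior_op, operation}) in self.sod_pairs:
                return False, f"separation of duty: {user} already performed {prior_op} on {instance}"
        done[operation] = user
        return True, "ok"


def build_bank():
    """Constructed bank policy: tellers authorize and write checks, officers sign them,
    and nobody may sign a check they authorized or wrote."""
    rbac = RBAC()
    rbac.add_role("teller", {Permission("authorize", "check"), Permission("write", "check")})
    rbac.add_role("officer", {Permission("sign", "check")})
    rbac.add_dynamic_sod("authorize", "sign")
    rbac.add_dynamic_sod("write", "sign")
    rbac.assign("alice", "teller")
    rbac.assign("bob", "officer")
    rbac.assign("carol", "teller")   # carol holds both roles
    rbac.assign("carol", "officer")
    return rbac


def run_check_workflow(rbac):
    """Drive two check instances through authorize -> write -> sign; return the outcome of each step."""
    steps = [
        ("alice", "authorize", "check-1"),
        ("alice", "write", "check-1"),
        ("alice", "sign", "check-1"),    # denied: teller role lacks the sign verb
        ("bob", "sign", "check-1"),
        ("carol", "authorize", "check-2"),
        ("carol", "write", "check-2"),
        ("carol", "sign", "check-2"),    # denied: holds the verb, but SoD blocks it on this instance
        ("bob", "sign", "check-2"),
    ]
    return [(u, op, inst, rbac.perform(u, op, "check", inst)[0]) for u, op, inst in steps]


if __name__ == "__main__":
    for user, op, inst, ok in run_check_workflow(build_bank()):
        print(f"{user:6} {op:10} {inst}: {'allowed' if ok else 'denied'}")
```

The two denials illustrate the two different controls the minutes separate: alice is stopped by the static permission check (her role carries no "sign" verb on the check object), while carol is stopped only by the dynamic separation-of-duty history for that particular check, even though her roles would let her sign a check someone else prepared.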
- (5 min) Other Business