Relationship-Based Access Control for OpenMRS
Syed Zain Rizvi, Philip W.L. Fong, Jason Crampton, James Sellwood

TL;DR
This paper demonstrates how Relationship-Based Access Control (ReBAC), inspired by social networks, can be integrated into the OpenMRS healthcare system, enabling more context-aware permissions while maintaining legacy compatibility.
Contribution
It introduces the first implementation of ReBAC in a production-scale medical records system, extending OpenMRS with advanced ReBAC features and an administrative model.
Findings
ReBAC can be effectively integrated into OpenMRS.
ReBAC policies perform comparably to legacy RBAC schemes.
The implementation offers a scalable and backward-compatible access control solution.
Abstract
Inspired by the access control models of social network systems, Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose access control paradigm for application domains in which authorization must take into account the relationship between the access requestor and the resource owner. The healthcare domain is envisioned to be an archetypical application domain in which ReBAC is sorely needed: e.g., my patient record should be accessible only by my family doctor, but not by all doctors. In this work, we demonstrate for the first time that ReBAC can be incorporated into a production-scale medical records system, OpenMRS, with backward compatibility to the legacy RBAC mechanism. Specifically, we extend the access control mechanism of OpenMRS to enforce ReBAC policies. Our extensions incorporate and extend advanced ReBAC features recently proposed by Crampton…
Taxonomy
Topics: Access Control and Trust · Internet Traffic Analysis and Secure E-voting · Cryptography and Data Security
