
Record opening

Rather than trying to deal with objects having multiple access control lists, we will assume that there are multiple records. A patient might for example have:

This is logically equivalent to having a record with three different fields, each with its own access control list. However, it is much simpler for us to deal with.

So the clinician may open a new record when an existing patient wishes to discuss something highly sensitive, or when a new patient registers with her, or when a patient is referred from elsewhere. The access control list on a new record is as follows:

Principle 2: A clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with herself, the patient and the referring clinician(s) on the access control list.
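The multiple-record model and the initial access control list of Principle 2 can be sketched in Python. This is an added example, not part of the original policy text; the role labels, record labels, names and the helpers `open_record`, `may_access` and `accessible` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    name: str
    role: str  # "clinician" or "patient" (role labels are assumed)

@dataclass
class Record:
    patient: Principal
    label: str        # constructed label, e.g. "general"
    acl: frozenset    # one access control list per record
    entries: list = field(default_factory=list)

def open_record(opener, patient, label, referred_by=()):
    """Open a record whose initial ACL follows Principle 2."""
    if opener.role != "clinician":
        raise PermissionError("only a clinician may open a record")
    if patient.role != "patient":
        raise ValueError("the record subject must be a patient")
    if any(r.role != "clinician" for r in referred_by):
        raise ValueError("referrers must be clinicians")
    # Opener and patient are always listed; the referring clinician(s)
    # are added only when the patient has been referred.
    return Record(patient, label, frozenset({opener, patient, *referred_by}))

def may_access(principal, record):
    """Access is decided by membership of the record's own ACL."""
    return principal in record.acl

def accessible(principal, records):
    """Labels of the records in a patient's file open to this principal."""
    return sorted(r.label for r in records if may_access(principal, r))

def sample_file():
    """Constructed sample: one patient with three separate records."""
    gp = Principal("Dr Jones", "clinician")
    consultant = Principal("Dr Smith", "clinician")
    patient = Principal("A. Patient", "patient")
    records = [
        open_record(gp, patient, "general"),
        # Opened separately for something highly sensitive.
        open_record(gp, patient, "sensitive"),
        # Opened by the consultant after a referral from the GP.
        open_record(consultant, patient, "referral", referred_by=(gp,)),
    ]
    return gp, consultant, patient, records

if __name__ == "__main__":
    gp, consultant, patient, records = sample_file()
    for p in (gp, consultant, patient):
        print(p.name, "->", accessible(p, records))
```

Because each record carries exactly one list, the consultant's access to the referral record gives no access to the general or sensitive records, which is the effect a per-field access control list would have had.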


Ross Anderson
Fri Jan 12 10:49:45 GMT 1996