===== Privacy Model (PM) Example =====

For demonstration purposes a simple application example has been developed together with Simone Fischer-Hübner. Although several modules are used, our focus clearly lies on the Privacy Model, which is the most complex and powerful one. Other modules are used for special purposes.

==== Demonstration Goal ====

A small medical treatment center wants to use centralized data management. A high level of privacy is to be guaranteed for all patient data, but statistical research on operations and selective data transmission to other centers must remain possible. The principles of minimal knowledge and separation of duties are to be enforced.

Storing and processing of data are done within one protected system without remote access from, or transfer to, other systems. The only exceptions are the transfer of billing data to the patient's medical insurance company and the necessary transfer of diagnosis data to another medical treatment center. Both require a secure network connection.
The patient's way through treatment shall follow these steps:

  - Reception by a clerk
  - Diagnosis and treatment instruction by an examination specialist
  - Operation by a surgeon or transfer to another medical treatment center
  - Recovering therapy
  - Dismissal by a clerk
  - Billing to the patient's medical insurance company

==== Transferral into Privacy Model ====

First of all, the purposes of data storage and their tasks are defined:

^ Purpose ^ Treatment ^ Management ^ Research ^
| Tasks | Diagnosis | Reception | Statistics |
| | Operation | Dismissal | |
| | Therapy | Billing | |
| | Transfer | Data Transfer | |

For storage the following object classes are needed:

^ Object class ^ Purpose ^ Contents ^
| Reception data | Management | Basic patient data |
| Billing data | Management | Data needed for billing |
| Diagnosis | Treatment | Diagnosis data |
| Treatment instruction | Treatment | Instructions for surgeons and therapists |
| Operation data | Treatment | Operation protocol |
| Action data | Management, Treatment | Protocol of treatment actions |
| Statistics | Research | Statistics on operations |

Next, users are defined and authorized for their tasks:

^ User ^ Authorized Tasks ^
| Examinator | Diagnosis, Therapy, Transfer |
| Surgeon | Operation, Transfer |
| Therapist | Therapy |
| Clerk | Reception, Dismissal |
| Billing clerk | Billing, Data transfer |
| Scientist | Statistics |

Data processing is done by transformation procedures (TPs):

^ TP ^ Usage for ^
| pm_create | Creation of data files of a class |
| Appending editor | Appending text to an existing file |
| Editor | Modifying a text file |
| Display program | Displaying a text file on the screen |
| Deletion program | Deletion of a file |
| Transfer program | Encrypted data transfer by interprocess communication |
| Statistics program | Reading files, calculating statistics, writing those to another file |

The next step is the definition of authorized TPs for all tasks:

^ Task ^ Authorized TP ^
| Diagnosis | pm_create, Appending editor, Editor, Display program |
| Operation | pm_create, Appending editor, Editor, Display program |
| Therapy | Appending editor, Display program |
| Transfer | Transfer program |
| Reception | pm_create, Editor |
| Dismissal | Appending editor |
| Billing | Editor, Display program |
| Data transfer | Transfer program |
| Statistics | pm_create, Editor, Statistics program |

Finally, all necessary accesses are to be given. Possible accesses are Read, Write, Delete, Create and Append.

^ Task ^ Object class ^ TP ^ Accesses ^
| Diagnosis | Diagnosis | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| " | " | Display program | Read |
| " | Action data | Appending editor | Append |
| " | Treatment instruction | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| Operation | Treatment instruction | Display program | Read |
| " | Operation data | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| " | Action data | Appending editor | Append |
| Therapy | Treatment instruction | Display program | Read |
| " | Action data | Appending editor | Append |
| Transfer | Diagnosis | Transfer program | Read |
| " | Treatment instruction | Transfer program | Read |
| " | Interprocess Communication | Transfer program | Create, Write, Append |
| Reception | Reception data | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| " | Action data | pm_create | Create |
| " | " | Appending editor | Append |
| Dismissal | Reception data | Appending editor | Append |
| " | Action data | Appending editor | Append |
| Billing | Action data | Display program | Read |
| " | Billing data | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| Data transfer | Billing data | Transfer program | Read |
| " | Interprocess Communication | Transfer program | Create, Write, Append |
| Statistics | Statistics data | pm_create | Create |
| " | " | Editor | Read, Write, Append |
| " | " | Deletion program | Delete |
| " | " | Statistics program | Write, Append |
| " | Diagnosis | Statistics program | Read |
| " | Treatment instruction | Statistics program | Read |
| " | Operation data | Statistics program | Read |

All data must be entered by a security officer with rsbac_pm, using tickets provided by a data protection officer with the same program. Currently, all object classes, tasks, purposes etc. must be entered as numbers, leaving the mapping between numbers and names to the humans.

==== Other Models ====

Since the Privacy Model only protects personal data and system calls, other data are still only protected by discretionary access control and should be protected by another security model. At least the identification and authentication file /etc/shadow should also be declared as personal data with its own object class, so that only necessary accesses by authorized programs can be performed.

In this example Functional Control can be used to restrict access to security relevant files. In this model, objects of the categories security object and system object are only accessible by security officers (not necessarily the same users as in PM) and administrators. If only unauthorized modification must be prevented, e.g. for /etc/passwd, the Security Information Modification model with its attribute data type should be sufficient. The Mandatory Model should additionally be used for confidential, but not personal, data, e.g. business data.

==== Steps of Treatment from the System's Point of View ====

A patient's progress through the medical treatment center is covered by the following steps:

  - The clerk checks in the patient. She creates a file for action data with pm_create and a file for reception data with the editor, appending the reception to the action file.
  - The examination specialist creates a diagnosis file and uses the editor to write and change her diagnosis. Then she creates and fills a treatment instruction file for this patient with the editor, changing it when necessary. Finally she appends her actions to the action file. If necessary, she can transfer a patient to another specialist or medical treatment center. For this she can transfer diagnosis and treatment instruction data by the transfer program.
  - The surgeon reads her treatment instruction with the display program and operates on the patient. Afterwards she creates and edits the operation data file, writing a protocol of the operation. As before, all actions are appended to the action file. Like the examinator, the surgeon can transfer patients to another specialist or medical treatment center. For this she can also transfer diagnosis and treatment instruction data by the transfer program.
  - The therapist also reads her treatment instructions, works with the patient and appends her actions to the action file.
  - When the treatment has been completed, the patient is dismissed by the clerk, who finishes reception and action data with the appending editor.
  - At last, the billing clerk reads the action file and creates and edits the billing file, which she transfers to the patient's medical insurance company by the transfer program.
  - Diagnoses, treatment instructions and operation data can be read by the scientist's statistics program, generating statistical data. Reading of other data requires the patient's consent for the purpose research. Statistical data files can only be created, changed and deleted by users with the current task statistics.

\\
----
**Table of Contents:** [[documentation:rsbac_handbook|RSBAC Handbook]]\\
**Back:** [[documentation:rsbac_handbook:configuration_basics:administration_examples|Administration Examples]]\\
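The following Python script is an added example, not part of the RSBAC handbook and not the code of rsbac_pm; it encodes the three tables from the "Transferral into Privacy Model" section (authorized tasks per user, authorized TPs per task, necessary accesses per task, object class and TP) and simulates the decision a PM-style reference monitor would make for a request, using the names from the tables instead of the numbers rsbac_pm expects. The order of the checks, the one-letter access codes, the `Request` type and the `decide` and `policy_inconsistencies` functions are assumptions of this simulation; tickets, consent and the other attributes of the real model are not modelled. The consistency check is the step an administrator should run before typing a policy into rsbac_pm: it reports necessary-access rows whose TP is not authorized for the task, which can never be exercised, and on the tables as printed above it finds three such rows (Reception with Appending editor, Billing with pm_create, Statistics with Deletion program).

```python
"""Simulation of the Privacy Model example: three policy tables and a decision
function. Added example; names follow the handbook page, numbers are omitted."""
from typing import NamedTuple

# Access letters used by this simulation (assumption): C=Create R=Read W=Write D=Delete A=Append
USER_TASKS = {
    "Examinator": {"Diagnosis", "Therapy", "Transfer"},
    "Surgeon": {"Operation", "Transfer"},
    "Therapist": {"Therapy"},
    "Clerk": {"Reception", "Dismissal"},
    "Billing clerk": {"Billing", "Data transfer"},
    "Scientist": {"Statistics"},
}
TASK_TPS = {
    "Diagnosis": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Operation": {"pm_create", "Appending editor", "Editor", "Display program"},
    "Therapy": {"Appending editor", "Display program"},
    "Transfer": {"Transfer program"},
    "Reception": {"pm_create", "Editor"},
    "Dismissal": {"Appending editor"},
    "Billing": {"Editor", "Display program"},
    "Data transfer": {"Transfer program"},
    "Statistics": {"pm_create", "Editor", "Statistics program"},
}
# (task, object class) -> {TP: necessary accesses}, one entry per row of the page's table
NECESSARY = {
    ("Diagnosis", "Diagnosis"): {"pm_create": "C", "Editor": "RWA", "Display program": "R"},
    ("Diagnosis", "Action data"): {"Appending editor": "A"},
    ("Diagnosis", "Treatment instruction"): {"pm_create": "C", "Editor": "RWA"},
    ("Operation", "Treatment instruction"): {"Display program": "R"},
    ("Operation", "Operation data"): {"pm_create": "C", "Editor": "RWA"},
    ("Operation", "Action data"): {"Appending editor": "A"},
    ("Therapy", "Treatment instruction"): {"Display program": "R"},
    ("Therapy", "Action data"): {"Appending editor": "A"},
    ("Transfer", "Diagnosis"): {"Transfer program": "R"},
    ("Transfer", "Treatment instruction"): {"Transfer program": "R"},
    ("Transfer", "Interprocess Communication"): {"Transfer program": "CWA"},
    ("Reception", "Reception data"): {"pm_create": "C", "Editor": "RWA"},
    ("Reception", "Action data"): {"pm_create": "C", "Appending editor": "A"},
    ("Dismissal", "Reception data"): {"Appending editor": "A"},
    ("Dismissal", "Action data"): {"Appending editor": "A"},
    ("Billing", "Action data"): {"Display program": "R"},
    ("Billing", "Billing data"): {"pm_create": "C", "Editor": "RWA"},
    ("Data transfer", "Billing data"): {"Transfer program": "R"},
    ("Data transfer", "Interprocess Communication"): {"Transfer program": "CWA"},
    ("Statistics", "Statistics data"): {"pm_create": "C", "Editor": "RWA",
                                        "Deletion program": "D", "Statistics program": "WA"},
    ("Statistics", "Diagnosis"): {"Statistics program": "R"},
    ("Statistics", "Treatment instruction"): {"Statistics program": "R"},
    ("Statistics", "Operation data"): {"Statistics program": "R"},
}


class Request(NamedTuple):
    user: str
    task: str       # the user's current task
    tp: str         # transformation procedure the process runs
    obj_class: str  # object class of the file or IPC object
    access: str     # one access letter


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). All three tables must agree; the checks run in
    the order an administrator would debug them: user -> task -> TP -> access."""
    if req.task not in USER_TASKS.get(req.user, set()):
        return False, f"{req.user} is not authorized for task {req.task}"
    if req.tp not in TASK_TPS.get(req.task, set()):
        return False, f"TP {req.tp} is not authorized for task {req.task}"
    granted = NECESSARY.get((req.task, req.obj_class), {}).get(req.tp, "")
    if req.access not in granted:
        return False, (f"{req.access} on {req.obj_class} via {req.tp} "
                       f"is not a necessary access of task {req.task}")
    return True, "necessary access"


def policy_inconsistencies() -> list[tuple[str, str]]:
    """(task, TP) pairs that appear in the necessary-accesses table but not in
    the authorized-TPs table: those rows can never be exercised."""
    return sorted({(task, tp) for (task, _cls), tps in NECESSARY.items()
                   for tp in tps if tp not in TASK_TPS[task]})


if __name__ == "__main__":
    # Constructed requests following the treatment steps, plus two that must fail
    scenario = [
        Request("Clerk", "Reception", "pm_create", "Reception data", "C"),
        Request("Examinator", "Diagnosis", "Editor", "Diagnosis", "W"),
        Request("Surgeon", "Operation", "Display program", "Treatment instruction", "R"),
        Request("Surgeon", "Operation", "Editor", "Diagnosis", "R"),           # minimal knowledge
        Request("Examinator", "Diagnosis", "Transfer program", "Diagnosis", "R"),  # wrong task
        Request("Examinator", "Transfer", "Transfer program", "Diagnosis", "R"),
        Request("Scientist", "Statistics", "Statistics program", "Reception data", "R"),
    ]
    for r in scenario:
        ok, why = decide(r)
        print("ALLOW" if ok else "DENY ", *r, "-", why)
    print("rows that can never be exercised:", policy_inconsistencies())
```

Note that the same access is decided differently depending on the current task: the examinator may read a diagnosis with the transfer program only while her current task is Transfer, not Diagnosis, which is how the model keeps a program from being usable for a purpose it was not authorized for. The surgeon's request to read the diagnosis file is refused although the surgeon is a legitimate user of the system, because the necessary-accesses table gives the Operation task only the treatment instruction; that is the minimal-knowledge principle from the demonstration goal made operational.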