Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Is this Roles?

Re: Is this Roles?

From: Ed Prochak <ed.prochak_at_magicinterface.com>
Date: 4 Oct 2004 10:45:11 -0700
Message-ID: <4b5394b2.0410040945.2d404b01@posting.google.com>


rmorea_at_satx.rr.com (Craig Morea) wrote in message news:<b9319429.0410040253.661ffb1c_at_posting.google.com>...
> Hi,
>
> I am a non-technical manager who needs to understand technical issues
> concerning database management (probably mostly Oracle) well enough to
> know what the tech-guys are talking about. If I can understand how it
> all works at the flowchart model level, it is not necessary that I
> understand how to code it. I apologize if this question is in the
> wrong place and would accept redirection if that is appropriate.
>
> The main issue I need to understand is a variation on roles-based
> access. There is quite a bit of information available on how systems
> use roles to grant or limit permissions, but I have not found what I
> am looking for. Since many examples focus on hospitals, I will make
> my example along the same lines:
>
> The general assumption seems to be that Doctors have more permissions
> than Nurses. This is fine. But both Doctors and Nurses always seem
> to have access to all the records in the hospital. I want to be able
> to restrict their access to the records of patients specifically
> assigned to them.

Since both examples you mentioned are similar, let's just look at roles DOCTORS and NURSES and patient data. The nurses need access to basic info like name, room, age, height, weight, diet, and medications. Doctors need additional information such as diagnosis and prognosis, family history, and test results. ROLES can make that division fairly easy.

Now when you want to make more detailed restrictions, such as only allowing nurses to view patient records assigned to them, that would likely be done at the application (programming) level. ROLES would be awkward to use for this. Consider, if roles were to be used like this, you'd have to create a role for every individual nurse. Kind of loses its generic nature when you try to use a role like that.
>
> Also, I'd like to be able to grant access to personnel data on
> employees, to the employee's supervisor, and also to his supervisor's
> supervisor, all the way up the chain, but not to anyone outside the
> chain. This appears to be partly a role issue, since supervisors can
> only see certain data, but it is also beyond roles, because the
> question is "who is supervisor of who?," and it gets worse when you
> want to add supervisor's supervisor, etc.

Sometimes this kind of application of ROLES can work, except you remove the recursive descriptions (supervisor's supervisor) and work in hierarchical terms, assigning titles like team lead, manager, department manager, VP, Exec. VP, etc.

A CFO needs access to corporate information that a VP is restricted from using.
>
> So...I'm not looking for solutions (unless you happen to have one
> handy). But an assessment of whether these things are even possible
> and an explanation of where to start looking to tackle this kind of
> thing would be appreciated.
>
> Thanks,
>
> Craig

ROLES can help, but much of what you desire needs to be done in the application software. If you are considering a package, e.g., ORACLE HR, much of that is built in and you may just need to assign users to the right ROLES (departments, job positions).

If you are building your own system, the developers/designers can make this fairly flexible by having many of the rules be table driven. That way, changing the rules can be done just by changing the database, with little or no change to the application programs.

Feel free to contact me if you'd like (phone or email). Otherwise, there are also several other wise and knowledgeable people in this group that can help. I'm sure you'll see their posts soon too.

Ed Prochak
Magic Interface, Ltd.
440-498-3700

Received on Mon Oct 04 2004 - 12:45:11 CDT
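The table-driven, application-level checks described in the reply above, as an added example that is not part of the original post: the role decides which columns are visible, an assignment table decides which patient rows, and the supervisor chain is walked with a recursive query. SQLite stands in for the database here, and all table names, column names and sample rows are hypothetical and constructed for the illustration.

```python
import sqlite3

PATIENT_COLUMNS = {"name", "diet", "diagnosis"}  # real columns of the patient table

def build_db():
    """In-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE staff(id INTEGER PRIMARY KEY, name TEXT, role TEXT,
                       supervisor_id INTEGER REFERENCES staff(id));
    CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, diet TEXT, diagnosis TEXT);
    CREATE TABLE assignment(staff_id INTEGER, patient_id INTEGER);
    CREATE TABLE role_column(role TEXT, column_name TEXT);  -- rule table
    INSERT INTO staff VALUES (1,'Chief','DOCTOR',NULL),(2,'Dr. A','DOCTOR',1),
                             (3,'Nurse B','NURSE',2),(4,'Nurse C','NURSE',1);
    INSERT INTO patient VALUES (10,'P10','low salt','dx-10'),(11,'P11','regular','dx-11');
    INSERT INTO assignment VALUES (2,10),(3,10),(4,11);
    INSERT INTO role_column VALUES ('NURSE','name'),('NURSE','diet'),
        ('DOCTOR','name'),('DOCTOR','diet'),('DOCTOR','diagnosis');
    """)
    return db

def visible_patients(db, staff_id):
    """Patients assigned to this staff member, limited to the columns the role allows."""
    cols = [c for (c,) in db.execute(
        "SELECT rc.column_name FROM role_column rc JOIN staff s ON s.role = rc.role "
        "WHERE s.id = ? ORDER BY rc.column_name", (staff_id,))
        if c in PATIENT_COLUMNS]  # never splice an unknown name from the rule table into SQL
    if not cols:
        return []  # no rule for this role means no access
    sql = ("SELECT " + ", ".join("p." + c for c in cols) + " FROM patient p "
           "JOIN assignment a ON a.patient_id = p.id WHERE a.staff_id = ? ORDER BY p.id")
    return [dict(zip(cols, row)) for row in db.execute(sql, (staff_id,))]

def can_view_personnel(db, viewer_id, employee_id):
    """True only if the viewer is somewhere above the employee in the supervisor chain."""
    row = db.execute("""
        WITH RECURSIVE chain(id) AS (
            SELECT supervisor_id FROM staff WHERE id = ?
            UNION  -- UNION (not UNION ALL) drops repeats, so a bad cycle still terminates
            SELECT s.supervisor_id FROM staff s JOIN chain c ON s.id = c.id
        )
        SELECT 1 FROM chain WHERE id = ?""", (employee_id, viewer_id)).fetchone()
    return row is not None
```

Changing who sees what is then a matter of editing rows in `role_column`, `assignment` or `staff.supervisor_id`, with no change to the two functions.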
