Jim Kennedy wrote:
> "Craig Morea" <rmorea_at_satx.rr.com> wrote in message
> news:b9319429.0410040253.661ffb1c_at_posting.google.com...
>
>>Hi,
>>
>>I am a non-technical manager who needs to understand technical issues
>>concerning database management (probably mostly Oracle) well enough to
>>know what the tech-guys are talking about. If I can understand how it
>>all works at the flowchart model level, it is not necessary that I
>>understand how to code it. I apologize if this question is in the
>>wrong place and would accept redirection if that is appropriate.
>>
>>The main issue I need to understand is a variation on roles-based
>>access. There is quite a bit of information available on how systems
>>use roles to grant or limit permissions, but I have not found what I
>>am looking for. Since many examples focus on hospitals, I will make
>>my example along the same lines:
>>
>>The general assumption seems to be that Doctors have more permissions
>>than Nurses. This is fine. But both Doctors and Nurses always seem
>>to have access to all the records in the hospital. I want to be able
>>to restrict their access to the records of patients specifically
>>assigned to them.
>>
>>Also, I'd like to be able to grant access to personnel data on
>>employees, to the employee's supervisor, and also to his supervisor's
>>supervisor, all the way up the chain, but not to anyone outside the
>>chain. This appears to be partly a role issue, since supervisors can
>>only see certain data, but it is also beyond roles, because the
>>question is "who is supervisor of who?," and it gets worse when you
>>want to add supervisor's supervisor, etc.
>>
>>So...I'm not looking for solutions (unless you happen to have one
>>handy). But an assessment of whether these things are even possible
>>and an explanation of where to start looking to tackle this kind of
>>thing would be appreciated.
>>
>>Thanks,
>>
>>Craig
>
>
> Others have answered as to how to do it so I won't repeat their suggestions.
> One suggestion I do have is that you consider allowing Nurses or Dr.'s to
> "break the glass" and log the glass breaking. If in fact you are talking
> about a medical application then there are instances where you do NOT want
> to restrict the information because to do so would endanger a patient's
> life. By breaking the glass I mean that the Nurse or Dr could view a chart
> (in its entirety, or the confidential parts) and the access is logged. As
> long as Dr.'s and Nurses know that their access is logged then it is less
> likely that they will "break the glass" without a very good reason.
> Jim
An excellent recommendation.
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)
Received on Mon Oct 04 2004 - 23:01:01 CDT
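
An added example, not part of the original thread: a small Python model of the three ideas discussed above (chart access limited to assigned patients, personnel access limited to the employee's supervisor chain, and a logged "break the glass" override). All names and sample data are constructed, and requiring a written reason for the override and limiting it to clinical staff are assumptions of this sketch.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the thread).
ASSIGNED = {"dr_adams": {"p1", "p2"}, "nurse_bell": {"p2"}}    # clinician -> assigned patients
SUPERVISOR = {"emp_cole": "mgr_diaz", "mgr_diaz": "vp_evans",   # employee -> direct supervisor
              "emp_ford": "mgr_gray", "mgr_gray": "vp_evans"}
AUDIT_LOG = []  # stands in for an append-only table that clinicians cannot modify


def audit(user, action, target, reason=""):
    """Record every access decision, including denials."""
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action,
                      "target": target, "reason": reason})


def supervisor_chain(employee):
    """Return every supervisor above `employee`, nearest first."""
    chain, seen = [], {employee}
    boss = SUPERVISOR.get(employee)
    while boss is not None and boss not in seen:  # `seen` stops a cyclic org chart looping forever
        chain.append(boss)
        seen.add(boss)
        boss = SUPERVISOR.get(boss)
    return chain


def can_view_personnel(viewer, employee):
    """Only people in the employee's own reporting chain may see the record."""
    return viewer in supervisor_chain(employee)


def view_chart(user, patient, break_glass_reason=None):
    """Assigned clinicians get normal access; other clinicians must break the glass."""
    if patient in ASSIGNED.get(user, set()):
        audit(user, "view", patient)
        return True
    reason = (break_glass_reason or "").strip()
    if user in ASSIGNED and reason:               # assumption: override is for clinical staff only
        audit(user, "BREAK_GLASS", patient, reason)
        return True
    audit(user, "denied", patient)
    return False
```

Reviewing the BREAK_GLASS entries in the log is what makes the override a deterrent rather than a loophole.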