Role-based access control for data service integration

摘要

We describe the implementation of role-based access control in a data service integration system. Users in research or other projects may access a diverse collection of data sources but are to allowed access to only the part of the data collection that is necessary for their purposes. To simplify the administration of the access control, Role Based Access control is used, with the role hierarchy defined within and limited to each project. User queries to the integration system are analysed for their data access needs and those needs checked against the access control policies. The policies for the data held by individual data custodians can be managed and implemented by the custodian, or held in a central authorisation server in the integration system. The system is built around the Security Assertion Markup Language and eXtensible Access Control Markup Language standards. The access control architecture was developed for a health data integration system, but both the architecture and some of itscomponents for authentication and authorisation could be readily reused in other similar systems.