From Clinfowiki

Authorization is the process of specifying access rights to resources. It defines who is authorized to do and see what. Along with authentication and audit trails, authorization is one of the three pillars of security in any given system.[1] A well-formed authorization design should not prevent providers from carrying out their patient care activities. Fundamentally, all secured information systems are designed on a "need to know" basis. Each user has the minimum access that lets them perform their required tasks, and is restricted from accessing unnecessary or confidential information in the system.[2]

Authorization Types

Authorization can be user based, role based, or context based.

  • User based: In user based authorization, access rights are assigned to individuals based on who they are as an individual. For example: "Dr. Smith has the right to..."
  • Role based: In role based authorization, rights are assigned to individuals based on their role in the organization. For example: "All doctors have the right to view...". This form of access granting is usually more scalable than the user based type, because when new users are added to the system, the set of rights can stay the same and only the new user is added to the list.
  • Context based: In context based authorization, rights are assigned to individuals based on who they are and where they are or what they are doing. This form of authorization is the most secure among the three forms.

When a user is authorized, the system can take one of two approaches to keep the user from accessing restricted data: form-based authorization and field-based authorization.

Form-Based Authorization

This approach restricts a particular user or role from accessing a whole function. For instance, a provider might be restricted from accessing the patient registration form, or a nurse might be restricted from accessing the accounting form. In this approach, the user or role is completely denied from seeing a particular form, and might also be prevented from seeing that the function is available in the system.

Field-Based Authorization

In this approach, security designers take a granular approach that allows different users or roles to access the same resource but with different views. These users might have access to the same form, but they might see different functions with different effects on the system. An example of this approach is a patient dashboard that displays different aspects of the institution's current information, where some information is visible only to providers and other information is visible to hospital administrators.
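
The two approaches can be combined in one role based check. The following is an added example, not part of the original article: the role names, form names, field names and the sample record are all constructed for illustration.

```python
# Added example: every role, form and field name here is a constructed assumption.

# Form-level policy: which roles may open a form at all.
FORM_ACCESS = {
    "patient_registration": {"registrar"},
    "accounting": {"administrator"},
    "patient_dashboard": {"provider", "nurse", "administrator"},
}

# Field-level policy: which fields of a shared form each role may see.
FIELD_ACCESS = {
    "patient_dashboard": {
        "provider": {"name", "diagnosis", "medications"},
        "nurse": {"name", "medications"},
        "administrator": {"name", "billing_status"},
    },
}

# Constructed sample record, not real patient data.
RECORD = {
    "name": "Test Patient",
    "diagnosis": "constructed value",
    "medications": "constructed value",
    "billing_status": "paid",
}


class AccessDenied(Exception):
    """Raised when a role tries to open a form it is not authorized for."""


def can_open(role, form):
    """Form-level check. Unknown roles and unknown forms are denied by default."""
    return role in FORM_ACCESS.get(form, set())


def visible_forms(role):
    """Forms to list in the menu, so a denied function is not even shown."""
    return sorted(form for form, roles in FORM_ACCESS.items() if role in roles)


def render(role, form, record):
    """Field-level check: return only the fields this role may see on this form."""
    if not can_open(role, form):
        raise AccessDenied(f"{role!r} may not open {form!r}")
    # A form with no field policy for the role yields no fields (default deny).
    allowed = FIELD_ACCESS.get(form, {}).get(role, set())
    return {key: value for key, value in record.items() if key in allowed}
```

Both checks run on the server side of the form; hiding a menu entry or a field in the user interface alone does not restrict access to the underlying data.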


  1. AAA Protocol
  2. Authorization (computer access control)