We present a model of authorisation that is more powerful than Role Based Access Control (RBAC), and is suitable for complex web applications in addition to computer systems administration. It achieves its functionality by combining Identity Based Access Control (IBAC) and RBAC in novel ways. A particular feature of the model is a rigorous definition of override, for granting access to data and resources in exceptional circumstances. Despite its power, the model can be implemented by a single algorithm, as an extension to RBAC. The basis of the model is a new concept of permission, which we call Confidentiality Permission. There are five types of confidentiality permission, for granting access rights for identities and roles; also negative confidentiality permissions, for denying access to data and resources, exist. A single concept of Collection is used for structuring roles, identities, resource and resource type, although the RBAC general and limited role hierarchies can be used if desired. Confidentiality permissions may be defined to inherit within collections, thereby providing a mechanism for confidentiality permission assignment; however confidentiality permissions may be assigned in other ways that do not depend on collections. We use a demanding scenario from Electronic Health Records to illustrate the power of the model. We have produced several demonstrators, one of which utilises the model to control data retrieval from commercial GP and Social Services systems.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	J J Longstaff, MG Thick, G Capper, MA Lockyer, Eliciting and recording eHR/ePR Patient Consent in the context of the Tees Confidentiality Model, HC2002 Conference, Harrogate, England, March 2002.
	2	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
	3	www.nhsia.nhs.uk/confidentiality/pages/consultation/
	4	J. J. Longstaff , M. A. Lockyer , M. G. Thick, A model of accountability, confidentiality and override for healthcare and other applications, Proceedings of the fifth ACM workshop on Role-based access control, p.71-76, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344304]
	5	J J Longstaff, MG Thick, G Capper, MA Lockyer, eHR and EPR Confidentiality based on Accountability and Consent:Tools for the Caldicott Guardian, Health Informatics Journal, Vol 6 / No 1 March 2000, ISSN 1460-4582
	6	M G Thick, J J Longstaff, G Capper, M A Lockyer, An Authorisation Model Based on Accountability and Consent, Proceedings of TEPR 2001 Conference, Boston, USA, May 2001, Medical Records Institute
	7	Sejong Oh , Ravi Sandhu, A model for role administration using organization structure, Proceedings of the seventh ACM symposium on Access control models and technologies, June 03-04, 2002, Monterey, California, USA  [doi>10.1145/507711.507737]
	8	Michael M. Swift , Anne Hopkins , Peter Brundrett , Cliff Van Dyke , Praerit Garg , Shannon Chan , Mario Goertzel , Gregory Jensenworth, Improving the granularity of access control for Windows 2000, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.398-437, November 2002  [doi>10.1145/581271.581273]
	9	Health Record Infrastructure, version 1.3, NHS Information Authority, 15 October 2002
	10	www.nhsia.nhs.uk/erdip . (Search on 'Tees', "Confidentiality and Consent", etc).
	11	Joon S. Park , Ravi Sandhu , Gail-Joon Ahn, Role-based access control on the web, ACM Transactions on Information and System Security (TISSEC), v.4 n.1, p.37-71, Feb. 2001  [doi>10.1145/383775.383777]