Simplified Security Model

We have developed a more complex security model, discussed under Ideal Security Model. While it is ideal in the sense that it is the most flexible, it is a much bigger endeavor that would require a significant amount of functional and load testing, as well as development time. Therefore, we've applied the "80/20" rule and constructed a simplified security model, which should cover at least 80% of the use cases for security, thus annoying only 20% of your users.

Differences Between the Simplified Model and the Ideal Model

The Simplified Model defines a finite set of roles that can be applied to individuals and systems. This means that, despite not owning the database being supplied from the System of Record, we are defining the security model for this information. This model may conflict with the model the department normally uses to secure the information.

This contrasts with the Ideal Security Model, which is flexible enough that each department would have had almost complete control over how its information was accessed and could potentially represent its own security model. However, this is a much more complex system, requiring significantly more resources and testing, and was not feasible for a first release.

Description of the Simplified Model

The simplified model is based on a series of roles, each of which grants certain access and privileges. Holders of a particular role for a System of Record may grant other roles.

Roles

Application Administrator

An Application Administrator has complete control of the system. He or she can grant any roles necessary and has access to all Systems of Record and information. Application Administrators are typically the owners of the local OpenRegistry deployment (i.e. the IdM Group).

Department Administrator

Data Entry

Help Desk Tier 3

A Help Desk Tier 3 staff member would have complete read access to all Systems of Record (and the calculated person) and can grant Help Desk Tier 3 access to others, as well as lower-level Help Desk access (Tier 2 and Tier 1). Help Desk Tier 3 members can also execute the Split/Join Use Cases.
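The grant rules stated so far (Application Administrator grants any role; Help Desk Tier 3 grants Tier 3, Tier 2 and Tier 1) can be checked as a deny-by-default delegation table. This is an added sketch, not OpenRegistry code. The role identifiers, user and SoR names, and the per-SoR scoping with a `*` wildcard are assumptions, and roles this page does not define are given no grant rights.

```python
from dataclasses import dataclass, field

ALL = "*"  # assumed wildcard scope: every System of Record

# Role identifiers are constructed from the page's role names.
ROLES = {"APP_ADMIN", "DEPT_ADMIN", "DATA_ENTRY",
         "HELPDESK_T3", "HELPDESK_T2", "HELPDESK_T1"}

# Grant rights exactly as the page states them. Roles the page leaves
# undefined have no entry, so they can grant nothing (default deny).
MAY_GRANT = {
    "APP_ADMIN": ROLES,
    "HELPDESK_T3": {"HELPDESK_T3", "HELPDESK_T2", "HELPDESK_T1"},
}

@dataclass
class Registry:
    assignments: dict = field(default_factory=dict)  # user -> {(role, sor)}
    audit: list = field(default_factory=list)        # every attempt, allowed or not

    def holds(self, user, role, sor):
        held = self.assignments.get(user, set())
        return (role, sor) in held or (role, ALL) in held

    def grant(self, granter, grantee, role, sor):
        # Allowed only if the granter holds, for this SoR (or for all SoRs),
        # a role whose grant set contains the requested role.
        allowed = role in ROLES and any(
            role in MAY_GRANT.get(held_role, ()) and scope in (sor, ALL)
            for held_role, scope in self.assignments.get(granter, set()))
        self.audit.append((granter, grantee, role, sor, "ALLOW" if allowed else "DENY"))
        if allowed:
            self.assignments.setdefault(grantee, set()).add((role, sor))
        return allowed

def demo():
    # Constructed users and SoR names ("HR", "SIS").
    reg = Registry({"alice": {("APP_ADMIN", ALL)}})
    results = [
        reg.grant("alice", "bob", "HELPDESK_T3", "HR"),    # admin grants any role
        reg.grant("bob", "carol", "HELPDESK_T1", "HR"),    # Tier 3 grants lower tier
        reg.grant("bob", "carol", "HELPDESK_T1", "SIS"),   # bob holds nothing for SIS
        reg.grant("bob", "bob", "APP_ADMIN", "HR"),        # self-escalation attempt
        reg.grant("carol", "dave", "HELPDESK_T1", "HR"),   # Tier 1: no grant rights defined
    ]
    return results, reg

if __name__ == "__main__":
    print(demo()[0])
```

Denied attempts are written to the audit list as well, so a review of grant activity shows escalation attempts and not only successful grants.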

Help Desk Tier 2

Help Desk Tier 1