Access Control Model for Regulated Documents

Use RBAC as the backbone, with classification- and attribute-based constraints. Many regulated organizations approach MAC-like behavior for high-sensitivity content.

Base Model: RBAC + ABAC Hybrid

RBAC (Role-Based Access Control)

Roles mapped to permission sets over document types and classifications.

Role	Permissions
`clinician`	doc.read, doc.view_phi (facility-scoped)
`billing`	doc.read (billing docs only)
`trader`	doc.read, doc.write (desk-scoped)
`compliance_officer`	doc.read, doc.approve, doc.audit
`records_manager`	doc.read, doc.archive, doc.destroy
`admin`	All permissions

ABAC (Attribute-Based Access Control)

Attributes from metadata (document) and user profile refine decisions.

Document Attributes:

jurisdiction
business_unit
classification
contains_phi
contains_financial

User Attributes:

location
org_unit
clearance_level
certifications

Classification-Aware Rules

PHI Documents

Readable only by roles with phi_access = true
Must be within same facility/jurisdiction
Access logged for HIPAA audit

Trading Procedures

Limited to specific desks
Plus compliance and audit roles
Requires trading_desk attribute match

Confidential Documents

Requires security_clearance >= confidential
Manager approval for external sharing

Example Policy Rules

# PHI Access Rule
allow(user, "doc.read", doc) if:
  user.roles contains "clinician" AND
  user.permissions contains "doc.view_phi" AND
  doc.contains_phi == true AND
  user.facility == doc.facility

# Trading Desk Rule
allow(user, "doc.read", doc) if:
  user.roles contains "trader" AND
  doc.domain == "trading" AND
  user.desk in doc.allowed_desks

# Compliance Override
allow(user, "doc.read", doc) if:
  user.roles contains "compliance_officer"

Least Privilege and Segregation of Duties

Least Privilege

Enforce at role definition
Regularly review role-permission mappings
Remove unused permissions

Segregation of Duties

Author cannot finally approve own policy
Different reviewers at each stage
Dual control for destruction

Implementation Pattern

Central Policy Engine

Use OPA, Cedar, or custom PDP:

allow(user, action, doc) → boolean

Components

Component	Description
Policy Decision Point (PDP)	Evaluates access requests
Policy Information Point (PIP)	Provides user/resource attributes
Policy Enforcement Point (PEP)	Enforces PDP decisions
Policy Administration Point (PAP)	Manages policy rules

Example Flow

User requests access to document
PEP intercepts request
PIP loads user roles + attributes from DB
PIP loads document metadata from DB
PDP evaluates policy
PEP enforces allow/deny
Audit log records decision

High-Sensitivity Content (MAC-like)

For highly sensitive subsets (special PHI, financial records):

System-enforced clearances
Non-bypassable rules
Layered on top of RBAC

Base Model: RBAC + ABAC Hybrid​

RBAC (Role-Based Access Control)​

ABAC (Attribute-Based Access Control)​

Classification-Aware Rules​

PHI Documents​

Trading Procedures​

Confidential Documents​

Example Policy Rules​

Least Privilege and Segregation of Duties​

Least Privilege​

Segregation of Duties​

Implementation Pattern​

Central Policy Engine​

Components​

Example Flow​

High-Sensitivity Content (MAC-like)​

References​