Utilising organisation structure to design access control

Access control lets an organisation restrict the availability of data and system components. It is useful in a variety of scenarios: for example, if a component is a special feature that the organisation wants to make available only to its premium customers, it can enforce that with an access control mechanism.


In healthcare, various laws and regulations such as HIPAA are in place to ensure that patient data is stored and transferred securely. While multiple checks must be put in place to secure patient data, the first step is to ensure that only the people authorised to handle that data have access to it.


We recently worked on a US based healthcare platform where we designed and developed the whole application from scratch. One of the primary requirements that came up was the need for an access control system within the application which would ensure that patient data could be accessed only by users who had the authority to do so.


We divided the task at hand into two parts:

  • Understanding the organisation structure, i.e., how they were able to maintain access control on patient data while they were working offline.
  • Designing an architecture that:
    • Represented their organisation structure in the most appropriate manner in our application.
    • Took into consideration the ease of implementation on the application logic.


For the first step, we had a couple of discussions with the clients in which we analysed how their organisation was currently set up. We found that the organisation was split into department-like divisions, with each department taking care of a particular activity. Certain data could be accessed only by people who were part of that department. Inside each department there was a hierarchical structure, which further refined the access control within the department. We also found that one person could be part of multiple departments.


With this understanding we moved on to the next part, designing an architecture, and worked out how we could replicate this structure efficiently in our application. We proposed two new attributes that would be attached to the users of the organisation, with which we could create an architecture that represented the organisation's original structure. These are described below:

  • User Role – All the activities that users performed in the organisation were listed, and those that required special permission to be performed were represented by user roles. A user could play one or multiple roles in the organisation. Each role would grant the users holding it certain authorisations that other users would not have.
  • User Level – User levels were introduced to represent the hierarchy that existed within the organisation.


Using the combination of both of these we were able to introduce an effective access control system in our application, similar in structure to the organisation's original structure.
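As an added illustration (not the code from the project described above), the following Python sketch models the three ideas the case study combines: department membership as the outer boundary, roles that grant permissions, and a level that encodes the hierarchy inside a department. All names, the role-to-permission table and the sample users and records are constructed for this example; the assumption that a higher level number means a more senior position is also ours.

```python
from dataclasses import dataclass

# Constructed role -> permission table (assumption, not the project's own).
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart"},
    "nurse": {"read_chart"},
    "billing_clerk": {"read_billing"},
}

@dataclass(frozen=True)
class Membership:
    department: str
    roles: frozenset   # a user may hold several roles
    level: int         # assumption: higher number = more senior in this department

@dataclass(frozen=True)
class User:
    name: str
    memberships: tuple  # one person can be part of multiple departments

@dataclass(frozen=True)
class Record:
    record_id: str
    department: str  # only members of this department may see the record
    min_level: int   # hierarchy floor required inside that department

def can_perform(user, permission, record):
    """Deny by default. Role, level and department are checked on the *same*
    membership, so a role held in one department grants nothing on another
    department's data, which mirrors the department boundary in the text."""
    for m in user.memberships:
        if m.department != record.department:
            continue
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in m.roles))
        if permission in granted and m.level >= record.min_level:
            return True
    return False

# Constructed sample data: asha is a senior cardiology physician who also clerks in billing.
USERS = {
    "asha": User("asha", (Membership("cardiology", frozenset({"physician"}), 3),
                          Membership("billing", frozenset({"billing_clerk"}), 1))),
    "ben": User("ben", (Membership("cardiology", frozenset({"nurse"}), 1),)),
}
RECORDS = {
    "chart-1": Record("chart-1", "cardiology", 1),
    "chart-2": Record("chart-2", "cardiology", 2),  # senior cardiology staff only
    "inv-9": Record("inv-9", "billing", 1),
}

def access_matrix(permission, users=USERS, records=RECORDS):
    """Who can do `permission` on which record; useful for reviewing a policy."""
    return {(u, r): can_perform(users[u], permission, records[r]) for u in users for r in records}
```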


Since our solution was based on how their organisation already worked, which we had gathered from our interactions with the client, we were able to propose an architecture that closely matched their existing organisation structure. This eased their learning curve with the new application, while also letting us implement the solution easily, since we had taken ease of implementation into account before proposing it.


For a technical view of how the solution was implemented, please refer to this blog.


Designing an access control architecture by incorporating the organisation's existing structure.

