
CN100449450C - Method and system for protecting electronic data objects from unauthorized access - Google Patents


Info

Publication number
CN100449450C
Authority: CN (China)
Prior art keywords: access, data object, data, identification, electronic
Legal status: Expired - Fee Related (Google's assumption, not a legal conclusion)
Application number: CNB2004100397120A
Other languages: Chinese (zh)
Other versions: CN1530792A (en)
Inventors: 德特莱夫·贝克尔, 卡尔海因茨·多恩, 伊凡·墨菲, 格哈德·蒙妮赫, 托马斯·波利
Current assignee: Siemens Corp (listed assignee may be inaccurate; not a legal conclusion)
Original assignee: Siemens Corp
Events: application filed by Siemens Corp; publication of CN1530792A; application granted; publication of CN100449450C; anticipated expiration; current status Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6236 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database between heterogeneous systems
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method and a data processing system for protecting electronic data objects from unauthorized access. The method comprises the steps of: a) generating an electronic data object identifier (56, 57) from the content of the electronic data object, b) determining an access right from the data object identifier (63), and c) permitting access to the electronic data object according to the access right (65). The data processing system has a data processing device (1) that can access electronic data objects and an access control module (7). The access control module (7) generates the data object identifier from the content of the data object and determines the access right from the data object identifier. Access rights include standard rights such as "read", "write" and "execute". The advantage of the invention is that the information used to establish the data object identifier can be stored in the data object itself and is retained, for example, when the data object is copied or transmitted, so that the access rights remain unchanged.

Description

Method and system for protecting electronic data objects from unauthorized access

Technical field

The invention relates to a method for protecting electronic data objects from unauthorized access, to a data processing system implementing the method, and to a storage medium on which information for implementing the method on a data processing device is stored.

Background

The growing use of electronic data objects calls for increasingly intelligent mechanisms for protecting them from unauthorized access. A data object here may be, for example, an individual file, an aggregated file system or a file structure used for storing or holding information. Protecting data objects is especially important at workplaces that are used by several people and from which confidential information can be retrieved. Such information arises, among other places, in medical working environments, in laboratory, research and development environments, or in environments where demographic work is carried out. In general, information about persons in particular requires special protective measures.

Known protection mechanisms are based on encrypting the data objects. Encrypting and decrypting data objects, however, takes considerable time, especially for large data objects, and is therefore impractical in working environments that have to be organized rationally and economically. Moreover, the proper handling of sufficiently strong keys for the encryption system is itself a considerable expense. In particular, changes to the encryption system can only be applied directly to the data stock itself and do not reach other copies of the data object (for example on data carriers or mobile workstations).

In addition, encryption-based protection of data objects provides no protection against deletion of the data object and does not permit differentiated assignment of access rights, such as distinguishing read, write or delete access. In particular, with asymmetric encryption methods all recipients must already be known at the time of encryption, because the public key of every recipient has to be taken into account.

Also known is protection of data objects at the operating system level, where the scope of data access is predetermined by the authorizations of the user logged on to the operating system. The scope of data access rights is determined by so-called access control lists (ACLs), which the operating system assigns to every data object in the file system. The ACL of each data object lists the user-dependent access rights specific to the respective operating system.

To date, however, ACLs are a component of the operating system or file system rather than of the data object: they are copied along with the data object (i.e. inherited) only within the file system and are lost when the object is copied out of that file system. Given the operating-system-specific way in which ACLs work, anything else is impossible. Furthermore, changes to the access rights of a data object that has been copied several times within a file system cannot be made centrally either, because they are not propagated automatically to the copies of the data object.

Furthermore, in medical systems in outpatient settings, for example, or in personnel or financial management systems, it is preferable to restrict particular functions not only to particular users but also in relation to the data being processed. In an outpatient setting, for instance, full access to a patient's private data can be set up as a special case readable only by the attending physician, while the data of all other patients may be accessed by all physicians. Likewise, data types such as laboratory reports can be treated differently: in principle only laboratory staff should have editing rights for such reports, whereas other hospital staff need only read rights. Similar distinctions are equally meaningful in other working environments such as banking or human resources management.

Typically, a user is granted a combination of "create", "read", "update" and "delete" rights (corresponding to the standard rights) depending on the user and the current system or domain. Functional rights, referred to as "execute" rights, are granted only within an application, by the application itself, according to the data type or data content. An "execute" right determines whether a particular function may be performed, for example an image processing operation, the evaluation of a data set, or a diagnosis on an electronic patient record. The assignment of standard rights to users is independent of the data-related assignment of functional "execute" rights. The data-related assignment of functional "execute" rights is in turn application-dependent and may therefore, undesirably, be handled differently by different applications in different domains.

A particular problem of conventional access control is the copying of data objects, for example by sending them by e-mail or transferring them on portable storage media, which occurs in uncontrollable numbers and to an uncontrollable extent. This makes it impossible to change the access rights centrally, after the fact, for copies that are identical in content or for modified copies. Conventional control mechanisms therefore cannot cover all data objects, because neither the number of data objects nor where they occur is known.

Summary of the invention

The technical problem addressed by the invention is to provide a method and a data processing system for assigning access rights to electronic data objects stored for holding information, such that the access rights of a data object, including all of its copies, can be changed from a central location.

The invention solves this technical problem by a method, a data processing system and a storage medium.

The basic idea of the invention is to provide a method for protecting electronic data objects stored for holding information from unauthorized access, in which, in a first step, an electronic data object identifier is generated from the content of the electronic data object, in a next step an access right is determined from the data object identifier, and in a final step access to the electronic data object is permitted according to the access right. A data object is understood here to be a file, an object consisting of one or more files, or a file or directory structure. Access rights are understood here to include both standard rights and functional "execute" rights, i.e. the standard rights are supplemented by freely definable access rights.

The essential element of this approach is the use of an electronic data object identifier that depends on the content of the data object. Access rights can thus be determined starting from the data object itself. The content of the data object that matters for determining access rights is, being itself part of the content, copied along when the object is copied, i.e. inherited, so that every copy of the data object likewise contains the information needed to determine its access rights. The assignment between access rights and the data object identifiers on whose basis access is granted can be held at a central location, for example in the form of a table, and changed there, so that a change to this assignment automatically takes effect for all copies of the data objects. Access rights can therefore be changed at any time from a central location, independently of, and even without knowledge of, the number and location of the copies. Access rights here include all standard rights and "execute" rights that apply to the data object.

A further basic idea of the invention is to provide a data processing system having a data processing device that can access electronic data objects and an access control module, by means of which an electronic data object identifier can be generated from the content of the data object, an access right can be determined from the data object identifier, and access to the electronic data object can be permitted according to the access right. The access control module makes it possible to grant access rights to a data object on the basis of information contained in the data object itself. Because the content of a data object is copied along when a copy is made, access rights are thereby granted consistently for that data object and for all of its copies, from a central location and independently of where any copies may be stored. Access rights are again understood here to mean all standard rights and "execute" rights that apply to the data object.

In a preferred embodiment of the invention, the data object identifier is generated automatically from information stored in the data object. For example, the data object identifier is composed of a stored person's name, date of birth and content type (such as image or text). This produces a data object identifier that carries information about the content of the data object, so that data objects can be systematically classified and categorized on the basis of their identifiers. If, for example, all data objects related to a particular kind of content (say all laboratory reports, research results, diagnostic findings or calculation data) are to receive the same access rights, this kind of identifier can also be used to assign access rights systematically to whole classes of data objects.

In another preferred embodiment of the invention, an electronic identifier is stored in the data object as the data object identifier. It then suffices to generate the data object identifier as a copy of the identifier held in the data object; in other words, the identifier merely has to be read out of the data object. Generating the data object identifier as a direct copy of an identifier contained in the data object also reduces the possibility of tampering, since no manipulable intermediate step is used to derive the identifier indirectly from the content of the data object, such as composing it from a stored name and date of birth.

A further preferred embodiment of the invention consists in implementing the method on a data processing system that comprises an access rights module, through which the mutual assignment of user identifiers and access rights can be stored, the access control module of the data processing system determining access rights by consulting the access rights module. A module is understood here to be any form of electronic service, for example a server, an electronic library or a process running on a computer. This gives a modular arrangement of the access rights module within the data processing system, which allows it to be located centrally at a flexibly chosen position, so that assigned access rights can be changed from a central location. Through this access rights module, a so-called central tag storage module, access rights classes are defined within which particular user identifiers are assigned particular access rights, for example read, write, delete, copy or functional rights. User identifiers here include both individual and group user identifiers.

A further preferred embodiment of the invention consists in the data processing system comprising a data object classification module, through which the mutual assignment of data object identifiers and access rights classes can be stored and which the access control module can access, the access control module determining access rights by consulting the data object classification module. As above, a module is understood here to be any form of electronic service, for example a server, an electronic library or a process running on a computer. The data object classification module allows the assignment of data object identifiers to access rights classes to be defined and changed. By means of a change within the data object classification module, a data object identifier can be assigned to a different access rights class from a central location, thereby changing the access rights to that data.

The invention has the advantage that all data objects and all their copies are protected in a consistent manner. That is, as long as a user is within the data processing system, the user has identical access rights to every data object and each of its copies, regardless of where the data object is accessed and where it is stored. Such a data processing system may be a network of several machines with flexible access possibilities. Appropriate device access rights can ensure that data objects do not leave this security domain.

The invention also has the advantage that a user's access rights to a data object can be determined independently of the data object itself: knowing the data object identifier is already sufficient. This is easy to achieve if the data object identifier is generated systematically from the content of the data object or from other information relating to it. Knowing system information (for example, the four patient data items and the current ward within a given workflow) is then enough to determine the access rights to the relevant data objects. Access rights to data objects that can be assigned to a defined system class can thus be determined independently of where those objects are located.

A further advantage of the invention is that data objects can be transferred within a security domain independently of the data transfer protocol or the operating system. It suffices to ensure the integrity of the data object during transfer, so that the data object identifier needed to determine access rights can also be generated from the copy of the data object.

Securing the information used to generate the data object identifier also preferably makes it possible to transfer a data object from one security domain to another in a controlled manner. Access rights can thereby be changed automatically without having to change the content of the data object. This use of different security domains is particularly applicable in workflow systems in which data objects are passed from one department to another. In a medical environment, for example, patient admission, radiology and prescribing can be given different access rights by representing each workflow step as a separate security domain. For this purpose, different access rights and data object classifications are set up in the different security domains, so that different, domain-dependent access rights arise in a predefined way. In addition, different user groups can be set up where necessary, so that different group affiliations can be formed in particular.

A particular advantage of the invention is that the data object identifier can be generated from the content stored in the data object, so access rights can also be set on the basis of content. If a data object is changed, as may happen, for example, when information is processed in the course of a task or in storage, changed access rights may result. For example, once confidential information about a person has been added to a data object, access by a particular class of persons can be denied automatically.

Description of the drawings

Embodiments are described in more detail below with reference to the drawings, in which:

Figure 1 shows a data processing system for carrying out the invention,

Figure 2 shows the schematic structure of the internal logical layers of the data processing system, and

Figure 3 shows the method steps of the invention.

Detailed description

在图1中示出了用于实施本发明的数据处理系统。该系统包括数据处理装置1,其具有显示器3和键盘5,通过该数据处理装置可以访问电子数据对象。可以被访问的数据对象位于应用存储器9中。对在应用存储器9中的数据对象的访问是通过访问控制模块7控制的。A data processing system for implementing the invention is shown in FIG. 1 . The system comprises a data processing device 1 with a display 3 and a keyboard 5 via which electronic data objects can be accessed. The data objects that can be accessed are located in the application memory 9 . Access to data objects in the application memory 9 is controlled by the access control module 7 .

访问控制模块7独立于操作系统的访问控制机制(例如,依赖于用户的文件专用的ACL)工作。在一种优选的结构中,将其设计为附加的程序层(数据访问层),并且可以作为模块化的硬件部件连接到数据处理装置1的数据总线上。但是,其实现也可以在数据处理装置1内仅在软件层上进行。该访问控制模块7控制对其控制的数据对象的所有数据访问,例如删除、拷贝、产生、编辑或者功能的执行,也就是说,在安全域内所有对数据对象的数据访问。此外,自然也可以独立于访问控制模块7,即从安全域外,在数据存储器9中并通过数据处理装置1存储其它数据对象,例如应用程序或者公开的非保密数据对象。The access control module 7 works independently of the operating system's access control mechanisms (eg, relying on user-specific file-specific ACLs). In a preferred configuration, it is designed as an additional program layer (data access layer) and can be connected to the data bus of the data processing device 1 as a modular hardware component. However, its implementation can also take place within the data processing device 1 only on a software level. The access control module 7 controls all data accesses to the data objects it controls, such as deletion, copying, creation, editing or execution of functions, that is to say all data accesses to data objects within the security domain. Furthermore, it is naturally also possible to store other data objects independently of the access control module 7 , ie from outside the security domain, in the data memory 9 and via the data processing device 1 , for example applications or public non-confidential data objects.

在启动数据处理装置1的操作系统时通常要求用户登录,其中必须识别用户并为数据访问进行验证。这种验证既包括识别用户又包括为用户对数据的访问进行授权。为了识别用户设置了一种安全询问,对于该询问例如必须通过键盘5输入用户标识和口令。在这种意义下,每种输入装置均可以作为识别装置6。在一种特别优选的实施方式中识别装置6(例如一个芯片卡)自动执行对能够唯一识别用户的、对指纹或者眼球虹膜结构的询问。尽管由访问控制模块7进行的访问控制独立于在操作系统上的用户登录,但是也可以指明该用户的识别。为此,用户可以通过键盘5或者识别装置6使用相同的识别方法。When starting the operating system of the data processing device 1 a user login is usually required, wherein the user must be identified and authenticated for data access. This authentication includes both identifying the user and authorizing the user's access to the data. In order to identify the user, a security challenge is provided for which, for example, a user ID and a password have to be entered via the keyboard 5 . In this sense, any input device can serve as identification device 6 . In a particularly preferred embodiment, the identification device 6 (for example a chip card) automatically performs an interrogation of the fingerprint or the structure of the iris of the eye, which uniquely identifies the user. Although the access control by the access control module 7 is independent of the user's login on the operating system, the identity of the user can also be indicated. For this purpose, the user can use the same identification method via the keyboard 5 or the identification device 6 .

本发明的基本要素在于,可以为每个在访问控制模块7访问下存储的电子数据对象产生一个唯一的数据对象标识。该数据对象标识可以存储在该数据对象中,或者自动地从该数据对象的内容中产生。例如,其可以是DICOM数据对象中常见的DICOM-UID。该访问控制模块7既起到产生该标识的作用,该标识又被存储在数据对象中,又起到从数据对象的内容中产生(或者说成是提取)数据对象标识的作用。The essential element of the present invention is that a unique data object identifier can be generated for each electronic data object stored under access of the access control module 7 . The data object identification may be stored in the data object, or automatically generated from the content of the data object. For example, it may be a DICOM-UID commonly found in DICOM data objects. The access control module 7 not only generates the identifier, which is stored in the data object, but also generates (or extracts) the data object identifier from the content of the data object.

数据对象标识可以系统地构成,以便可以描述访问权限的结构性关联,例如工作组、研究团队、人员层次、关于人员的内容或者对于访问权限系统学中事务领域或研究的内容上的分配。例如,对于电子患者病历,数据对象标识为包括患者姓名、性别、生日和医院标识的识别患者的四项。这种患者四项数据一般对于唯一地识别一个患者是足够的。另外,数据对象标识可以反映出病历属性,用于医疗研究、诊断发现或者在一个较长的时期或者对于特定的诊断图像类型(如X光照片或者超声波照片)的序列。这种结构信息可以在赋予访问权限中这样地加以考虑,使得各自不同的访问权限指明例如对于治疗医生、研究的导师、放射科的专业人员或者计算部门。在充分利用这种系统信息的条件下可以独立于各自的工作环境为每个电子数据对象设置一个唯一的数据对象标识。Data object identifiers can be structured systematically so that structural associations of access rights can be described, such as workgroups, research teams, personnel hierarchies, content about people or assignments to business domains or research content in the system of access rights. For example, for an electronic patient record, a data object is identified as four items identifying the patient including patient name, gender, date of birth, and hospital identification. Such four items of patient data are generally sufficient to uniquely identify a patient. Additionally, data object identification can reflect medical record attributes for medical research, diagnostic discovery, or sequence over a longer period of time or for specific diagnostic image types such as radiographs or ultrasound images. Such structured information can be taken into account when assigning access authorizations such that the respective access authorizations specify, for example, the treating physician, research supervisor, radiology specialist or computer department. Under the condition of making full use of this system information, a unique data object identifier can be set for each electronic data object independently of the respective working environment.

为了在充分利用所描述的系统性的数据对象标识的条件下进行分配,访问控制模块7需要关于进行访问的用户、其组的属性信息和关于将数据对象类型分配给特定访问权限类别的信息。这些信息分别各自存放并可以在数据处理系统内模块化地访问。In order to carry out the assignment using the described systematic data object identification, the access control module 7 requires attribute information about the accessing user, his group and information about the assignment of the data object type to a specific access authorization category. This information is stored separately and can be accessed modularly within the data processing system.

在本发明的一种优选的实施方式中,系统具有一个可以访问访问权限存储器13的访问权限模块11,例如一个服务器、电子图书馆或在计算机上运行的过程,以及一个可以访问用户组存储器17的用户组模块15,其同样可以例如是服务器、电子图书馆或一个在计算机上运行的过程。在访问权限存储器13中存放了用于将用户标识分配给访问权限类别的信息。访问权限类别分别描述了允许哪些用户或者用户组哪种访问权限规模。例如,可以如下定义访问权限类别:In a preferred embodiment of the invention, the system has an access authorization module 11 which can access an access authorization memory 13, for example a server, an electronic library or a process running on a computer, and an access authorization memory 17 The user group module 15 can also be, for example, a server, an electronic library or a process running on a computer. Information for assigning user identifications to access authorization categories is stored in the access authorization memory 13 . The access rights category describes which users or user groups are allowed with which access rights. For example, an access category can be defined as follows:

- User A has no access rights

- User B has read access only

- User group C has all access rights

- User group D may execute functions 1 and 2

- User group E may execute function 2

Possible access rights include, for example, creating a data object, creating a copy of or inheriting information from a data object, reading, modifying and deleting the information stored in a data object, changing the access rights within the respective access right category, and executing specific functions, provided these are available at the workstation.

The user group memory 17 holds the information that makes it possible to assign a user identifier or user group on the basis of the information previously determined for identifying and authenticating the user. The user identifier or user group is represented by a separate electronic user identifier that allows unique identification within the data processing system. Group attributes can reflect, for example, membership of a working group, a function such as senior physician on duty, a position in a hierarchy such as clinic director, a specialist department such as radiology, or an organizational unit such as the human resources or billing department.

User identifiers and group attributes allow a complete description of the working environment structure that matters for determining access rights. The identification of users and their assignment to groups can be changed centrally in the user group memory 17; the change then applies throughout the system to every data access by the respective user, whenever and wherever the user accesses data.

Using the electronic data object identifier, the access control module 7 assigns the electronic data object to an entry in the access rights memory 13. Using the electronic user identifier, it likewise assigns the accessing user to an access right category by querying the access rights module 11. These two assignments together determine which access rights a given user may exercise when accessing a particular data object.

A change in the access rights module 11 or in the user group module 15 alters the granted access rights, from a central location and independently of where the data objects are stored, for all data objects from which a particular data object identifier is generated. Such a change automatically applies to every copy of the data object as well, because the part of the content from which the data object identifier is generated is unchanged in the copy.
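The property used in the paragraph above, that a copy keeps its access rights because the identifier is derived from unchanged content, shown as an added C++ example (not the patent's code and not Siemens code). The patent specifies only that the identifier comes from the patient quadruple and the study UID; the record fields, the canonicalization rules (trim, collapse whitespace, upper-case) and the FNV-1a fingerprint are assumptions made here, and the sample records are constructed, not real patient data.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>

// Identification-relevant content of a DICOM-style record (the field set is an assumption).
struct PatientRecord {
    std::string patientName;        // e.g. "Doe^Jane"
    std::string sex;                // "F", "M" or "O"
    std::string birthDate;          // "YYYYMMDD"
    std::string hospitalId;         // issuing institution (assumed name)
    std::string studyInstanceUID;   // DICOM Study Instance UID
    std::string storagePath;        // NOT part of the identifier: differs between copies
};

// Trim, collapse internal whitespace and upper-case a field so that copies differing
// only in formatting still yield the same identifier.
static std::string canon(const std::string& s) {
    std::string out;
    bool pendingSpace = false;
    for (unsigned char c : s) {
        if (std::isspace(c)) { pendingSpace = !out.empty(); continue; }
        if (pendingSpace) { out.push_back(' '); pendingSpace = false; }
        out.push_back(static_cast<char>(std::toupper(c)));
    }
    return out;
}

// The patient quadruple of the page: name, sex, date of birth, hospital identifier.
std::string patientQuadruple(const PatientRecord& r) {
    return canon(r.patientName) + "|" + canon(r.sex) + "|" + canon(r.birthDate) + "|" + canon(r.hospitalId);
}

// Step 55 of the method: can an identifier be generated at all?
bool hasIdentificationContent(const PatientRecord& r) {
    return !canon(r.patientName).empty() && !canon(r.birthDate).empty() && !canon(r.hospitalId).empty();
}

// Data object identifier = quadruple + study UID (the two fields of the page's SecurityID).
// An empty string means "no identifier": the caller then applies the default protection (step 56).
std::string dataObjectId(const PatientRecord& r) {
    if (!hasIdentificationContent(r)) return "";
    return patientQuadruple(r) + "#" + canon(r.studyInstanceUID);
}

// FNV-1a 64-bit fingerprint, so that the key stored in the classification memory need not
// carry the patient's name in clear (an addition here, not required by the patent).
uint64_t fingerprint(const std::string& id) {
    uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : id) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

// Constructed sample input, not real patient data: the same study stored in the PACS and
// as a copy on removable media, with different formatting of the fields and a different path.
PatientRecord sampleOriginal() { return {"Doe^Jane", "F", "19700101", "HOSP-01", "1.2.840.113619.2.1", "/pacs/study1/img1.dcm"}; }
PatientRecord sampleCopy()     { return {" doe^jane ", "f", "19700101", "hosp-01", "1.2.840.113619.2.1", "/media/usb/img1.dcm"}; }

int main() {
    std::cout << dataObjectId(sampleOriginal()) << '\n'
              << (dataObjectId(sampleOriginal()) == dataObjectId(sampleCopy()) ? "copy keeps identifier" : "mismatch") << '\n';
}
```

The storage path and any operating system ACL are deliberately left out of the identifier, which is exactly why the identifier survives the transfer to another file system described later for Figure 2. A record whose name, birth date or hospital identifier is missing yields no identifier and must be handled by the default protection rather than by guessing.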

In a further preferred embodiment, the system has an access rights module 11, a user group module 15 and an additional data object classification module 12, which can again be, for example, a server, an electronic library or a process running on a computer. The data object classification module 12 can access a data object classification memory 14, which stores the information assigning data object identifiers to access right classifications, and can change that information.

This embodiment is more strongly modularized than the one described above. As before, the user group module 15 supplies the information for determining the electronic user identifier, and the access rights module 11 supplies the information for assigning user identifiers to access right classifications. The data object classification module 12 complements this with the information that assigns data object identifiers to access right classifications. Through it, the access right classification to which each data object belongs can be preset and changed.

Within each access right classification, the users and user groups assigned to it thus hold the access rights defined for it. By changing the assignment in the data object classification module 12 so that a data object becomes accessible to different users or user groups in turn, the access rights to a data object can be changed to follow, for example, the progress of a predefined workflow. In a medical working environment such stages could be: admission of the patient to the clinic, the admission examination, a subsequent examination using radiological imaging, treatment, and the final diagnosis, with different user groups, such as medical technicians, radiology staff and treating staff, working on the patient's data objects at each stage.

Whenever data is accessed within the data processing system, that is, within the security domain, the access control module 7 first generates the data object identifier of the data object to be accessed. By querying the user group module 15, the access control module 7 determines a user identifier and, from that user identifier, determines an access right classification by querying the access rights module 11. By querying the data object classification module 12 with the previously generated data object identifier, it determines which access right classification the data object belongs to. The assignment of the data object identifier and of the user identifier thus yields all the information needed to grant the user the specific access rights to the data object.

The mode of operation of the access control module 7 can also be used for data access from remote workstations. For example, a mobile data processing device 21 (such as a PDA or notebook computer) can access the system's data objects over a remote data connection 19 (such as a modem or mobile radio connection). This may be the case at a home workplace or within a working environment that uses mobile devices, such as a clinic.

The structure of the data processing system described above can be changed in its modularity without changing the mode of operation of the access control module 7. For example, the user group memory 17 and the access rights memory 13 can be combined on a common storage medium, or the access rights module 11 and the user group module 15 can be integrated in a single data processing device. Nor is separation from the access control module 7 necessary for the mode of operation; the modules can be integrated into it. The modular structure allows the system to be adapted particularly flexibly to all structural requirements of the respective working environment.

Figure 2 schematically shows the logical layers within the data processing system, that is, within the security domain. The electronic data objects whose access is controlled lie on the lowest layer 31. These data objects have identification-relevant content 33 from which the data object identifier can be generated. Previously, this identification-relevant content 33 had to be placed on a higher layer, because the data object identifier must be accessible independently of the user's access rights in order to determine the scope of those rights.

Above the data layer sits an ACL 35, which controls access to the data at operating system level, within the respective operating system, and independently of the user's login to that operating system. The ACL 35 has so far not been part of the data object layer 31, 33, because it is not preserved when the data leaves its file system or when the operating system is changed. It is not inherited along with the data but lost. For this reason the ACL 35 is shown as a separate layer in the schematic.

The operating system layer 37 is arranged above the ACL 35; it controls the ACL 35 and, through it, the data object layers 31, 33.

The access control layer 39 lies above the operating system layer 37 and executes the functions of the access control module 7. It controls access to all data in addition to the existing operating system access control.

The application layer 41, with the applications of the respective working environment, lies above the access control layer 39.

The right-hand part of the figure shows, by way of example, the logical layers after the file has been transferred to another operating system, as indicated by the arrow. In the chosen example this other operating system has no ACL. Provided the identification-relevant content 33 is transferred together with the data, the data object layers 31, 33 remain unchanged. Because there is no ACL, however, there is no access control through the operating system layer 37.

Access to the data object layers 31, 33 is nevertheless possible only through the access control layer 39, wherever the data is located. The control of data access within the defined scope is thus preserved after the data is imported and is independent of a change of operating system. The application layer 41 can access the data only through the access control layer 39.

Figure 3 shows the method steps for accessing a data object within the security domain. In step 51, the access to the data object is initiated by a user or an application.

In step 53, the user identifier identifying the user is determined. As described above, the required information is captured by keyboard input or biometric data acquisition. From the data so captured, the user identifier is determined by accessing the user group memory 17 via the user group module 15.

In step 55 it is checked whether a data object identifier can be generated for the data object to be accessed. Either the data object identifier is stored in the data object itself, or the data object contains information from which the identifier can be determined automatically.

If no data object identifier can be generated, a default data object identifier is assigned in step 56, on the basis of which a standard scope of access rights can then be set. Access control for the data object is thus achieved even where, for example, no data object identifier has been introduced into the system, using the standard scope and without spending time on the further method steps for determining the scope of access rights.

Otherwise, in step 57 the data object identifier is generated, either as a copy of an identifier stored in the data object or automatically from the content stored in the data object.

In step 59 the access rights module 11 is queried in order to determine an access right classification from the information in the access rights memory 13. This retrieves the assignment between user identifiers and access right classifications, which can be stored as a table or as a graph.

In step 61 the data object classification module 12 is queried in order to obtain from the data object classification memory 14 the information from which the access right category assigned to the previously determined data object identifier can be determined.

Once all information on user identification, group identification and data object classification has been obtained, the access rights permitted to the user are determined in step 63. This determination is based either on the data retrieved in steps 59 and 61 or on the default values assigned in step 56. Assigning the default values can be done without further queries to the modules, which avoids unnecessary accesses and saves time.

In step 65 the data is accessed in accordance with the access rights determined previously.

In step 67 the data access is terminated. For example, the user may log off from the system, the system may end the session automatically on a timeout, or the classification used to determine the access rights may be changed in the system.

To illustrate the programming aspects of the invention, a few greatly simplified semantic sketches of the steps for implementing the method are reproduced below. The simplifications include, for example, omitting variable definitions and error handling.

The user group module allows user and group identifiers to be added, modified, deleted and retrieved. It also includes the means for authenticating individual users. It can be implemented with the following declarations:

bool createUser(wchar_t *theUserName, wchar_t *thePassword, wchar_t *&theSID);
bool deleteUser(wchar_t *theUserName);
bool querySID(wchar_t *theUserName, wchar_t *&theSID);
bool createGroup(wchar_t *theGroupName, wchar_t *&theGID);
bool deleteGroup(wchar_t *theGroupName);
bool queryGID(wchar_t *theGroupName, wchar_t *&theGID);
bool addUserToGroup(wchar_t *theSID, wchar_t *theGID);
bool removeUserFromGroup(wchar_t *theSID, wchar_t *theGID);
bool authenticateUser(wchar_t *theUserName, wchar_t *theUserPassword, wchar_t *&theUID); // theUID is returned on success
bool releaseUID(wchar_t *theUID);
bool analyzeUID(wchar_t *theUID, wchar_t *&theSID, wchar_t *&theGID);

Here, bool is the C++ keyword for the type that takes the Boolean values true or false; it precedes a variable definition, method definition or method declaration. wchar_t is the C++ wide-character type (16 bits wide in the Microsoft compiler referred to here). enum is the C++ keyword for defining enumeration types, and struct the C++ keyword for defining new composite data types.

SID and GID are unique identifiers for a user and a group respectively, used within a security domain. They represent users and groups within the security domain without the actual identity or name having to be used for this purpose.

The other names, such as createGroup or deleteGroup, are chosen freely and are self-explanatory.

Each successful authentication of a user produces a UID that uniquely identifies the user and the work session. The UID is deleted as soon as the user logs off from the system or the session is ended in the secure area because of a timeout.

The access rights module can be implemented with the following declarations:

enum TokenRights   // bit values (an addition here) so that several rights can be combined in one TokenRights value
{
    Create = 1,                   // allows creating new child objects in hierarchically organized files
    Read = 2,                     // allows reading the file content
    Update = 4,                   // allows modifying the file content
    Delete = 8,                   // allows deleting the entire file, i.e. physical destruction
    Execute = 16,                 // allows updating the current protection of the file
    ExecuteSpecificFunction = 32  // allows executing a specific function on the file content
};
bool createToken(wchar_t *theTokenName);
bool assignUserRight(wchar_t *theTokenName, wchar_t *theSID, TokenRights theGrantedRights);   // listed as assignRight on the page; both variants had identical parameter types
bool assignGroupRight(wchar_t *theTokenName, wchar_t *theGID, TokenRights theGrantedRights);
bool removeToken(wchar_t *theTokenName);
TokenRights authorize(wchar_t *theTokenName, wchar_t *theSID, wchar_t *theGID);

To determine a user's access rights, the access rights module 11 uses the user's SID and GIDs. Different access rights can be configured for group identifiers and user identifiers, and a user can hold several identifiers, so all SIDs and GIDs must be evaluated to determine the scope of each user's access rights.

The assignment of data object identifiers to categories, denoted as a "Token" in the declarations above, allows individual assignments to be added, deleted, searched and modified. It can be implemented with the following declarations:

struct SecurityID   // sample definition for DICOM-structured files
{
    wchar_t *thePatientQuadruple;
    wchar_t *theStudyInstanceUID;
};
bool setDefaultProtection(wchar_t *theTokenNames);
bool addProtection(SecurityID &theDocumentSecurityID, wchar_t *theTokenNames);
bool queryProtection(SecurityID &theDocumentSecurityID, wchar_t *&theTokenNames);
bool removeProtection(SecurityID &theDocumentSecurityID, wchar_t *theTokenNames);

A data object identifier can be assigned to several categories. Data object identifiers that are not assigned to any category receive the standard default scope of access rights.
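The access decision of steps 53 to 67 above, put together with the three module interfaces just listed, as an added C++ example that is neither the patent's own code nor Siemens code. The three modules are in-memory tables, the rights are bit flags, and the user, group, token and patient values are constructed for the example. It shows what the description states but the declarations do not: the union over a user's SID and all GIDs, the fall-back to the default protection when no identifier can be generated or the identifier is unclassified, a group change in the user group module taking effect on an existing session, and a released UID losing every right.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <set>
#include <string>

// Rights as bit flags (an assumption; the page lists a plain enum) so that grants can be ORed together.
enum TokenRights : uint32_t { NoRights = 0, Create = 1, Read = 2, Update = 4, Delete = 8, Execute = 16, ExecuteSpecificFunction = 32 };

struct SecurityID {                                   // data object identifier derived from content
    std::string patientQuadruple, studyInstanceUID;   // "name|sex|birth date|hospital id", DICOM study UID
    bool operator<(const SecurityID& o) const {
        return patientQuadruple + '\n' + studyInstanceUID < o.patientQuadruple + '\n' + o.studyInstanceUID;
    }
};
struct Principal { std::string sid; std::set<std::string> gids; };

class UserGroupModule {                               // module 15 with user group memory 17
    std::map<std::string, std::pair<std::string, std::string>> users_;   // name -> (SID, secret)
    std::map<std::string, std::set<std::string>> membership_;             // SID -> GIDs
    std::map<std::string, std::string> sessions_;                         // UID -> SID
    int nextUid_ = 1;
public:
    void createUser(const std::string& name, const std::string& secret, const std::string& sid) { users_[name] = {sid, secret}; }
    void addUserToGroup(const std::string& sid, const std::string& gid) { membership_[sid].insert(gid); }
    void removeUserFromGroup(const std::string& sid, const std::string& gid) { membership_[sid].erase(gid); }
    // Step 53: a UID (work session) exists only after successful authentication; the plain compare stands in for a salted hash.
    std::optional<std::string> authenticateUser(const std::string& name, const std::string& secret) {
        auto u = users_.find(name);
        if (u == users_.end() || u->second.second != secret) return std::nullopt;
        std::string uid = "UID-" + std::to_string(nextUid_++);
        sessions_[uid] = u->second.first;
        return uid;
    }
    void releaseUID(const std::string& uid) { sessions_.erase(uid); }   // step 67: logoff or timeout
    // Membership is looked up at every access, so a central change in memory 17 applies at once.
    std::optional<Principal> analyzeUID(const std::string& uid) const {
        auto s = sessions_.find(uid);
        if (s == sessions_.end()) return std::nullopt;
        auto m = membership_.find(s->second);
        return Principal{s->second, m == membership_.end() ? std::set<std::string>{} : m->second};
    }
};

class AccessRightsModule {                            // module 11 with access rights memory 13
    std::map<std::string, std::map<std::string, uint32_t>> tokens_;      // token -> SID or GID -> rights
public:
    void assignRight(const std::string& token, const std::string& id, uint32_t r) { tokens_[token][id] |= r; }
    uint32_t authorize(const std::string& token, const Principal& p) const {   // union over SID and all GIDs
        auto t = tokens_.find(token);
        if (t == tokens_.end()) return NoRights;
        uint32_t rights = NoRights;
        auto grant = [&](const std::string& id) { auto g = t->second.find(id); if (g != t->second.end()) rights |= g->second; };
        grant(p.sid);
        for (const auto& gid : p.gids) grant(gid);
        return rights;
    }
};

class DataObjectClassificationModule {                // module 12 with classification memory 14
    std::map<SecurityID, std::set<std::string>> protection_;             // data object id -> tokens
    std::set<std::string> defaultTokens_;                                // step 56: standard protection
public:
    void setDefaultProtection(const std::string& token) { defaultTokens_.insert(token); }
    void addProtection(const SecurityID& id, const std::string& token) { protection_[id].insert(token); }
    // No derivable identifier (nullopt) or an unclassified identifier falls back to the default tokens.
    const std::set<std::string>& queryProtection(const std::optional<SecurityID>& id) const {
        if (id) { auto it = protection_.find(*id); if (it != protection_.end()) return it->second; }
        return defaultTokens_;
    }
};

class AccessControlModule {                           // module 7
    const UserGroupModule& ug_; const AccessRightsModule& ar_; const DataObjectClassificationModule& dc_;
public:
    AccessControlModule(const UserGroupModule& ug, const AccessRightsModule& ar, const DataObjectClassificationModule& dc) : ug_(ug), ar_(ar), dc_(dc) {}
    // Steps 59 to 63: rights of this session on this object, ORed over all tokens protecting it.
    uint32_t effectiveRights(const std::string& uid, const std::optional<SecurityID>& objectId) const {
        auto p = ug_.analyzeUID(uid);
        if (!p) return NoRights;                      // unknown or expired UID: fail closed
        uint32_t rights = NoRights;
        for (const auto& token : dc_.queryProtection(objectId)) rights |= ar_.authorize(token, *p);
        return rights;
    }
    bool allow(const std::string& uid, const std::optional<SecurityID>& objectId, uint32_t wanted) const {
        return (effectiveRights(uid, objectId) & wanted) == wanted;   // step 65: every requested right must be held
    }
};

struct Demo {   // constructed sample configuration: assumed user, group and token names, no real patient data
    UserGroupModule ug; AccessRightsModule ar; DataObjectClassificationModule dc;
    AccessControlModule acm{ug, ar, dc};
    SecurityID study{"DOE^JANE|F|19700101|HOSP-01", "1.2.840.113619.2.1"};
    Demo() {
        ug.createUser("dr_lee", "correct horse", "S-100"); ug.addUserToGroup("S-100", "G-RAD");
        ug.createUser("clerk", "battery staple", "S-200"); ug.addUserToGroup("S-200", "G-BILL");
        ar.assignRight("radiology-study", "G-RAD", Create | Read | Update);
        ar.assignRight("billing", "G-BILL", Read);
        dc.setDefaultProtection("unclassified");      // token with no grants: unidentifiable objects stay locked
        dc.addProtection(study, "radiology-study"); dc.addProtection(study, "billing");
    }
};
```

To drive it, construct a Demo, obtain a UID with `ug.authenticateUser("dr_lee", "correct horse")` and ask `acm.allow(uid, study, Read | Update)`; the radiologist gets Read and Update through G-RAD, the billing clerk gets Read only through G-BILL, and an object looked up with `std::nullopt` (no identifier could be generated) receives only what the default token grants, here nothing, which is the fail-closed choice. Removing S-100 from G-RAD changes the answer for the radiologist's existing session on the next call, without a new login, which is the central-change behaviour the description claims for the user group memory 17.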

Claims (10)

1. A method of protecting an electronic data object against unauthorized access, said data object being arranged for storing information, wherein a) in a first step (56, 57) an electronic data object identification is generated on the basis of the content of said electronic data object, b) in a next step (63) access rights are determined on the basis of the data object identification, and c) in a last step (65) access to the electronic data object is allowed on the basis of the access rights, wherein,
an electronic user identification is determined for the operator in a further step (53) prior to step c), and information enabling the assignment of the user identification to the access right classification is determined in a further step (59), and the access right is determined on the basis of the assignment of the user identification to the access right classification.
2. The method of claim 1, wherein the data object identification is generated as a copy of an identification contained in the data object.
3. The method of claim 1, wherein the data object identification is generated using information stored in the data object.
4. Method according to claim 1, wherein in a further step (61) after said step a) information is determined which enables an assignment of the data object identification to an access rights classification, and the access rights are determined from the assignment of the data object identification to an access rights classification.
5. The method of any of claims 1-4, wherein the access rights include one standard right and one functional right.
6. The method of claim 1, wherein medical data about an individual is stored in the data object.
7. A data processing system having a data processing apparatus (1) which can access electronic data objects and an access control module (7), by means of which access control module (7) an electronic data object identification is generated on the basis of the content of the data object and an access right is determined on the basis of the data object identification by means of the access control module (7) and access to the electronic data object is permitted on the basis of the access right by means of the access control module (7), wherein the data processing system further comprises a recognition means (6) by means of which an electronic user identification of an operator can be determined and an access right module (13) by means of which an assignment between the electronic user identification and the classification of the access right is stored and which access right module (13) can be accessed by the access control module (7), wherein the access rights can be determined by the access control module (7) from the access to the access rights module (13).
8. The data processing system according to claim 7, said data processing system comprising a data object classification module (12), by means of which data object classification module (12) the assignment of electronic data object identifications and access rights classifications to each other is stored, and which module (12) is accessible to said access control module (7), wherein said access rights are determinable by said access control module (7) on the basis of access to said data object classification module (12).
9. The data processing system of claim 7, wherein the data processing system determines one standard right and one functional right as access rights.
10. The data processing system of claim 7, wherein the data processing system is designed as a medical workstation.
CNB2004100397120A 2003-03-14 2004-03-15 Method and system for protecting electronic data objects from unauthorized access Expired - Fee Related CN100449450C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10311648.6 2003-03-14
DE10311648 2003-03-14

Publications (2)

Publication Number Publication Date
CN1530792A CN1530792A (en) 2004-09-22
CN100449450C true CN100449450C (en) 2009-01-07

Family

ID=32920851

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100397120A Expired - Fee Related CN100449450C (en) 2003-03-14 2004-03-15 Method and system for protecting electronic data objects from unauthorized access

Country Status (2)

Country Link
CN (1) CN100449450C (en)
DE (1) DE102004004101A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100412743C (en) * 2004-12-17 2008-08-20 摩托罗拉公司 Method and apparatus for digital rights management
CN101399695B (en) * 2007-09-26 2011-06-01 阿里巴巴集团控股有限公司 Method and device for operating shared resource
WO2009049681A1 (en) * 2007-10-19 2009-04-23 Vascops Automatic geometrical and mechanical analyzing method and system for tubular structures
WO2016065553A1 (en) 2014-10-29 2016-05-06 华为技术有限公司 Data frame transmission method and apparatus
CN105117582A (en) * 2015-07-29 2015-12-02 苏州麦迪斯顿医疗科技股份有限公司 Medical data platform information processing method
CN107103245B (en) * 2016-02-23 2022-08-02 中兴通讯股份有限公司 File authority management method and device
CN105872108B (en) * 2016-06-15 2019-02-22 深圳市清时捷科技有限公司 A kind of multiple data screening, transmission method and its devices for receiving terminal
CN107944297B (en) * 2017-12-11 2020-11-24 北京奇虎科技有限公司 A control method and device for accessing files
DE102018127949A1 (en) * 2018-11-08 2020-05-14 Samson Aktiengesellschaft Control of access rights in a networked system with data processing

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1232560A (en) * 1996-09-30 1999-10-20 诺基亚电信公司 Marking of electronic documents in order to expose unauthorized publication
CN1313988A (en) * 1999-04-14 2001-09-19 松下电器产业株式会社 Data management apparatus, data management method, and record medium recording data management program
WO2003017036A2 (en) * 2001-08-20 2003-02-27 Pardalis Software, Inc. Informational object authoring and distribution system

Also Published As

Publication number Publication date
DE102004004101A1 (en) 2004-09-30
CN1530792A (en) 2004-09-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20180315