Single sign-on approaches
NTUH is a large enterprise with a wide ramification of roles and access permissions. Given the growing diversity and complexity of acute hospital care, it is particularly difficult in healthcare environments to map medical providers clearly onto roles, or to assign access permissions and privileges to those roles. Initially, the hospital adopted the classical role-based access control mechanism to manage users, roles, and their associated access rights (Barkley, 1997; 2004-Single). However, we encountered a dilemma: defining only a few roles induces role expansion (Adamcik et al., 1986; Bullough, 1976), whereas defining a role per individual results in role proliferation (Zhang, 2003; Woods, 2007). To resolve this conflict, each NTUH employee is granted a basic set of permissions according to his/her occupational territory, following the principle of least privilege. Additional access permissions and authorities are granted on demand. Here, the access permissions are pre-defined as web page access rights.
The SSOS scheme has been implemented as follows. For authentication, the user's employee ID, SSN (Social Security Number), and the current timestamp are used to randomly generate the authentication access key. This key is used to authenticate among the NTUH components and thereby realize the SSOS scheme described in the previous section. For authorization, i.e., access permissions, each HIS web page is assigned an identity (a web page ID), and every user is associated with a set of web pages. A user who lacks the corresponding authority cannot access or execute those web pages. The user ID and his/her associated web page IDs are stored and maintained in the HIS database. In addition, prefetched page ID/user ID pairs can be cached in the Win-Session Server to improve validation performance. The cached data are synchronized with the HIS database on an hourly basis.
36 Web Intelligence and Intelligent Agents
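The authorization check described above, written as an added illustration that is not the NTUH implementation: a deny-by-default lookup over cached (page ID, user ID) pairs that are reloaded from the HIS database once the hourly sync interval has elapsed. The user IDs, page IDs and the in-memory dictionary standing in for the HIS database are constructed sample values; the clock is injectable so the sync latency can be observed.

```python
import time

# Constructed sample of the HIS table mapping each user ID to the set of
# web page IDs that user may access (hypothetical values, not NTUH data).
HIS_DB_USER_PAGES = {
    "E1001": {"PG-ORDER-ENTRY", "PG-LAB-RESULTS"},  # e.g. a ward physician
    "E2002": {"PG-LAB-RESULTS"},                    # e.g. a lab technician
}

SYNC_INTERVAL_SECONDS = 3600  # the cache is synchronized with the DB hourly


class PagePermissionCache:
    """In-memory cache of prefetched (page ID, user ID) pairs, standing in
    for the cache held by the Win-Session Server."""

    def __init__(self, db, clock=time.time, sync_interval=SYNC_INTERVAL_SECONDS):
        self._db = db                      # dict: user_id -> set of page_ids
        self._clock = clock                # injectable for deterministic tests
        self._sync_interval = sync_interval
        self._pairs = set()
        self._last_sync = None
        self.sync()

    def sync(self):
        """Reload every (page_id, user_id) pair from the HIS database."""
        self._pairs = {(page, user)
                       for user, pages in self._db.items() for page in pages}
        self._last_sync = self._clock()

    def is_authorized(self, user_id, page_id):
        """Deny by default: access is granted only if the pair is cached.
        A grant or revocation written to the DB becomes visible only after
        the next sync, i.e. with a latency of up to one sync interval."""
        if self._clock() - self._last_sync >= self._sync_interval:
            self.sync()
        return (page_id, user_id) in self._pairs


def grant_page(db, user_id, page_id):
    """On-demand grant: add a page to the user's set in the HIS database."""
    db.setdefault(user_id, set()).add(page_id)


if __name__ == "__main__":
    cache = PagePermissionCache({u: set(p) for u, p in HIS_DB_USER_PAGES.items()})
    print(cache.is_authorized("E1001", "PG-ORDER-ENTRY"))   # True
    print(cache.is_authorized("E2002", "PG-ORDER-ENTRY"))   # False
```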
The Web-session Servers are developed and deployed under the .NET web services environment. The Win-session Servers are implemented as daemons. All requests received by the Web-session Servers are forwarded to the daemons and processed there, including the database interfaces.
Auth-WS is the core of the SSOS scheme for certification. In the scheme, the Portal service and the HIS components are developed on Microsoft .NET technologies, so these two modules can communicate with Auth-WS directly. For the legacy HIS applications, however, we design a COM component to facilitate their communication with the Auth-WS. Communication between the Auth-WS and the Outsourcing Systems is achieved via their APIs. The flows of the scheme are shown as the red arrows in Figure 2.
4.3 Portal design & implementation
To meet these requirements, we design and enhance a new, dynamic portal for NTUH. First, the portal integrates the SSOS features. Second, we establish a hierarchical architecture and classify the function linkages into groups, which is described in detail later. As a result, the portal provides intuitive and effective access. In addition, the portal site provides visualized menu selections. The independent function linkages (URL links) are kept in configuration files, which are used to configure and generate the menus dynamically.