Real Time Information Director User Documentation

RTID Security and Auditing

Hewlett-Packard Company 2 529618 - 002

This document describes the security, auditing, and transaction logging features of the

Director.

Director Security and Auditing Features

The Director has security and auditing features to guarantee the rights of the consumer.

Security policies restrict access to data pertaining to the consumer. Auditing provides a

record of who read or modified what data.

The metadata defining a document indicates whether the document requires security

and/or auditing. For security, the metadata specifies the name of the security policy that

governs access to the document. For auditing, the metadata can specify what data (audit

details) must be included in an audit.

The features described here currently apply to native XML documents, not to IDocs.

Consumers and Agents

Both security and auditing depend on information included in the header of a document:

• Identification of the consumer to whom the data applies, if the data applies to

one consumer. Examples of consumers are a customer of a financial institution, a

patient known to an EHR system, and a guest of a hotel.

• Identification of the agent, that is, of the person who submits a query or change

to the database. Such a person might be a doctor, a customer service agent, or the

patient or customer himself.

A document that does not require security or auditing (as prescribed by the metadata that

defines the document) need not have a header.

Here is an excerpt from a hypothetical document recording the birth of a child. In this

example, health events are audited, so the document contains a header. It identifies the

child as the consumer and his doctor as the agent. (Most of the data pertaining to the

event is omitted here for brevity.)

- <PATIENTEVENTS>

<ROLE>PersonalPhysician</ROLE>

</HEADER>