Real Time Information Director User Documentation
RTID Security and Auditing 
Hewlett-Packard Company  6  529618 - 002 
Standard and Custom Policies 
The Director supports the definition of security policies that specify which agents have 
access to each consumer’s data. Thus far, two policies are predefined, or standard: 
•  The SelfService policy gives consumers access to their own data.
•  The PersonalAgent policy gives specific agents access to the data of specific consumers.
A policy is implemented as a Java class. Policy classes reside in the com.hp.rtid.security 
package. 
You implement custom policies as concrete subclasses of abstract policy classes provided 
with the Director. For example, the PersonalPhysician policy in the EHR demo is a 
subclass of the standard PersonalAgent policy: it gives a patient’s personal physician 
access to data pertaining to the patient. 
Policy Data Models 
Almost every security policy has its own data model. For example, the
PersonalPhysician policy queries an SQL table that associates a personal physician with
his patients.
If the applicable database table does not contain an entry for the incoming 
agent/consumer combination, then the document is rejected with a security violation, for 
example: 
com.hp.rtid.exception.DirectorException: Security violation: Agent is not the personal physician of this patient
Creating a Custom Policy 
Security policies are implemented as subclasses of the abstract class Policy. To create a 
custom policy, you extend that class or any of the other abstract or concrete policy classes 
provided with the Director. 
Two examples of standard abstract policy classes provided as part of the Director are 
PersonalAgent and CompoundPolicy. The PersonalAgent policy has already been 
mentioned: it gives specific agents access to data for specific consumers. One concrete 
policy class that extends PersonalAgent is PersonalPhysician, which gives a patient’s 
physician access to the patient’s data. 
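The following sketch is an added example, not code from the Director or from the EHR demo. It models the Policy, PersonalAgent and PersonalPhysician hierarchy and the reject-when-no-entry lookup described under Policy Data Models. The method names check, isAssociated and denialReason, the SecurityViolation and PolicySketch classes, and the in-memory Map standing in for the SQL table are all assumptions.

```java
import java.util.Map;
import java.util.Set;
// Added sketch: stand-in types, not the classes shipped in com.hp.rtid.security.
public class PolicySketch {
    // Stand-in for the Director's security violation (the page shows DirectorException).
    static class SecurityViolation extends Exception {
        SecurityViolation(String reason) { super("Security violation: " + reason); }
    }
    // Hypothetical shape of the abstract base: one access decision per document.
    static abstract class Policy {
        abstract void check(String agentId, String consumerId) throws SecurityViolation;
    }
    // Agent-to-consumer policy: access exists only if the data model lists the pair.
    static abstract class PersonalAgent extends Policy {
        abstract boolean isAssociated(String agentId, String consumerId);
        abstract String denialReason();
        @Override
        final void check(String agentId, String consumerId) throws SecurityViolation {
            // Fail closed: a missing identity and a missing row both reject the document.
            if (agentId == null || consumerId == null || !isAssociated(agentId, consumerId)) {
                throw new SecurityViolation(denialReason());
            }
        }
    }
    // Concrete policy; the Map stands in for the SQL table of physician/patient rows.
    static class PersonalPhysician extends PersonalAgent {
        private final Map<String, Set<String>> patientsByPhysician;
        PersonalPhysician(Map<String, Set<String>> table) { this.patientsByPhysician = table; }
        @Override
        boolean isAssociated(String agentId, String consumerId) {
            return patientsByPhysician.getOrDefault(agentId, Set.of()).contains(consumerId);
        }
        @Override
        String denialReason() { return "Agent is not the personal physician of this patient"; }
    }
    public static void main(String[] args) {
        // Constructed sample rows: dr-lee is the physician of patient-17 only.
        Policy policy = new PersonalPhysician(Map.of("dr-lee", Set.of("patient-17")));
        String[][] requests = {{"dr-lee", "patient-17"}, {"dr-lee", "patient-42"}, {"dr-kim", "patient-17"}};
        for (String[] r : requests) {
            try {
                policy.check(r[0], r[1]);
                System.out.println(r[0] + " -> " + r[1] + ": allowed");
            } catch (SecurityViolation e) {
                System.out.println(r[0] + " -> " + r[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Making check final in the abstract class keeps the deny-by-default decision in one place, so a concrete subclass supplies only its lookup and its denial text.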