Abstract
Background and Objective
Hospital access control systems face unique challenges in environments with high staff mobility and overlapping roles. This study aims to develop and validate an Improved Attribute-Based Role Access Control (I_ABRAC) model to address role explosion, computational inefficiency, and compliance issues in healthcare settings.
Methods
We proposed an I_ABRAC model incorporating three mechanisms: (1) an approval-permission dynamic coupling mechanism, (2) a rule number-driven incremental update algorithm, and (3) a permission-rule traceability framework. The model was validated using real-world de-identified operational data from a large tertiary teaching hospital in China, encompassing 60 access control rules, approximately 20,000 personnel, and over 2,000 access points. Experiments were conducted across 16 test scenarios under 24 configurations (8 personnel scales × 3 rule scales).
Results
The I_ABRAC model achieved a 68% reduction in required system roles compared to traditional models (from 176 to 56 roles) while demonstrating correct functional permission assignment across all 16 test scenarios. The optimized algorithm demonstrated an 83.3% improvement in processing efficiency (from 54.96±1.89s to 9.96±2.78s; p<0.001), with performance gains ranging from 81.9% to 83.9% across all 24 configurations (8 personnel scales * 3 rule scales, all p<0.001), confirming its scalability from departmental to hospital-wide deployments.
Conclusions
The I_ABRAC framework effectively resolves core security and operational bottlenecks in hospital access control, provides technical mechanisms to support compliance with medical regulations, and supporting scalable applications such as IoT-based device access and multi-hospital systems.
Keywords
1 Introduction
Hospital access control systems play a crucial role in safeguarding clinical safety and patient privacy.1,2 They directly affect three critical aspects of healthcare delivery: (1) clinical workflow continuity—ensuring that medical staff can promptly access high-risk diagnostic and treatment areas such as operating rooms, pharmacies, and emergency equipment zones; (2) privacy protection—restricting access to sensitive areas such as endoscopy center changing rooms, psychiatric wards, and medical record storage areas; and (3) regulatory compliance—adhering to requirements for infection control, safety isolation, and security of drugs and equipment.3–5 The effectiveness of access control systems directly influences the prevention of medical errors, protection of patient privacy, and compliance with medication safety regulations.
A critical operational characteristic that fundamentally distinguishes hospital access control systems from conventional online authorization systems (e.g., hospital HIS, cloud IAM) is the
Currently, most hospital access control systems adopt Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), or Attribute-Based Role Access Control (ABRAC) models, 6 which enable role deployment and dynamic authorization based on real-time attributes.7–12 However, in recent years, with the accelerated collectivization and informatization of medical institutions in China,13,14 hospital environments have become increasingly characterized by large numbers of personnel, high staff mobility,13,15–17 diversified roles with overlapping clinical and administrative responsibilities,18–20 complex functional areas spanning multiple campuses,21–24 varied opening hours of ward access control points,25,26 and frequent replacement of employee ID cards. These challenges are not unique to individual hospitals but reflect a nationwide trend in the development of China’s healthcare system. As a National Medical Center and one of the largest tertiary hospitals in China, our hospital—the First Affiliated Hospital, (FAHZU)—exemplifies these national trends with even greater prominence. With approximately 20,000 personnel and over 5,000 access control points across six campuses (Yuhang, Qingchun, Zhijiang, Chengzhan, Daxue Road, and Qiantang), the operational environment of our hospital embodies all the complexities described above, making it an ideal representative setting for studying and validating access control solutions in large-scale medical institutions.
This complexity reveals significant limitations when applying current access control models to large-scale medical environments. RBAC simplifies permission management by associating users with predefined roles, but suffers from “role explosion” in large hospitals. As the number of departments, positions, and functional areas increases, cross-departmental collaboration generates redundant roles—leading to exponential growth in the total number of roles. This results in cumbersome permission configuration, increased administrative costs, and prolonged permission waiting times, ultimately hindering clinical workflow coordination.27–29 ABAC achieves fine-grained control through multi-dimensional attributes (user identity, time, regional function, device status). However, its complex attribute matching logic leads to high computational latency and numerous configuration errors. For example, during the pandemic, rapid redeployment of personnel and regional functions could not meet the demand for fast permission updates in medical emergencies.30,31 ABRAC attempts to integrate the advantages of RBAC and ABAC by incorporating roles into attribute constraints, but fails to resolve the conflict between flexibility and computational efficiency. Issues such as redundant permission rules,32,33 high performance overhead, 34 and prolonged decision-making time 35 lead to errors in permission calculations for overlapping roles (e.g., administrative-clinical dual roles) and delays in permission activation. Delays in updating access permissions can result in passive clinical decision-making, including inability to access critical permissions for emergency equipment, medications, and other essential resources.
Based on the management requirements, personnel structure, and regional functional characteristics of our hospital, there is an urgent need to construct a secure and reliable access control model that satisfies the requirements of fine-grained permission management, accuracy, and efficiency. Leveraging our hospital’s personnel system and door access management system, we developed an Improved Attribute-Based Role Access Control (I_ABRAC) model, which organically integrates dynamic role strategies with approval strategies. This model encompasses the entire process of door access permission management, including dynamic role mapping based on personnel attributes, approval workflows for cross-departmental temporary permissions, incremental update calculation of permission rules, and full traceability of permissions and rules. The involved roles include clinical department staff, administrative personnel, the information technology department, and hospital management.
Our objectives are: (1) to achieve online approval and direct activation of temporary permissions through an approval-permission dynamic coupling mechanism, which enables temporary permissions to take effect directly through online approval workflows without creating new roles, thereby effectively avoiding role explosion; (2) to significantly improve permission calculation efficiency through a rule number-driven incremental update algorithm, ensuring that permissions can be rapidly downloaded to front-end devices in emergency situations; (3) to achieve complete auditability of access decisions through a permission-rule traceability framework, which links each permission to its source rule via an “association rule” field, ensuring that permission management complies with medical regulations regarding privacy and medication security, and providing technical support for post-hoc auditing and responsibility tracing. The I_ABRAC model aims to achieve automated permission assignment, online approval processes, real-time permission updates, and traceable permission management, providing a solid technical foundation for hospital clinical safety and patient privacy protection.
Collectively, these four dimensions establish I_ABRAC as a novel solution tailored to the unique requirements of hospital physical access control, rather than a trivial recombination of existing access control paradigms.
2 Related works
2.1 Application of access control models in medical informatics
Access control models have been widely used in medical informatics to address data security and personnel management issues. RBAC-based models are applied in hospital information systems (HISs) for role-based permission allocation, but their lack of dynamics,36,37 susceptibility to human intervention errors,38,39 role explosion,27–29,40 and lack of fine granularity36,37 make them unable to adapt to temporary permission adjustments during epidemics. ABAC models are used for fine-grained control of medical data access (e.g., electronic health records (EHRs)),7,12 but their high policy management costs and performance overhead limit their application in large hospitals.41,42 ABRAC models integrate roles and attributes for permission control, and are used in medical IoT and cloud service platforms.9,11 For example, in access control systems, logical expressions such as (A∩B) ∪(C∩D) are used to filter personnel and access points, and the Cartesian product of filtered sets is calculated to obtain permission sets. 6 This enables visualized permission configuration, but still suffers from role explosion and redundant rules in complex medical scenarios.29,32,35
Recent studies have attempted to optimize these models for medical scenarios. Pan et al. 43 proposed a role quality evaluation method to reconfigure permissions, but it cannot handle real-time dynamic changes (e.g., temporary personnel permission allocation during epidemics). Shen et al. 44 designed a role discovery model based on attribute exploration to solve multi-department collaboration issues, but the generated “static roles” cannot respond to temporary needs, requiring manual configurations that increase security risks. Alanazi 29 addressed RBAC’s security and efficiency flaws in medical IoT scenarios by developing an ECC-TLAF framework integrating triple-layer authentication (device-network-application) and elliptic curve cryptography, which improved attack detection rates and reduced latency compared to traditional RBAC. However, this framework still relies on pre-defined role boundaries and fails to resolve role explosion in complex clinical environments with overlapping personnel roles across departments. In terms of rule redundancy, researchers have proposed conflict detection, 45 rule similarity detection, 46 and policy entry reduction methods, 47 but these tools have high time costs for large-scale policies and fail to resolve logical-level redundancy. 48 Ameer et al. 6 proposed a hybrid ABAC-RBAC model based on blockchain for multi-domain permission collaboration, but it does not address role redundancy and real-time performance in medical scenarios. O. D et al. 32 reduced the number of roles through role clustering, but did not optimize dynamic permission calculations. Notably, Aslam et al. 28 introduced blockchain-based trust certificates to streamline multi-entity authentication in IoMT, which reduced authorization burdens but did not extend to physical access control or resolve static role-related delays in emergency scenarios. These researches indicate that completely eliminating redundancy is impractical in real-world scenarios.49,50 Therefore, policy conflicts in access control permissions within healthcare environments cannot be completely avoided.
Beyond policy conflict resolution, recent years have also seen several system-level frameworks that address scalability, security, and system constraints in a more principled manner. Sarma and Moulik proposed SAMIT 51 and SMAC, 52 which extend Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with multi-authority support, dynamic attribute updates, and attribute unification for fog/cloud-enabled IoT environments. e-SAFE 53 further incorporates attribute convergence, user revocation, and privileged access in a CP-ABE framework for e-health applications. FRESH 54 addresses fault-tolerant real-time scheduling on heterogeneous multiprocessor platforms. However, these CP-ABE-based schemes operate under an online real-time authorization model, where each access request triggers attribute verification and decryption operations against a central authority. In contrast, hospital physical access control systems operate in a fundamentally different “compute-then-download” mode. As elaborated in Section 1, this mode requires permissions to be fully calculated on backend servers and batch-synchronized to distributed door controllers before any access can be granted, distinguishing physical access control from online authorization systems such as hospital HIS where real-time verification against a central database is feasible. This architectural difference has three direct implications. First, regarding scalability, CP-ABE’s per-request latency does not translate to batch permission computation. Second, regarding system constraints, CP-ABE assumes continuous network connectivity for real-time verification, whereas door controllers operate offline once permissions are downloaded, making timely permission updates critical for clinical workflow continuity. Third, regarding security, none of these frameworks provide permission-rule traceability for compliance auditing.
In parallel, blockchain technology has emerged as another promising direction for decentralized security in healthcare. Bose et al. 55 proposed Quantum-Secure HealthChain, combining Quantum Key Distribution (QKD) with blockchain to secure cloud-based healthcare data, achieving 105 transactions per second with quantum biometric authentication. Saha et al. 56 introduced an edge-enabled quantum-safe framework for vaccine supply chain optimization, integrating multi-access edge computing, post-quantum cryptographic protocols (CRYSTALS-Kyber, CRYSTALS-Dilithium, SPHINCS+), and blockchain consensus, demonstrating 68.2% latency reduction and 188.2% throughput improvement. Dutta et al. 57 developed QBUILD, a quantum-resistant blockchain architecture for construction supply chains based on Hyperledger Fabric with lattice-based encryption, achieving 50% improved security resilience, 40% latency reduction, and 35% traceability improvement. While these blockchain-based frameworks offer decentralized trust and tamper-proof audit trails, they similarly focus on data sharing and supply chain traceability rather than physical access control. None address the batch permission computation challenge or provide permission-rule traceability for compliance auditing.
2.2 Limitations of existing studies in medical scenarios
The existing studies lack sufficient consideration of the unique characteristics of medical environments:
Even the latest optimized frameworks have these limitations: Alanazi’s ECC-TLAF framework was validated primarily on resource-constrained IoT devices rather than real multi-campus hospital systems, lacking verification of its adaptability to large-scale personnel collaboration; Aslam et al.'s blockchain-based model, while addressing multi-entity authentication, did not integrate compliance controls for medical privacy regulations (e.g., fine-grained restriction of access to special clinical areas such as the Endoscopy Center) and failed to demonstrate rapid permission adjustment capabilities in epidemic-like emergency scenarios. Frameworks such as SAMIT, e-SAFE, and QBUILD, despite their contributions, operate under different paradigms — they evaluate per-request latency, whereas I_ABRAC evaluates batch computation time — and thus do not support direct quantitative comparison. None of the existing frameworks address data complexity characterization or privacy-preserving decentralized training, which are increasingly critical for large-scale healthcare deployments.
This study addresses these limitations by designing a healthcare-oriented I_ABRAC model, verifying its effectiveness in a real tertiary hospital, and ensuring compliance with medical regulations.
3 Methods
3.1 Overview of the I_ABRAC model
By integrating the advantages and limitations of RBAC, ABAC, and ABRAC, and targeting the unique demands of medical scenarios—including dynamic permission adjustments, strict compliance requirements, and fine-grained control—this study proposes the Improved Attribute-Based Role Access Control (I_ABRAC) model. Built on the foundational framework of ABRAC, I_ABRAC introduces three key innovations to address the limitations of existing approaches.
First, an approval-permission dynamic coupling mechanism enables temporary permissions to take effect directly through online approval workflows without creating new roles, effectively preventing role explosion while ensuring compliance with the principle of least privilege. Second, a rule number-driven incremental update algorithm optimizes the permission calculation process by processing only modified rules or changed personnel attributes (e.g., department, position) and access point attributes (e.g., functional area, security level) within rules, rather than performing full recomputation for all personnel, reducing time complexity from (pg0 * pg1 * …* pgk * papp * pd + 2 * p * p’) to (M*p’). Third, a permission-rule traceability framework links each permission to its source rule via an “association rule” field, enabling precise compliance auditing and backward impact analysis. Figure 1 illustrates the complete workflow integrating these three mechanisms. Improved attribute-based role access control (I_ABRAC) model.
3.2 Core mechanisms of I_ABRAC
The I_ABRAC model comprises two complementary mechanisms that work in tandem: rule-based role mapping for routine permission assignment, and an approval strategy for handling exceptions.
3.2.1 Rule-based role mapping
The rule-based role mapping forms the foundation of routine permission assignment in I_ABRAC. Unlike traditional RBAC, which requires administrators to manually define roles and assign users to them, I_ABRAC automatically determines a subject’s role based on rule-defined attribute combinations.
3.2.2 Approval strategy for medical scenarios
The approval strategy provides a supplementary mechanism for granting individual object permissions when the rule-based role mapping cannot meet specific medical needs. It involves a point-to-point workflow where a subject initiates a permission application via a mobile terminal or computer client, and the approver reviews and approves it online. 60
The core innovation of the I_ABRAC approval strategy is the approval-permission dynamic coupling mechanism, which has two key features: 1) Direct permission writing. The approval result directly writes the subject-object permission relationship into the permission table without modifying any rules. For example, if a doctor applies for “temporary access to a restricted area”, the system automatically adds a time-limited permission entry to the doctor’s account and triggers the permission calculation engine. 2) End-to-end online workflow. Both the application and approval processes are completed online, eliminating manual permission reconfiguration. This reduces administrative costs and avoids human errors (e.g., missed configurations) that could violate medical regulations.
3.3 Formal definition of the I_ABRAC model
Based on the description of the improved role-based control model, the core components of the I_ABRAC model are formally defined as follows.
3.3.1 Basic entity definitions
Let SU, OB, R, and P denote the sets of subjects, objects, roles, and permissions respectively. Let A and B denote the subject attribute set and object attribute set, containing all possible attribute values. Let OP denote the operation set.
p = (su, ob, op, constraints, type, effect).
where: • su ∈ SU is the subject, • ob ∈ OB is the object, • op ∈ OP is the operation, • constraints is a set of attribute conditions (e.g., time constraints t ∈ [start, end], location constraints), • type ∈ {static, approval-derived, time-bound} indicates the nature of the permission, • effect ∈ {grant, deny} indicates whether the permission allows or denies access.
The set of all permissions is denoted as P. A permission p is considered
3.3.2 Dynamic role strategy variables
where su_vark (k ∈ {i, i+1, …, i+n}), and su_vark ∈ A.
where ob_vark (k ∈ {i, i+1, …, i+n}), and ob_vark ∈ B.
3.3.3 Approval strategy variables
App_Perm = (App_Subject, App_Object, op, constraints_app, approval-derived, grant).
where App_Subject ∈ SU is the requesting subject, App_Object ∈ OB is the requested object, and constraints_app includes an expiration time t_expire.
• pending: the request has been submitted but not yet reviewed by an approver • approved: the request has been granted by the approver • active: the corresponding permission App_Perm [i] is valid and enforceable (from approval time until expiration or revocation) • expired: the permission has passed its t_expire and is automatically removed from App_Perms • revoked: the permission has been manually terminated by an authorized administrator prior to expiration
3.3.4 Authorization decision logic
• G(t) = {p ∈ (Dyn_Perms(G) ∪ App_Perms) | p is valid at time t and p. effect = grant} • D(t) = {p ∈ Dyn_Perms(D) | p is valid at time t and p. effect = deny}
• If ∃ p ∈ D(t) such that p. su = su, p. ob = ob, p. op = op, then Auth = deny (deny overrides all grants) • Else if ∃ p ∈ P_eff(t) such that p. su = su, p. ob = ob, p. op = op, then Auth = grant • Else Auth = deny
• p. type = static: always valid unless explicitly revoked • p. type = approval-derived or p. type = time-bound: valid only if t ≤ p. expiration_time • all attribute constraints in p. constraints are satisfied • all contextual constraints (e.g., time_of_day, emergency_mode) in p. constraints are satisfied at time t
• p is immediately removed from App_Perms • The revocation event is recorded in an audit log • Any subsequent access request relying on p is denied
3.3.5 Formal security properties
Based on the defined authorization logic, I_ABRAC satisfies the following properties:
3.4 Optimization of the permission calculation process for medical scenarios
To address inaccuracies in permission calculation and excessive performance overhead induced by redundant rules in medical scenarios, we propose an optimization for the dynamic role-permission calculation process. The optimization specifically focuses on two critical objectives: minimizing latency during emergency permission updates and ensuring compliance with hospital management regulations.
The time consumed for the permission calculation mainly depends on the server performance, data volume, and time complexity of the algorithm. When the physical server performance and data volume cannot be changed, optimizing the algorithm’s time complexity is the primary way to reduce the time consumed for permission calculation. Therefore, optimizing the permission-change-logic algorithm becomes particularly important.
Subsequently, we provide a further detailed explanation of the optimization algorithm for permission change logic, encompassing its formal definition, database design, algorithmic comparison, and permission calculation process.
3.4.1 Supplementary notation for permission calculation
To facilitate the description of the permission calculation process, we define the following notation:
3.4.2 Database Table Design for healthcare
We establish three interlinked database tables: 1) Total Permission Table, which stores valid permissions with a composite primary key (subject ID, object ID) and includes “association rule”, “creation time”, and “expiration time” fields—the association rule field links each permission to its source rule, enabling traceability; 2) Permission Update Table, which records permission changes with change type, operator, and timestamp; 3) Permission Rule Table, which stores rule configurations including rule type, compliance requirements, and effective scope.
The permission-rule traceability mechanism operates through the association rule field in the Total Permission Table, which links each permission to its source rule. This design enables targeted updates without full table traversal—critical for rapid permission adjustments in medical emergencies—while simultaneously providing complete auditability of permission decisions. The traceability supports both forward tracing (from permission to governing rules) and backward impact analysis (from rule changes to affected permissions), directly addressing healthcare compliance requirements where access decisions must be demonstrably linked to specific authorization policies.
For incremental updates, deny rules are precomputed into a deny_permissions_set; any allow permission whose key appears in this set is filtered out before insertion, ensuring deny-override semantics.
3.4.3 Conventional permission calculation method
The conventional algorithm generates permission sets by computing the Cartesian product of all rule sets and merging the results. Based on the formal definitions in Section 3.3, the total permission set is expressed as:
3.4.3 1 Single changed rule (k = 0)
The total number of traversed rows is
Count = p * p’. (i.e., a full comparison between the current and original permission sets).
3.4.3 2 Multiple changed rules (k ≥ 1)
Owing to the existence of permission overlap and redundancy, it is necessary to superimpose the results after calculating the multiple rules to obtain the final number of previous changes. The number of traversed rows in the process of integrating the total permission sets is pg0*pg1*…*pgk*papp*pd.
Data that exist in N [su][ob] but not in N’ [su][ob] are new data, and data that do not exist in N [su][ob] but exist in N’ [su][ob] are deleted. This process is divided into two steps: first, traverse and compare N [su][ob] and N’ [su][ob], record the new and to-be-modified data, and insert them into N’ [su][ob], where the number of traversed rows is p*p’. Then, a left join is performed on N [su][ob] and N’ [su][ob] to get the rows to be deleted, which requires the traversal of p*p’ rows.
Therefore, the total number of traversed rows is as follows:
Using this algorithm to calculate permissions will result in the need to traverse (pg0*pg1*…*pgk) +2* (p*p’) rows every time permissions are issued, regardless of whether there are changes in permissions. This leads to excessively long waiting times, and even situations where the previous permission calculation task has not yet been completed yet another one starts, causing the system to crash and fail to operate normally.
3.4.4 Permission calculation optimization algorithm
Considering that the number of permission rules remains relatively small and stable, the optimization solution shifts from the original individual user-based polling method to a policy rule-based polling approach. Specifically, each row of data in the total permission table includes an additional “association rule” field that records which rules have generated this permission.
The optimized algorithm processes only changed rules. The pseudocode is as follows:
3.4.4.1 Single changed rule (k = 0)
When there is only one grant rule (k = 0), the current total number of permission rows is
The number of permission change rows is mg0, and the total number of traversed rows is as follows:
Count = p’ * mg0. (i.e., comparing the mg0 changed rows against each of the p' original permission rows).
3.4.4.2 Multiple changed rules (k ≥ 1)
When multiple rules change, the optimized algorithm processes only the changed rules, subject, object. The total number of changed rows across all changed rules is M = Mg + Md.
All modification operations on the previous global permission set N' [su][ob] are performed by matching these M changed rows against the existing p' historical permission rows. Consequently, the total number of traversed rows is:
3.4.4.3 Performance ratio
The performance ratio r = Count_conv/Count_opt is
3.4.5 Algorithm advantages
The conventional algorithm traverses all rules regardless of whether they have changed, with complexity proportional to the Cartesian product of all rule sets. In contrast, the optimized algorithm only processes rules that have actually changed. Let M be the total number of changed elements across all changed rules, and p' be the size of the previous permission set. The optimized algorithm traverses M × p' rows, compared to the conventional algorithm which traverses approximately (pg0*pg1*…*pgk*papp*pd) + (p*p’) + (p*p’) rows. The key insight is that the performance advantage grows with the number of unchanged rules. When most rules remain unchanged, M is small and the optimized algorithm runs much faster than the conventional algorithm. This advantage is most pronounced in hospital environments where routine updates (e.g., a few personnel changes) are far more frequent than full-scale rule reconstructions.
3.4.6 Detailed description of the permission calculation process
In conjunction with diagrammatic illustrations, the I_ABRAC model was employed to present a detailed elucidation of the permission calculation process utilizing table structures.
Permission summary list.
Note: Bold entries indicate permission changes relative to the previous state. Personnel4→Door1 and Personnel3→Door3 are newly added permissions (generated by updated rules), while Personnel3→Door2 is a revoked permission (marked as Invalid). Moreover, entries with actual permission changes are obtained, as shown in Table 2.
Permission change summary.
As seen from the above tables, only three updated permissions actually need to be issued: adding the permissions between Person 4 and door1, between Person 3 and door4, and deleting the permission between Person 3 and door2.
The following characteristics can be observed from the permission change process: 1) The permission relationship corresponding to personnel2 and door2 falls within the overlapping area of rule1 and rule2. However, only after rule2 is modified is the permission relationship between personnel2 and door2 deleted. Ultimately, the permission changes do not involve the corresponding permission relationship between personnel2 and door2. 2) The initial final permission relationship between personnel3 and door1 is governed by rule1. After rule2 is modified, the permission relationship between personnel3 and door1 is added. Finally, the permission changes do not involve the corresponding permission relationship between personnel3 and door1.
Therefore, the calculation of the number of permission changes will significantly affect the permission update speed.
After the permission calculation and subsequent aggregation, a schematic diagram of the updated total permission table is obtained, as presented in Table 1.
Change status relationship table.
4 Experiment and results
4.1 Experimental setup
4.1.1 Experimental assumptions
The experiments in this study were conducted under the following conditions, which reflect the dedicated network infrastructure of the participating hospital: 1)The network connection between the central permission server and distributed door controllers was reliable and available throughout the permission update cycles; 2)Permission synchronization latency was negligible compared to the permission calculation time; 3)All door controllers were assumed to receive consistent permission updates within a bounded time window.
These conditions represent the typical deployment scenario of the hospital’s access control system, which operates on a dedicated intranet.
4.1.2 Test environment and scenarios
To validate the applicability of the I_ABRAC model in real-world medical environments without interfering with hospital operations, we exported operational data from the access control systems of three of FAHZU’s six campuses: Qingchun, Chengzhan, and Daxue Road. After complete de-identification, all experiments were conducted on a standalone desktop machine to ensure no impact on the hospital’s live systems. The extracted dataset is characterized by: 1) Approximately 20,000 personnel with high mobility 2) Over 2,000 access control points 3) Diverse and frequently overlapping staff roles 4) Dynamic functional area adjustments 5) Strict compliance requirements for personal privacy and medication security
These characteristics align perfectly with the core challenges our model aims to address: role complexity, attribute dynamics, permission conflicts, and regulatory compliance.
4.1.3 Data source and preprocessing
The experimental data were exported from the operational access control systems of FAHZU. Following de-identification, all experiments and analyses were performed on a standalone desktop machine, with no direct connection to or impact on the hospital’s live systems. The dataset comprises operational data from FAHZU’s access control systems up to the cutoff date of 30 September 2025. The dataset captured the status of personnel attributes, departmental affiliations, and access control rule configurations as of this date. It included 57 active access control rules, covering approximately 20,000 personnel and over 2,000 access points across three campuses. The extracted fields included department, position, duty, employment nature, attached department, and access point functional descriptions.
All identifiable information was systematically de-identified prior to analysis. Department names, position titles, duty names, employment nature, and attached department names were replaced with standardized alphanumeric codes (e.g., Dept_01, PT01, Duty_01, NAT01, AT_01) according to a pre-defined de-identification mapping table. Access points were labeled by functional category only, and personnel were represented by anonymized unique identifiers.
For performance and functional correctness testing, synthetic test user profiles were created. These profiles contained modifiable attributes (Department, Position, Employment Status, Gender, etc.), enabling the simulation of a wide range of real-world scenarios—including cross-departmental roles, temporary assignments, and emergency redeployments—without interacting with actual patient or staff data. This approach ensured controlled, reproducible testing while adhering to ethical data use standards.
4.1.4 Experimental platform configuration
1)Hardware
The experiments were conducted on a desktop system running Windows 10 Professional. The hardware specifications were as follows: ● Processor: Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (4 cores). ● Memory: 20 GB DDR3 RAM. ● System Disk: 447 GB Solid State Drive (SSD).
This configuration provided the necessary computational power and storage efficiency to handle large-scale permission calculations while maintaining the integrity of audit trails—a critical requirement for compliance in healthcare settings. 2)Software
Python 3.9.2 was used exclusively for the entire experimental workflow. This included: (1) implementing the I_ABRAC model and the conventional comparative algorithm; (2) loading and processing the permission rules and attribute data from flat files (CSV format); (3) executing all permission calculation and update operations; and (4) measuring and logging performance metrics. No external database system was used during computation to eliminate potential performance interference; data persistence and audit logging were handled through Python’s native file I/O operations.
4.2 Experimental results
Through comparative experiments between the I_ABRAC model and a conventional permission calculation algorithm under the simulated hospital scenarios described in Section 4.1, we obtained the following key findings across three performance dimensions: 1)Role Quantity (RQ): The total number of unique roles required to model the hospital’s access policies. 2)Functional Correctness (FC): The proportion of test cases where the permission output generated by I_ABRAC matches the manually verified expected result. This reflects the model’s ability to correctly resolve permission redundancies and enforce the defined access logic. 3)Execution Time (ET): The latency for completing a permission update cycle.
4.2.1 Role Quantity reduction
Comparison of role quantities across access control models.
Note. The “Number of Roles” for RBAC, ABAC, and ABRAC represents the total policy entities required to achieve equivalent access control coverage in the hospital environment. This includes both baseline roles/attribute-templates and additional entities generated through individual authorization assignments (e.g., ad-hoc approvals, special permissions). I_ABRAC significantly reduces this count by integrating individual approvals directly into its dynamic coupling mechanism without creating separate policy entities.
This significant reduction is primarily attributed to the “approval-permission dynamic coupling mechanism,” which handles temporary and cross-departmental permissions through workflow approvals rather than creating dedicated roles.
4.2.2 Functional correctness testing
To evaluate the model’s functional correctness in handling complex and redundant permission scenarios, we designed a controlled test based on the hospital’s existing access control policies. 1) Test Data and Scenario:
The test leveraged 57 real-world access control rules from the hospital’s access control system. To simulate a high-redundancy environment without artificial replication, all 57 grant rules were utilized directly, comprising the complete set of real-world rules and inherently containing natural redundancy. In addition, 3 deny rules were configured specifically for the test area to enforce privacy restrictions, bringing the total rule count to 60. The access point for the female changing room in the Endoscopy Center was selected as the test object. This area represents a typical scenario with strict patient privacy compliance requirements and a known potential for permission conflicts due to overlapping access rights among multiple clinical departments.
To avoid any interaction with or alteration of real patient or staff data, a synthetic test user profile was created exclusively for this evaluation. This profile, identified as “Test_Person,” was designed with modifiable attribute fields—including Employee ID, Position, Department, Duty, and Employment Status—allowing for the simulation of various real-world roles and scenarios without compromising data security or privacy. 2) Permission Policy and Logic:
The access policy for the test area was formally defined to include personnel from Dept_04, physicians from Dept_02, Dept_01, and Dept_03, as well as regular employees of administrative departments (e.g., Dept_07–Dept_10) and Dept_13.
This policy was implemented using the ABRAC model, which translates the access logic into the following formal expressions:
where the attributes A–J correspond to personnel attributes such as primary department, position, attached department, duty, and context-specific factors. The complete attribute mapping is provided in the supplementary materials. 3) Testing Protocol and Results:
We systematically configured the “Test_Person” profile into 16 distinct attribute combinations, covering critical cases such as cross-departmental roles and temporary assignments, and deny-rule enforcement (rows with Permission = False). For each configuration, the permission output generated by the I_ABRAC model was compared against the manually verified expected result.
Personnel attributes and permissions correspondence.
4.2.3 Computational performance
We evaluated the computational efficiency of I_ABRAC through a comprehensive stress test spanning 8 personnel scales (2,500 to 20,000 personnel) and 3 rule scales (20, 40, and 60 rules). The 8 personnel scales were constructed by equidistant sampling from the full dataset of 20,000 personnel (sorted by unique identifiers). As detailed in the functional correctness testing section, the complete rule set comprised 57 real-world grant rules plus 3 deny rules added for testing (total 60 rules). The 20- and 40-rule configurations were created by equidistant sampling from this complete 60-rule set, ensuring that the proportion of deny rules was consistently maintained across all configurations. For each combination, we ran 16 test scenarios, totaling 384 test points (8 × 3 × 16).
Performance comparison between conventional and I_ABRAC algorithms across personnel and rule scales.
*Note. Mean Execution Time values are presented as mean ± standard deviation. Speedup Factor = Conventional Mean Time/I_ABRAC Mean Time.
Figure 2 compares the execution time between the two algorithms, Figure 3 shows the improvement ratio distribution. Execution time comparison between the conventional full-traversal algorithm and the proposed I_ABRAC algorithm across personnel and rule scales. Quantitative distribution of execution time improvement ratio of I_ABRAC under all test configurations.

Adversarial Test Robustness. Across the 16 adversarial test scenarios, the I_ABRAC algorithm maintained stable performance with low standard deviations across all configurations, demonstrating robustness under challenging attribute combinations including cross-epartmental role transitions, temporary assignments, attribute extremes, and overlapping permissions.
5 Discussion
5.1 Comparative performance analysis
The experimental findings provide compelling evidence for the superior performance of the I_ABRAC model in addressing the complex access control requirements of large-scale healthcare institutions. Our comparative analysis against conventional models (RBAC, ABAC, ABRAC) reveals significant advancements across three key dimensions: role management efficiency, computational performance, and functional correctness, with an additional critical innovation in permission traceability.
5.1.1 Role management efficiency
Table 4 demonstrates a 68% reduction in system roles, with I_ABRAC requiring only 56 roles compared to 176 in traditional models. This substantial improvement addresses a critical limitation in large-scale healthcare environments where operational complexity spans multiple specialized campuses, over 20,000 personnel, and intricate cross-departmental collaborations. I_ABRAC’s innovative “approval-permission dynamic coupling mechanism” enables this reduction by decoupling fine-grained temporary access from permanent role creation, providing necessary agility for managing temporary assignments, visiting specialists, and rapid team formations while maintaining strict adherence to the principle of least privilege.
5.1.2 Computational performance and statistical validation
The data presented in Table 6 demonstrates an 83.3% improvement in permission calculation efficiency, with average processing time reduced from 54.96 ± 1.89 seconds to 9.96 ± 2.78 seconds—a 5.52× speedup. Statistical analysis via paired t-test across 16 test scenarios confirms the significance of this improvement (p < 0.001).
This performance gain is achieved through I_ABRAC’s “rule number-driven incremental update algorithm,” which processes only modified rules rather than performing full-table traversals as in conventional ABAC/ABRAC models. The result is particularly critical for emergency medical scenarios where rapid permission updates (achieving 9.96-second average calculation time) are essential for clinical workflow continuity during epidemic responses and large-scale departmental reorganizations.
5.1.3 Functional correctness and traceability assurance
As evidenced by the correct functional permission assignment across 16 complex test scenarios in Tables 5 and I_ABRAC demonstrates exceptional capability in handling permission redundancies and conflicts. This performance level is essential in healthcare institutions where regulatory requirements demand absolute precision in access control for sensitive areas including narcotic storage facilities, ICU wards, and research laboratories.
The model’s explicit ‘association rule’ field implementation provides a deterministic and auditable mechanism essential for healthcare compliance. Unlike conventional models where permission origins are obscured, I_ABRAC enables direct traceability from any permission entry back to its governing rules, ensuring that access decisions can be precisely audited against medical regulations (e.g., patient privacy protocols, narcotics access policies).
Comparative analysis of permission traceability capabilities.
5.1.4 Integrated advantages and comparative positioning
The collective data from Tables 4–6, and 7 establish I_ABRAC’s comprehensive superiority in balancing flexibility, efficiency, and accuracy—three often competing demands in healthcare access control. As demonstrated in Tables 7 and I_ABRAC’s permission-rule traceability represents a paradigm shift in healthcare access control auditability and management precision.
Compared with related work: (1) Aslam et al. focused on blockchain-based IoMT authentication but did not address the granular traceability of permission-rule relationships essential for healthcare compliance audits; (2) Alanazi’s ECC-TLAF framework optimized IoT sensor latency but lacked the rule-level auditing capabilities required for regulatory compliance in medical environments; (3) While RBAC provides structural simplicity, it lacks the dynamic rule-permission mapping that enables precise permission management in complex hospital environments where audit trails are legally mandated.
I_ABRAC’s unique rule-permission mapping provides unprecedented transparency in access control management, particularly valuable in compliance audits, security incident investigations, and permission revocation scenarios. As shown in Table 7, this capability directly addresses five critical challenges in healthcare access control, from compliance auditing to dynamic access management. This balanced approach effectively eliminates role explosion problems, computational bottlenecks, and accuracy issues that plague conventional models in large-scale healthcare environments
5.2 Implications for healthcare informatics
The demonstrated capabilities of I_ABRAC have significant implications for access control management in complex healthcare settings, particularly for institutions functioning as national referral centers with extensive research and teaching responsibilities.
5.2.1 Operational efficiency enhancement
The 83.3% reduction in permission calculation time directly supports enhanced clinical workflow efficiency. In both emergency situations and routine operations, the system’s responsiveness ensures healthcare professionals can access required resources without administrative delays, thereby supporting timely clinical decision-making and patient care delivery. The 9.96-second average processing time enables real-time permission adjustments that are critical for dynamic healthcare environments characterized by staff mobility, temporary assignments, and emergency response scenarios.
5.2.2 Security and compliance foundation
The model’s precision in permission management provides a robust foundation for meeting stringent healthcare regulations. By eliminating residual permissions and ensuring accurate access revocation—supported by the ability to trace permissions back to specific rules—I_ABRAC supports compliance with data protection standards and clinical safety requirements. As highlighted in Table 7, this traceability is particularly critical in environments handling sensitive patient information and controlled substances, where audit trails must demonstrate exactly why each permission was granted and through which authorization pathway. The correct functional permission assignment across complex scenarios ensures that access control decisions align precisely with institutional policies and regulatory mandates.
Traditional security threats (e.g., insider misuse, network attacks, unauthorized rule changes) are outside this paper’s scope and require complementary mechanisms. A comprehensive security analysis is identified as future work.
5.2.3 Scalability for growing institutions
The architectural innovations in I_ABRAC offer a scalable solution for expanding healthcare institutions. The model’s efficient handling of increasing numbers of roles, rules, and permissions—coupled with its 68% role reduction and 83.3% computational improvement—positions it as a sustainable access control solution for growing medical centers and healthcare networks. The hybrid architecture supports both the structural clarity needed for routine operations and the dynamic adaptability required for exceptional circumstances, making it suitable for institutions ranging from single-campus hospitals to multi-hospital health systems with diverse operational requirements.
5.2.4 Limitations and future directions
While the I_ABRAC model demonstrates significant advantages for physical access control in large hospitals, several limitations merit consideration, alongside opportunities for future research and development. 1)Representativeness of the experimental setting.
The model was validated at a large tertiary teaching hospital in China, a leading national medical center with over 20,000 staff, more than 2,000 access points, and multi-campus operations. This environment reflects the complexity, scale, and role diversity commonly encountered in top-tier hospitals in China and internationally. As such, the findings are likely generalizable to other large, multi-departmental institutions with similar operational profiles, including teaching hospitals, regional medical centers, and integrated healthcare systems. However, the model’s applicability to smaller community hospitals, specialized clinics, or facilities with distinctly different workflow patterns (e.g., outpatient-only centers) remains to be validated. Variations in staff structure, regulatory frameworks, and technical infrastructure may influence the model’s performance and configuration. Therefore, future studies should incorporate multi-center trials across diverse healthcare settings to further assess the model’s generalizability and adaptability. 2) Time overhead in initial global permission calculation.
It should be noted that the performance advantage of I_ABRAC is most evident in incremental permission updates. During the initial global permission calculation—such as system initialization, platform deployment, or extensive rule reconstruction—its time overhead may approximate or even exceed that of conventional algorithms. This occurs because each permission record must be annotated with an “association rule” field to establish a complete permission–rule mapping, a process essential for traceability but which incurs substantial database write operations. Notably, this overhead is typically a one-time cost incurred during system setup and does not diminish the model’s efficiency in daily incremental updates, which are far more frequent in operational healthcare environments. Thus, this computational cost represents a necessary and justified trade-off to achieve full permission traceability, a critical requirement for compliance and auditability in healthcare. 3) Current implementation scope and scalability.
The present version of I_ABRAC focuses primarily on physical access control. Significant opportunities exist for its integration with electronic health record (EHR) systems and other digital platforms, particularly where the permission traceability feature could enhance data access auditing—an increasingly critical need amid stricter healthcare data privacy regulations. Additionally, while the model effectively handles institutions with up to 20,000 personnel, ultra-large rule sets (beyond the scales tested in this study) may benefit from distributed computing approaches to maintain performance without compromising the integrity of the rule-permission mapping. Additionally, while adversarial scenarios were tested, independent security audits would be necessary for high-security deployments. 4)Emergency access formalization.
The current I_ABRAC model implements a strict Deny-override principle (Definition 19), where any applicable deny permission overrides all grant permissions. While this design ensures safety for routine operations, it does not support emergency scenarios that may require overriding existing deny rules (e.g., allowing a staff member to enter a normally restricted area during a cardiac arrest or epidemic outbreak). A complete formalization of emergency override semantics—including its interaction with the Deny-override principle and the conditions under which overrides are permitted—remains beyond the scope of this paper and is identified as an important direction for future work. 5) Future research directions.
To address these limitations and expand the model’s applicability, several promising research directions emerge. Future work should focus on the following areas: ● Exploring distributed and concurrent processing strategies to enhance scalability. The current implementation processes permission change requests sequentially, which eliminates race conditions and is sufficient for typical hospital workloads. For ultra-large-scale or multi-hospital deployments, future work could explore: (i) sharding by rule groups to enable parallel rule processing; (ii) distributed computing architectures that preserve permission-rule traceability across multiple nodes. ● Developing integration frameworks for comprehensive security management across both physical and digital domains, leveraging the traceability feature. ● Investigating blockchain-based solutions to provide immutable audit trails in compliance-sensitive scenarios, which could complement I_ABRAC’s rule-permission mapping. ● Conducting further validation across diverse healthcare settings to strengthen the model’s generalizability and robustness. ● Extending the model to support predictive permission assignment based on staff schedules, department workflows, and historical access patterns, which could further enhance operational efficiency while maintaining traceability ● Formalizing emergency override semantics that can safely interact with the Deny-override principle while maintaining compliance with healthcare regulations. ● Exploring adaptation of I_ABRAC to enable meaningful comparison with online policy engines (e.g., OpenFGA, OPA). Direct quantitative comparison is currently not feasible due to architectural differences (online per-request vs. batch pre-computation), but hybrid approaches that combine both paradigms remain an open research direction. ● Developing automatic static detection methods for Separation of Duty and Conflict of Interest conflicts at rule configuration time, extending the current runtime enforcement mechanisms.
5.2.5 Conclusion
I_ABRAC represents a significant advancement in healthcare access control systems, successfully addressing the unique challenges of large-scale medical institutions through its innovative integration of role-based and attribute-based approaches. The model’s demonstrated performance improvements—68% role reduction, 83.3% computational efficiency gain with statistical significance (p < 0.001), and correct functional permission assignment—are complemented by its groundbreaking permission-rule traceability capability as detailed in Table 7. This comprehensive feature set positions I_ABRAC as a valuable solution for addressing the security and efficiency challenges of modern healthcare delivery, while providing technical mechanisms that can be leveraged to meet regulatory compliance requirements. By providing both the structural clarity of role-based management and the dynamic adaptability of attribute-based control, while maintaining precise rule-permission traceability, I_ABRAC establishes a new benchmark for access control systems in complex healthcare environments.
Ethical considerations
This study was approved by the Clinical Research Ethics Committee of the FAHZU (Approval Number: [2026B] IIT Ethics Approval No.0180). The data used in this study are pre-existing, fully de-identified operational data from the hospital’s routine access control system, with a cutoff date of 30 September 2025. As these data were generated as part of routine hospital operations prior to the initiation of this research, the ethics committee reviewed the study protocol and granted a waiver of informed consent due to the retrospective nature of the study and the use of de-identified data. The authors did not have access to any information that could identify individual participants during or after data collection.
Footnotes
Acknowledgements
During the preparation of this work, the authors used AI-assisted language polishing tools to improve readability and grammar. After using these tools, the authors reviewed and edited the content as needed and take full responsibility for the content of the publication.
Consent for publication
This study does not involve individual patient data or any personally identifiable information of patients. The institutional data used in this study (including hospital staff role categories, access point configurations, permission calculation performance metrics, and 57 access control rules) were obtained with the formal approval of the participating tertiary hospital. The hospital management has confirmed consent for the publication of these de-identified institutional data as part of this study. No additional consent from individual subjects is required, as the study does not involve human participants or their personal information.
Author contributions
Minshi Wang: Conceptualization, Methodology, Software, Validation, Investigation, Writing – original draft, Writing – review & editing. Min Xu: Methodology, Formal analysis, Data curation, Validation, Writing – review & editing. Min Zhou: Conceptualization, Supervision, Project administration, Writing – review & editing, Corresponding author. All authors have read and approved the manuscript.
Funding
The authors received no financial support for the research, authorship, and/or publication of this article.
Declaration of conflicting interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
The data that support the findings of this study are available from FAHZU, but restrictions apply to the availability of these data, which were used under approval for the current study, and so are not publicly available. Data are however available from the authors upon reasonable request and with permission of the hospital.
