Computing Reviews
A system for timely and controlled information sharing in emergency situations
Carminati B., Ferrari E., Guglielmi M. IEEE Transactions on Dependable and Secure Computing 10(3): 129-142, 2013. Type: Article
Date Reviewed: Sep 12 2013

An access control system should support the ability to make changes in response to emergencies. The authors of this paper propose a model for making such changes during medical emergencies, which are actually business as usual in a hospital. Such emergencies require predictable, context-dependent, temporary, and dynamic changes to authorizations.

The authors use the core event specification language to trigger the start and the end of an emergency condition. Temporary access control policies (TACPs) are activated when an emergency is detected and are parameterized with specific emergency instance data, such as the specific actors involved.

The framework must be constrained to address the possibility of overlaps between start and end emergency conditions. The proposed model calls this the simultaneous holding problem (SHP). The authors propose constraints to address the SHP and prove that they correctly handle it.

The paper describes administration policies designed to ensure that emergency managers securely introduce TACPs. New policies issued are checked against the administration policies. The possible result is not just “ok” or “not ok,” because the proposed policy may be rewritten automatically to comply with the administration policy. The authors prove that only compliant policies will result.

The last part of the paper presents the performance results for a prototype implementation, which seem acceptable.

Predictable situations should not be treated as exceptions that are ad hoc and insecure. This paper provides a basis for a complete and better approach for such emergency situations.

Reviewer:  A. Mariën Review #: CR141542 (1311-1018)
Access Controls (D.4.6 ... )
Medical Information Systems (J.3 ... )
Privacy (K.4.1 ... )
Security and Protection (K.6.5 )