Modern enterprise systems, e.g., enterprise resource planning (ERP) and customer relationship management (CRM) systems, enforce a variety of different and complex security policies. Moreover, more and more enterprises operate in regulated markets and thus need to prove that their information technology (IT) systems comply with the applicable regulations.
IT systems implement fine-grained access control mechanisms to protect the assets of the enterprise and to comply with regulations, e.g., the Sarbanes-Oxley Act (SoX) in the financial sector and the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector. In general, however, access control cannot fully capture all requirements. For exceptional situations in particular, it is difficult to formulate access control policies that take all possible legitimate accesses into account. Consider, for example, a physician who requires access to a patient's information in an emergency, although no treatment relationship between the physician and the patient has been established yet.
Exceptional access control is an approach for allowing users to override access control decisions, e.g., in emergency situations. Different approaches and techniques have been presented to enable users to override access control restrictions in a controlled manner.
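The following is an added illustration of the "controlled override" idea described above; it is not code from this paper or from any of the approaches it surveys. It assumes a minimal policy model (a set of established treatment relationships, a set of roles permitted to invoke the override, and a set of actions the override may cover) and an audit record format; all names, roles and the sample relationship data are constructed for the example.

```python
"""Break-glass (exceptional access) decision logic.

Added example, not code from the paper. The policy model, role names,
patient identifiers and the audit record format are assumptions.
A request is decided in three ways:
  - "permit"           : normal authorisation (treatment relationship exists)
  - "deny"             : no authorisation; the decision carries a flag telling
                         the user whether an emergency override is available
  - "permit_override"  : the user explicitly invoked the override, supplied a
                         justification, and an audit record was written for
                         post-hoc review
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: (physician, patient) pairs with an established
# treatment relationship, i.e. the normal basis for granting access.
TREATMENT_RELATIONSHIPS = {("dr_lee", "patient_42")}

# Only these roles may invoke the override, and only for these actions.
# Limiting the scope of the override is what keeps it "controlled".
OVERRIDE_CAPABLE_ROLES = {"physician"}
OVERRIDE_ACTIONS = {"read"}


@dataclass
class Decision:
    effect: str                      # "permit", "deny" or "permit_override"
    reason: str
    override_available: bool = False  # meaningful only when effect == "deny"


@dataclass
class AuditLog:
    """Append-only list of override records; every override must land here."""
    entries: list = field(default_factory=list)

    def record(self, **fields):
        self.entries.append(fields)
        return fields


def has_treatment_relationship(subject: str, patient: str) -> bool:
    return (subject, patient) in TREATMENT_RELATIONSHIPS


def decide(subject: str, role: str, patient: str, action: str,
           justification: Optional[str] = None,
           log: Optional[AuditLog] = None) -> Decision:
    """Decide a request; justification=None means a normal (non-override) request."""
    # 1. Normal path: the regular policy grants access, no override needed.
    if role == "physician" and has_treatment_relationship(subject, patient):
        return Decision("permit", "established treatment relationship")

    can_override = role in OVERRIDE_CAPABLE_ROLES and action in OVERRIDE_ACTIONS

    # 2. Normal request without authorisation: deny, but tell the user
    #    whether break-glass is an option for this role/action combination.
    if justification is None:
        return Decision("deny", "no treatment relationship",
                        override_available=can_override)

    # 3. Explicit override request: enforce the constraints that keep it controlled.
    if not can_override:
        return Decision("deny", "override not permitted for this role or action")
    if not justification.strip():
        return Decision("deny", "override requires a justification")
    if log is None:
        # Refuse rather than grant an override that cannot be audited.
        return Decision("deny", "override requires an audit log")

    log.record(
        timestamp=datetime.now(timezone.utc).isoformat(),
        subject=subject, role=role, patient=patient, action=action,
        justification=justification.strip(),
        reviewed=False,  # cleared later by a human post-hoc review process
    )
    return Decision("permit_override", "emergency override granted; audit recorded")


if __name__ == "__main__":
    audit = AuditLog()
    print(decide("dr_lee", "physician", "patient_42", "read"))
    print(decide("dr_kim", "physician", "patient_42", "read"))
    print(decide("dr_kim", "physician", "patient_42", "read",
                 justification="ER admission, patient unconscious", log=audit))
    print(audit.entries)
```

The design point is that the override is not a second way to say "permit": it is a distinct decision outcome that is only reachable through an explicit user action, is restricted in scope (role and action), refuses to proceed if it cannot be audited, and leaves a record that must later be reviewed.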