Conditional Access
Conditional access is a security feature that uses dynamic context-based policies to determine who can access which resources under what circumstances. Unlike static models like role-based access control (RBAC), conditional access introduces "condition" factors like device health, network location, user risk level, or time, which refine access decisions beyond simply assigning permissions to a role. This ensures that individuals or vendors are granted the precise level of access they need, exactly when they need it, aligning with the principle of least privilege and bolstering organizational security.
For conditional access, role-based access remains the foundation: users are grouped into roles (e.g., “doctor,” “nurse,” or “administrator”), each with a defined set of permissions based on job functions and responsibilities. Conditional access overlays these roles with contextual filters. For instance, a nurse might normally have read/write access to patient records, but conditional policies could restrict access if the request comes from an unmanaged personal device or outside secure hospital Wi-Fi. This combination maintains RBAC’s simplicity in assignment, while greatly increasing flexibility and control.
Different groups and vendors often require tailored conditional access policies. Internal staff might receive minimal scrutiny when accessing sensitive systems from managed, on‑premises devices, while external vendors, even those assigned a privileged role, would face stricter conditions. For example, a third‑party vendor needing temporary access to a medical device system could be granted a vendor‑privileged access role, but only if their login uses multifactor authentication, originates from a registered device, and occurs within a specified time window. This not only enforces the principle of least privilege but also supports auditability and regulatory compliance by tightly defining “who, what, when, and how.”
Examples of conditional access span many scenarios:
- Network-based: Physicians accessing the EHR system on the hospital network bypass extra checks; remote access triggers multifactor authentication and device compliance verification.
- Time-based: A vendor’s privileged access role may only work during scheduled maintenance hours, with outside-window attempts blocked or requiring escalation.
- Device posture: Interns using unmanaged devices may have read-only access to non-PHI resources, whereas managed hospital tablets permit full EHR functionality.
- Geolocation: Access from outside the country can be blocked or routed through VPNs and additional authorization steps.
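The four scenarios above can be expressed as one policy check layered on an RBAC lookup. The following is an added example, not code from the original page or from any product; the role names, permission strings, maintenance window, home country and the choice to block foreign logins outright are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
# RBAC layer: role -> permissions from job function (constructed sample data).
ROLE_PERMISSIONS = {
    "physician": {"ehr:read", "ehr:write"},
    "intern": {"ehr:read", "ehr:write", "docs:read"},
    "vendor_privileged": {"meddevice:admin"},
}
PHI_PERMISSIONS = {"ehr:read", "ehr:write"}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))  # assumed vendor schedule
HOME_COUNTRY = "US"                            # assumed; foreign logins are blocked

@dataclass(frozen=True)
class Request:
    role: str
    permission: str
    when: datetime
    on_hospital_network: bool = True
    device_managed: bool = True   # also stands in for "registered device"
    mfa_passed: bool = False
    country: str = HOME_COUNTRY

def evaluate(req: Request) -> str:
    """Return 'allow', 'step_up' (MFA required first) or 'deny'."""
    # RBAC first: conditions can only narrow what the role already grants.
    if req.permission not in ROLE_PERMISSIONS.get(req.role, set()):
        return "deny"
    if req.country != HOME_COUNTRY:                      # geolocation
        return "deny"
    if req.role == "vendor_privileged":                  # time window + device + MFA
        start, end = MAINTENANCE_WINDOW
        if not (start <= req.when.time() < end) or not req.device_managed:
            return "deny"
        return "allow" if req.mfa_passed else "step_up"
    if not req.device_managed:                           # device posture
        if req.permission in PHI_PERMISSIONS or not req.permission.endswith(":read"):
            return "deny"
    if not req.on_hospital_network:                      # network-based
        if not req.device_managed:
            return "deny"
        if not req.mfa_passed:
            return "step_up"
    return "allow"

# Constructed sample requests: same role, different context, different outcome.
doctor = Request("physician", "ehr:write", datetime(2024, 1, 10, 12, 0))
vendor = Request("vendor_privileged", "meddevice:admin", datetime(2024, 1, 10, 2, 30), mfa_passed=True)
if __name__ == "__main__":
    for r in (doctor, replace(doctor, on_hospital_network=False), vendor):
        print(r.role, r.when.time(), "->", evaluate(r))
```

The RBAC lookup runs before any condition, so a contextual rule can only reduce what a role already grants and never adds a permission.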
These conditional access examples illustrate why a one‑size‑fits‑all access model is insufficient. Organizations handling sensitive data like patient records, financials, or intellectual property must differentiate between roles, adjust permissions according to environment, and manage access for both users and vendors securely and dynamically.
Conditional access strengthens RBAC by adding adaptive controls, reducing risk, improving compliance, and tailoring access to real-world use cases while preventing over-privileged accounts.