Abstract
This paper presents a role-involved conditional purpose-based access control (RCPBAC) model, where a purpose is defined as the intention of data accesses or usages. RCPBAC allows users to use some data for certain purposes with conditions. The structure of the RCPBAC model is defined and investigated. An algorithm is developed to compute the compliance between access purposes (related to data access) and intended purposes (related to data objects), and is illustrated with role-based access control (RBAC) to support RCPBAC. According to this model, more information can be extracted from data providers while at the same time assuring privacy, maximizing the usability of consumers’ data. It extends traditional access control models to cover privacy preservation in data mining environments, as RBAC is one of the most popular approaches to access control for achieving database security and is available in database management systems. The structure helps enterprises to circulate clear privacy promises and to collect and manage user preferences and consent.
Copyright information
© 2010 IFIP
About this paper
Cite this paper
Kabir, M.E., Wang, H., Bertino, E. (2010). A Role-Involved Conditional Purpose-Based Access Control Model. In: Janssen, M., Lamersdorf, W., Pries-Heje, J., Rosemann, M. (eds) E-Government, E-Services and Global Processes. EGES GISP 2010 2010. IFIP Advances in Information and Communication Technology, vol 334. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15346-4_13
DOI: https://doi.org/10.1007/978-3-642-15346-4_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15345-7
Online ISBN: 978-3-642-15346-4
eBook Packages: Computer Science, Computer Science (R0)