Abstract
Several studies in recent years have pointed out that, for privacy policies to be properly enforced within enterprise data handling practices, privacy requirements should be captured in access control systems. In this paper, we extend the role-based access control (RBAC) model to capture the privacy requirements of an organization. The proposed purpose-aware RBAC extension treats purpose as a central entity in RBAC. The model assigns permissions to roles based on the purposes related to privacy policies. Furthermore, the use of purpose as a separate entity reduces the complexity of policy administration by avoiding complex rules and applying entity assignments, consistent with the idea followed by RBAC. Our model also supports conditions (constraints and obligations) with clear semantics for enforcement, and leverages hybrid hierarchies for roles and purposes to enforce fine-grained purpose- and role-based access control that ensures privacy protection.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Masoumzadeh, A., Joshi, J.B.D. (2008). PuRBAC: Purpose-Aware Role-Based Access Control. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems: OTM 2008. OTM 2008. Lecture Notes in Computer Science, vol 5332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88873-4_12
DOI: https://doi.org/10.1007/978-3-540-88873-4_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88872-7
Online ISBN: 978-3-540-88873-4
eBook Packages: Computer Science, Computer Science (R0)