
Privacy-aware role-based access control

Published: 30 July 2010

Abstract

In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. The key component of the framework is a family of models (P-RBAC) that extend the well-known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We formally define the notion of privacy-aware permissions and the notion of conflicting permission assignments in P-RBAC, together with efficient conflict-checking algorithms. The framework also includes a flexible authoring tool, based on the use of the SPARCLE system, supporting the high-level specification of P-RBAC permissions. SPARCLE supports the use of natural language for authoring policies and is able to automatically generate P-RBAC permissions from these natural language specifications. In the article, we also report performance evaluation results and contrast our approach with other relevant access control and privacy policy frameworks such as P3P, EPAL, and XACML.
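The abstract names the ingredients of a privacy-aware permission (purpose, condition, obligation) and a conflict check over permission assignments without spelling them out. The following Python sketch is an added illustration of those ideas, not the paper's formal definitions or code: it models an assignment as (role, action, data, purpose, condition, obligation), authorizes a request only when the purpose is bound to the permission, and flags two assignments for the same target whose conditions can hold simultaneously but whose obligations contradict. The equality-only conditions, the conflicting-obligation pairs and the sample policy are assumptions constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass
class PermissionAssignment:
    """Constructed P-RBAC-style assignment: role may perform action on data
    for a purpose, when condition holds, and must discharge obligation."""
    role: str
    action: str
    data: str
    purpose: str
    condition: dict   # context variable -> required value; {} means always true
    obligation: str

# Obligation pairs assumed to be mutually incompatible for this example.
CONFLICTING_OBLIGATIONS = {frozenset({"notify_owner", "no_notify"}),
                           frozenset({"retain_30d", "delete_immediately"})}

def target(p):
    return (p.role, p.action, p.data, p.purpose)
def conditions_can_cohold(c1, c2):
    """Conjunctive equality conditions are mutually exclusive only if they pin
    the same variable to different values."""
    return all(c1[v] == c2[v] for v in c1.keys() & c2.keys())

def conflicts(p1, p2):
    """Same target, conditions satisfiable together, contradictory obligations."""
    return (target(p1) == target(p2)
            and conditions_can_cohold(p1.condition, p2.condition)
            and frozenset({p1.obligation, p2.obligation}) in CONFLICTING_OBLIGATIONS)

def find_conflicts(assignments):
    return [(a, b) for a, b in combinations(assignments, 2) if conflicts(a, b)]

def authorize(assignments, role, action, data, purpose, context):
    """Return the obligations to enforce, or None when no assignment matches the
    request's role/action/data/purpose with a condition satisfied by context."""
    matching = [p for p in assignments
                if target(p) == (role, action, data, purpose)
                and all(context.get(v) == val for v, val in p.condition.items())]
    return sorted({p.obligation for p in matching}) if matching else None

# Constructed policy set; the third assignment conflicts with the second.
POLICY = [
    PermissionAssignment("nurse", "read", "patient_record", "treatment", {}, "log_access"),
    PermissionAssignment("marketer", "read", "email", "marketing", {"consent": "yes"}, "notify_owner"),
    PermissionAssignment("marketer", "read", "email", "marketing", {"region": "EU"}, "no_notify"),
    PermissionAssignment("marketer", "read", "email", "marketing", {"consent": "no"}, "no_notify"),
]
```

Running `find_conflicts(POLICY)` at authoring time reports the second and third assignments, which is the same pair that `authorize` would otherwise surface at runtime as two contradictory obligations for an EU data subject who has consented.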


Published in

ACM Transactions on Information and System Security, Volume 13, Issue 3 (July 2010), 253 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1805974

Copyright © 2010 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 30 July 2010
• Accepted: 1 February 2009
• Received: 1 January 2008
