ABSTRACT
As privacy becomes a major concern for both consumers and enterprises, many research efforts have been devoted to the development of privacy protecting technology. We recently proposed a privacy preserving access control model for relational databases, where purpose information associated with a given data element specifies the intended use of the data element. In this paper, we extend our previous work to handle other advanced data management systems, such as the ones based on XML and the ones based on the object-relational data model. Another contribution of our paper is that we address the problem of how to determine the purpose for which certain data are accessed by a given user. Our proposed solution relies on the well-known RBAC model as well as the notion of conditional role, which is based on the notions of role attribute and system attribute.
Index Terms
- Purpose based access control of complex data for privacy protection