A conditional purpose-based access control model with dynamic roles

This paper presents a privacy-preserving access control model based on a variety of purposes. Conditional purposes are applied in the model alongside allowed purposes and prohibited purposes, which allows users to use some data for a certain purpose subject to conditions. The structure of the conditional purpose-based access control model is defined and investigated through dynamic roles. Access purposes are verified dynamically, based on subject attributes, context attributes, and authorization policies. Intended purposes are dynamically associated with the requested data object during the access decision. An algorithm is developed to compute compliance between access purposes and intended purposes, and it is illustrated with role-based access control (RBAC) in a dynamic manner to support conditional purpose-based access control. Under this model, more information can be extracted from data providers while still assuring privacy, which maximizes the usability of consumers' data. The model extends traditional access control models to cover privacy preservation in a data mining environment. The structure helps enterprises circulate clear privacy promises and collect and manage user preferences and consent.
