Delegation of access rights in a privacy preserving access control model

Delegation is the process by which users of an access control model share their access rights. It facilitates the distribution of authority in the model and is also useful in collaborative environments. Despite these advantages, delegation may affect the security of the access control model: allowing users to share access rights without an administrator's control can be exploited by malicious users. Delegation may also result in privacy violations if it allows data to be accessed without the data provider's consent. Even when consent is obtained, privacy can still be violated if the data is used differently from what the data provider agreed to. Our work investigates data privacy in delegation. As a contribution, a privacy model is introduced that allows a data provider to set privacy policies stating how their data should be used by the different organizations or parties interested in it. Based on this setting, a delegation model is designed that takes the privacy policies into account when making delegation decisions and also sets the data usage criteria for the receivers of access rights. In addition to privacy policies, several delegation policies and constraints are used to control delegation operations. Delegation is studied both within a party and between two parties.
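The following is an added illustration of the idea in this abstract, written for this page and not taken from the thesis: a data provider's per-party privacy policies bound what a delegated right may be used for, a delegation policy restricts which party pairs may delegate to each other, and a hop-limit constraint bounds re-delegation. The purposes, parties, users and policy values are constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative model constructed for this example; the purposes,
# parties and users below are sample values, not from the thesis.
@dataclass(frozen=True)
class AccessRight:
    data: str            # data item identifier
    provider: str        # data provider whose privacy policy applies
    purposes: frozenset  # usage criteria attached to this right
    depth: int = 0       # delegation hops that produced this right

class DelegationModel:
    def __init__(self, privacy, party_of, partners, max_depth=1):
        self.privacy = privacy        # {(provider, party): consented purposes}
        self.party_of = party_of      # user -> party
        self.partners = partners      # delegation policy: allowed (src, dst) party pairs
        self.max_depth = max_depth    # delegation constraint: hop limit

    def delegate(self, delegator, delegatee, right, requested):
        """Narrowed right for the delegatee, or None if delegation is refused."""
        src, dst = self.party_of[delegator], self.party_of[delegatee]
        if delegator == delegatee or right.depth >= self.max_depth:
            return None
        if src != dst and (src, dst) not in self.partners:
            return None               # inter-party delegation not permitted
        consented = self.privacy.get((right.provider, dst), frozenset())
        # Receiver's usage criteria: bounded by what the delegator holds,
        # what the provider consented to for the receiver's party, and the request.
        allowed = right.purposes & consented & frozenset(requested)
        if not allowed:
            return None               # no consented purpose remains
        return AccessRight(right.data, right.provider, allowed, right.depth + 1)

# Constructed sample setting: alice consents to nothing for the marketing party.
PRIVACY = {("alice", "hospital"): frozenset({"treatment", "billing"}),
           ("alice", "insurer"): frozenset({"billing"})}
PARTY = {"dr_bob": "hospital", "nurse_eve": "hospital",
         "agent_ann": "insurer", "agent_ed": "insurer", "marketer_max": "marketing"}
MODEL = DelegationModel(PRIVACY, PARTY, {("hospital", "insurer"), ("hospital", "marketing")})
BOB_RIGHT = AccessRight("alice_record", "alice", frozenset({"treatment", "billing"}))

def run_scenarios():
    """Delegation within a party, between two parties, and two refusals."""
    inter = MODEL.delegate("dr_bob", "agent_ann", BOB_RIGHT, {"treatment", "billing"})
    return {
        "intra_party": MODEL.delegate("dr_bob", "nurse_eve", BOB_RIGHT, {"treatment"}),
        "inter_party": inter,          # insurer only consented to billing
        "no_consent": MODEL.delegate("dr_bob", "marketer_max", BOB_RIGHT, {"billing"}),
        "re_delegation": MODEL.delegate("agent_ann", "agent_ed", inter, {"billing"}),
    }
```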
