A Framework for Modeling Privacy Requirements in Role Engineering

Privacy protection is important in many industries, such as healthcare and finance. Capturing and modeling privacy requirements in the early stages of system development is essential to provide high assurance of privacy protection to both stakeholders and consumers. This paper presents a framework for modeling privacy requirements in the role engineering process. Role engineering entails defining roles and permissions and assigning the permissions to the roles. It is the first step in implementing a Role-Based Access Control (RBAC) system and is essentially a Requirements Engineering (RE) process. The framework includes a data model and a goal-driven role engineering process. It seeks to bridge the gap between high-level privacy requirements and low-level access control policies by modeling privacy requirements as the contexts and obligations of RBAC entities and relationships. The framework is illustrated with a healthcare example.
