Governance Policies for Privacy Access Control and their Interactions

We propose the use of process-based access-control methods in the construction of privacy governance systems. Access constraints are specified by policies, but the governance model thus created is prone to interactions and inconsistencies. We show how UML can be used in order to represent the model and how the language Alloy and its model analyzer can be used to formally specify it and to detect interactions and inconsistencies. Examples are taken from the area of banking.

[1]  Craig Schlenoff,et al.  Using process requirements as the basis for the creation and evaluation of process ontologies for enterprise modeling , 1997, SIGG.

[2]  Tom Gray,et al.  Policy-enabled mechanisms for feature interactions: reality, expectations, challenges , 2004, Comput. Networks.

[3]  Stephan Reiff-Marganiec,et al.  A Policy Architecture for Enhancing and Controlling Features , 2003, FIW.

[4]  Patrick R. Gallagher A GUIDE TO UNDERSTANDING DISCRETIONARY ACCESS CONTROL IN TRUSTED SYSTEMS , 1987 .

[5]  Jeffrey O. Kephart,et al.  The Vision of Autonomic Computing , 2003, Computer.

[6]  David A. Basin,et al.  Model driven security for process-oriented systems , 2003, SACMAT '03.

[7]  Alan Bundy,et al.  Constructing Induction Rules for Deductive Synthesis Proofs , 2006, CLASE.

[8]  Gramm Leach Bliley Privacy Enforcement with an Extended Role-Based Access Control Model , 2006 .

[9]  Aditya Agrawal Model Based Software Engineering , Graph Grammars and Graph Transformations Area Paper , 2004 .

[10]  M. Hammer The Agenda: What Every Business Must Do to Dominate the Decade , 2001 .

[11]  Carole S. Jordan A Guide to Understanding Discretionary Access Control in Trusted Systems , 1987 .

[12]  Anne H. H. Ngu,et al.  Business-to-business interactions: issues and enabling technologies , 2003, The VLDB Journal.

[13]  Vladan Devedzic,et al.  Understanding ontological engineering , 2002, CACM.

[14]  Mira Mezini,et al.  Hybrid web service composition: business processes meet business rules , 2004, ICSOC '04.

[15]  Sara K. Kearns,et al.  The Agenda: What Every Business Must Do to Dominate the Decade , 2002 .

[16]  Alain Wegmann,et al.  Context based reasoning in business process models , 2003, Proceedings Fifth IEEE Workshop on Mobile Computing Systems and Applications.

[17]  Giorgio Bruno Model-based software engineering , 1994 .

[18]  Marco Pistore,et al.  Requirements-Driven Verification of Web Services , 2004, Electron. Notes Theor. Comput. Sci..

[19]  Daniel Amyot,et al.  Interactive conflict detection and resolution for personalized features , 2005, Journal of Communications and Networks.

[20]  Günter Karjoth,et al.  A privacy policy model for enterprises , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[21]  Brian Warboys Reflections on the Relationship Between BPR and Software Process Modelling , 1994, ER.

[22]  Sh Sunarno,et al.  Globalization and Information Technology : Forging New Partnerships in Public Administration , 2001 .

[23]  George M. Giaglis,et al.  Simulation of Business Processes , 1999 .

[24]  Veronika Thurner,et al.  A Formally Founded Description Technique for Business Processes , 1998, PDSE.