Purpose-Based Access Control Policies and Conflicting Analysis

This paper proposes a purpose-based framework for supporting privacy-preserving access control policies and mechanisms. The mechanism enforces access policies on data containing personally identifiable information. The key component of the framework is the family of purpose-involved access control models (PAC), which provide full support for expressing highly complex privacy-related policies, taking into account features such as purposes and conditions. A policy refers to an access right that a subject can have on an object, based on attribute predicates, obligation actions, and system conditions. Policy conflicts may arise when new access policies are generated. The structure of purpose-involved access control policies is studied, and efficient conflict-checking algorithms are developed. Finally, a discussion of our work in comparison with other access control models and frameworks, such as EPAL, is presented.
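The following is an added worked example and is not code from the paper. It models the policy structure the abstract describes (subject attribute predicates, object, action, intended purposes, system conditions, obligations, permit/deny effect) and implements a pairwise conflict check of the kind the abstract says is run when a new policy is generated. Everything concrete is an assumption of this example: the purpose hierarchy, the representation of predicates as conjunctions of attribute-membership tests (which makes "can both predicates hold at once" decidable by set intersection), the deny-overrides and default-deny combining rules, and the constructed policies P1, P2 and P3.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed purpose hierarchy (an assumption of this example, not the paper's):
# granting a purpose grants every purpose beneath it, so "treatment" also
# covers "diagnosis" and "billing".
PURPOSE_TREE: Dict[str, Tuple[str, ...]] = {
    "general": ("marketing", "treatment", "admin"),
    "marketing": ("direct-mail", "third-party"),
    "treatment": ("diagnosis", "billing"),
    "admin": (), "direct-mail": (), "third-party": (), "diagnosis": (), "billing": (),
}


def expand(purposes) -> FrozenSet[str]:
    """Close a set of purposes under the hierarchy (each node plus its descendants)."""
    out, stack = set(), list(purposes)
    while stack:
        p = stack.pop()
        if p not in out:
            out.add(p)
            stack.extend(PURPOSE_TREE.get(p, ()))
    return frozenset(out)


# A predicate is a conjunction of membership tests: attribute -> admissible values.
Predicate = Dict[str, FrozenSet[str]]


@dataclass(frozen=True)
class Policy:
    name: str
    subject: Predicate          # attribute predicate on the requesting subject
    condition: Predicate        # system condition on the request context
    obj: str
    action: str
    purposes: FrozenSet[str]    # intended purposes, already expanded via expand()
    effect: str                 # "permit" or "deny"
    obligations: Tuple[str, ...] = ()


def holds(pred: Predicate, attrs: Dict[str, str]) -> bool:
    """A predicate holds when every constrained attribute has an admissible value."""
    return all(attrs.get(k) in vals for k, vals in pred.items())


def satisfiable_together(p: Predicate, q: Predicate) -> bool:
    """Some subject (or context) satisfies both predicates iff every attribute
    they both constrain admits a common value; attributes are assumed independent."""
    return all(p[k] & q[k] for k in p.keys() & q.keys())


def conflicts(p: Policy, q: Policy) -> bool:
    """Two policies conflict when one permits and the other denies the same
    object/action for an overlapping purpose, and some request could match both."""
    return (p.effect != q.effect and p.obj == q.obj and p.action == q.action
            and bool(p.purposes & q.purposes)
            and satisfiable_together(p.subject, q.subject)
            and satisfiable_together(p.condition, q.condition))


def find_conflicts(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Pairwise conflict scan over an existing policy set."""
    return [(p.name, q.name) for i, p in enumerate(policies)
            for q in policies[i + 1:] if conflicts(p, q)]


def check_new_policy(existing: List[Policy], new: Policy) -> List[str]:
    """Conflict check to run before admitting a newly generated policy."""
    return [p.name for p in existing if conflicts(new, p)]


def decide(policies, subject, obj, action, purpose, context):
    """Deny-overrides evaluation with default deny; permits return their obligations."""
    applicable = [p for p in policies
                  if p.obj == obj and p.action == action and purpose in p.purposes
                  and holds(p.subject, subject) and holds(p.condition, context)]
    if any(p.effect == "deny" for p in applicable):
        return "deny", ()
    permits = [p for p in applicable if p.effect == "permit"]
    if not permits:
        return "deny", ()
    return "permit", tuple(sorted({o for p in permits for o in p.obligations}))


# Constructed policies (assumptions of this example).
P1 = Policy("P1", {"role": frozenset({"nurse"})}, {"shift": frozenset({"day", "night"})},
            "patient.record", "read", expand({"treatment"}), "permit", ("log-access",))
P2 = Policy("P2", {}, {}, "patient.record", "read", expand({"marketing"}), "deny")
P3 = Policy("P3", {"role": frozenset({"nurse", "clerk"})}, {},
            "patient.record", "read", expand({"general"}), "permit")
POLICIES = [P1, P2]

if __name__ == "__main__":
    print(find_conflicts(POLICIES))                 # []
    print(check_new_policy(POLICIES, P3))           # ['P2']: "general" includes marketing
    print(decide(POLICIES, {"role": "nurse"}, "patient.record", "read",
                 "diagnosis", {"shift": "day"}))    # ('permit', ('log-access',))
```

The check is deliberately conservative: it reports a conflict whenever a request could satisfy both a permit and a deny, because P3's broad "general" purpose silently re-opens the marketing use that P2 forbids. A deployment would reject or narrow P3 before it joins the policy set rather than relying on deny-overrides at request time, which would leave the permitted subjects with an access right that can never actually be exercised.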
