Abstract
Privacy is considered critical for all organizations that need to manage individual-related information. As such, there is an increasing need for access control models which can adequately support the specification and enforcement of privacy policies. In this paper, we propose a model, referred to as Conditional Privacy-aware Role Based Access Control (P-RBAC), which supports expressive condition languages and flexible relations among permission assignments for more complex privacy policies. Efficient algorithms for detecting conflicts, redundancies, and indeterminism for a set of permission assignments are presented. In the paper we also extend Conditional P-RBAC to Universal P-RBAC by taking into account hierarchical relations among roles, data and purposes. In comparison with other approaches, such as P3P, EPAL, and XACML, our work has achieved both expressiveness and efficiency.
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ni, Q., Lin, D., Bertino, E., Lobo, J. (2007). Conditional Privacy-Aware Role Based Access Control. In: Biskup, J., López, J. (eds) Computer Security – ESORICS 2007. ESORICS 2007. Lecture Notes in Computer Science, vol 4734. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74835-9_6
DOI: https://doi.org/10.1007/978-3-540-74835-9_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74834-2
Online ISBN: 978-3-540-74835-9
eBook Packages: Computer Science (R0)