Abstract
Typically, informational privacy aims to protect personal data from unauthorized access. In this paper, we propose to use the OrBAC model, enhanced with additional concepts, to model privacy policies. We take into account the concepts of consent, accuracy, purpose of the access and provisional obligation within a role-based access control model.
First, we focus on modelling the requirement of the data owner's consent before sensitive data is delivered. The subscriber defines that he must be notified before terminating the access. The access is delayed until this condition is satisfied.
On the other hand, the accuracy of sensitive data is usually underestimated within privacy models. We design an object hierarchy based on predefined accuracy levels. For this, we propose a derivation rule for sensitive objects. The data owner can thus define authorisations based on different object accuracies.
Furthermore, access control models usually permit access to stored data based on the role of the requester. We propose to extend this concept to take into account the purpose of the access. For this, we take advantage of the OrBAC user-declared context.
Finally, we propose in this work to model the provisional obligations that apply after personal information is accessed. Third parties must notify the data controller about further usage of the collected data.
To validate our approach, we show how the resulting model can be used to model the privacy policy for a location-based service. This can be applied within a mobile operator organization.
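The following sketch is an added illustration, not code or formalism from the paper: it shows how consent, purpose, accuracy-based derivation and a provisional obligation could combine in one OrBAC-style decision for a location request. All names, the accuracy grid sizes and the sample policy are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed accuracy levels: grid size in metres used to coarsen a position.
ACCURACY = {"exact": 0, "district": 1_000, "city": 10_000}

@dataclass(frozen=True)
class Permission:
    org: str
    role: str
    activity: str
    view: str
    purpose: str         # purpose the requester must declare
    accuracy: str        # accuracy level the data owner grants
    needs_consent: bool  # owner must be notified before release

@dataclass(frozen=True)
class Request:
    org: str
    role: str
    activity: str
    view: str
    purpose: str
    owner_notified: bool = False

def derive(position, level):
    """Derive the less accurate object by snapping (x, y) metres to a grid."""
    grid = ACCURACY[level]
    return position if grid == 0 else tuple(round(c / grid) * grid for c in position)

@dataclass
class Controller:
    policy: list
    obligations: list = field(default_factory=list)

    def decide(self, req, position):
        for p in self.policy:
            if (p.org, p.role, p.activity, p.view, p.purpose) != (
                    req.org, req.role, req.activity, req.view, req.purpose):
                continue  # rule or purpose context does not match
            if p.needs_consent and not req.owner_notified:
                return "pending", None  # delayed until the owner is notified
            # Provisional obligation recorded at access time.
            self.obligations.append((req.role, "report_further_usage"))
            return "permit", derive(position, p.accuracy)
        return "deny", None  # closed policy: nothing matched

# Constructed sample policy for a location-based service (hypothetical names).
POLICY = [Permission("operator", "lbs_provider", "read", "location", "navigation", "district", True)]
```

A request stays `pending` until the owner has been notified, is denied when the declared purpose differs, and on `permit` returns only the coarsened position while recording the obligation.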
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ajam, N., Cuppens-Boulahia, N., Cuppens, F. (2010). Contextual Privacy Management in Extended Role Based Access Control Model. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., Roudier, Y. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2009 2009. Lecture Notes in Computer Science, vol 5939. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11207-2_10
DOI: https://doi.org/10.1007/978-3-642-11207-2_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11206-5
Online ISBN: 978-3-642-11207-2
eBook Packages: Computer Science, Computer Science (R0)