Abstract
European data protection regulation states that organisations must have data subjects’ consent to use their personally identifiable information (PII) for a variety of purposes. Solutions have been proposed which generally handle consent in a coarse-grained way, by means of opt in/out choices. However, we believe that consent’s representation should be extended to allow data subjects to express a rich set of conditions under which their PII can be used. In this paper we introduce and discuss an approach enabling the representation of consent as fine-grained preferences. To enforce such consent, we leverage and extend the current standard XACML architecture and framework. As data collectors maintain links between PII and associated preferences, preferences should also be considered as part of this PII. Therefore our solution prevents access control components from directly accessing any PII.
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kounga, G., Mont, M.C., Bramhall, P. (2010). Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation. In: Katsikas, S., Lopez, J., Soriano, M. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2010. Lecture Notes in Computer Science, vol 6264. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15152-1_14
DOI: https://doi.org/10.1007/978-3-642-15152-1_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15151-4
Online ISBN: 978-3-642-15152-1
eBook Packages: Computer Science (R0)