Extending SQL to Allow the Active Usage of Purposes

  • Wynand van Staden
  • Martin S. Olivier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4083)


The protection of private information revolves around the protection of data by making use of purposes. These purposes indicate why data is stored, and what the data will be used for (referred to as specification/verification phases).

In this article, the active specification of purposes during access requests is considered. In particular it is argued that the subject that wishes to get access to data should explicitly specify their reason for wanting the data; as opposed to verification taking place by implicit examination of the subject’s profile. To facilitate this active specification extensions to the SQL data manipulation language is considered.


Access Control Access Control Model Access Request Role Base Access Control Purpose Lattice 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: Proceedings of the 28th VLDB Conference, Hong Kong, China (2002)Google Scholar
  2. 2.
    Ashley, P., Hada, S., Karjoth, G.: E-p3p privacy policies and privacy authorisation. In: WPES 2002, Washington (November 2002)Google Scholar
  3. 3.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorisation language (EPAL 1.1). Tech. rep., International Business Machines Corporation (2003)Google Scholar
  4. 4.
    Bertino, E.: Data security. Data and Knowledge Engineering 25(2), 199–216 (1998)zbMATHCrossRefGoogle Scholar
  5. 5.
    Byun, J.-W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: SACMAT 2005, Stockholm, Sweden. ACM, New York (2005)Google Scholar
  6. 6.
    Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J.: The platform for privacy preferences (P3P1.0) specification. Tech. rep., W3C (2002), available at :
  7. 7.
    Fischer-Hübner, S.: IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms. Springer, Heidelberg (2001)zbMATHGoogle Scholar
  8. 8.
    Fischer-Hübner, S., Ott, A.: From a formal privacy model to its implementation. In: 21st National Information Systems Security Conference, Arlington, VA, USA (October 1998)Google Scholar
  9. 9.
    Griffiths, P.P., Wade, B.W.: An authorization mechanism for a relational database system. ACM Transactions on Database Systems (TODS) 1(3), 242–255 (1976)CrossRefGoogle Scholar
  10. 10.
    Hes, R., Borking, J. (eds.): Privacy Enhancing Technologies: The Road to Anonimity, revised ed., Dutch DPA (1998)Google Scholar
  11. 11.
    LeFevre, K., Agrawal, R., Ercegovac, V., Ramakrishnan, R., Xu, Y., DeWitt, D.: Limiting disclosure in hippocratic databases. In: 30th International Conference on Very Large Data Bases, Toronto, Canada (2004)Google Scholar
  12. 12.
    OASIS Access Control TC. OASIS extensible access control markup language (xacml) version 2.0. Tech. rep., OASIS (February 2005)Google Scholar
  13. 13.
    OECD: guidelines on the protection of privacy and transborder flows of personal data. Tech. rep., Organisation for Economic Co-operation and Development (1980)Google Scholar
  14. 14.
    Pirahesh, H., Hellerstein, J.M., Hasan, W.: Extensible/rule based query rewrite optimization in starburst. In: SIGMOD Conference on the Management of Data, San Diego, California. ACM, New York (1992)Google Scholar
  15. 15.
    Rosenthal, A., Sciore, E.: Extending SQL’s grant operation to limit privileges. In: Thuraisingham, B.M., van de Riet, R.P., Dittrich, K.R., Tari, Z. (eds.) Data and Application Security, Development and Directions, IFIP TC11/ WG11.3 Fourteenth Annual Working Conference on Database Security, pp. 209–220. Kluwer, Dordrecht (2000)Google Scholar
  16. 16.
    van Staden, W.J., Olivier, M.S.: Purpose organisation. In: Proceedings of the Fifth Annual Information Security South Africa (ISSA) Conference, Sandton, Johannesburg, South Africa (June 2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Wynand van Staden
    • 1
  • Martin S. Olivier
    • 1
  1. 1.Information and Computer Security Architecture Research GroupUniversity of PretoriaPretoriaSouth Africa

Personalised recommendations