Business Process-Based Legitimacy of Data Access Framework for Enterprise Information Systems Protection

  • Hind Benfenatki
  • Frédérique Biennier
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 327)


The European context is now introducing a new directive for data protection, which imposes new constraints on business owners who manipulate personal data. Among these constraints, when a disclosure of a user’s personal data occurs, the burden of proof now lies with business owners. In this context, data access has to be managed according to what is stated in the Terms of Service and logged in a way that makes it possible to prove whether or not a disclosure occurred. This work, part of the Personal Information Controller Service project, proposes a data-driven privacy control system based on Collaborative Usage Control (CUCON) that allows organizations to manage the access authorizations they provide to stakeholders. The proposed system intervenes in two contexts: ad-hoc business processes and the use of big data techniques. Indeed, new data usage introduces changes in usage-based models, since the systems used are usually distributed and involve several organizations, which can have different definitions for a given role. The framework manages the consistency between the data access rights already allowed and the rights that may be given to a business stakeholder according to the business process activity assigned to him/her. It also warns when a conflict occurs and when the aggregation of the rights granted to a given stakeholder leads to rights over sensitive data.


Usage-based access control; General data protection regulation; Ad-hoc business process; Big data analytics; Legitimacy of data access



This work is partly supported by the Personal Information Controller Service (PICS) project, co-sponsored by the French Secrétariat Général pour l’Investissement, the French Direction Générale des Entreprises and Bpifrance under the “Investissement d’avenir - Protection des données personnelles” grant.



Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. University of Lyon, CNRS, INSA-Lyon, LIRIS UMR 5205, Lyon, France
