Law-Aware Access Control: About Modeling Context and Transforming Legislation

  • Michael Stieghahn
  • Thomas Engel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6284)


Cross-border access to a variety of data defines the daily business of many global companies, including financial institutions. These companies are obliged by law and need to fulfill security objectives specified by legislation. Therefore, they control access to prevent unauthorized users from using data. Security objectives, for example confidentiality or secrecy, are often defined in the widespread eXtensible Access Control Markup Language that promotes interoperability between different systems.

In this paper, we show the necessity of incorporating the requirements of sets of legislation into access control. To this end, we describe our legislation model, various types of contextual information, and their interrelationship. We introduce a new policy-combining algorithm that respects the different precedence of laws of different controlling authorities. Finally, we demonstrate how laws may be transformed into policies using the eXtensible Access Control Markup Language.



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Michael Stieghahn (1)
  • Thomas Engel (1)
  1. University of Luxembourg, Luxembourg
