A Role-Involved Conditional Purpose-Based Access Control Model

  • Md. Enamul Kabir
  • Hua Wang
  • Elisa Bertino
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 334)


This paper presents a role-involved conditional purpose-based access control (RCPBAC) model, where a purpose is defined as the intention of data accesses or usages. RCPBAC allows users to use some data for a certain purpose with conditions. The structure of the RCPBAC model is defined and investigated. An algorithm is developed to achieve the compliance computation between access purposes (related to data access) and intended purposes (related to data objects) and is illustrated with role-based access control (RBAC) to support RCPBAC. According to this model, more information from data providers can be extracted while at the same time assuring privacy, which maximizes the usability of consumers’ data. It extends traditional access control models to a further coverage of privacy preservation in data mining environments, as RBAC is one of the most popular approaches to access control for achieving database security and is available in database management systems. The structure helps enterprises to circulate a clear privacy promise and to collect and manage user preferences and consent.


Access control, Conditional Purpose, Privacy



Copyright information

© IFIP 2010

Authors and Affiliations

  • Md. Enamul Kabir (1)
  • Hua Wang (1)
  • Elisa Bertino (2)
  1. Department of Mathematics & Computing, University of Southern Queensland, Toowoomba, Australia
  2. Department of Computer Science and CERIAS, Purdue University, West Lafayette, USA
