Qun Ni
Elisa Bertino
Jorge Lobo
ABSTRACT
Privacy has been acknowledged to be a critical requirement for many business (and non-business) environments. Therefore, the definition of an expressive and easy-to-use privacy related access control model, based on which privacy policies can be specified, is crucial. In this work we introduce a family of models (P-RBAC) that extend the well known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We also compare our work with access control and privacy policy frameworks such as P3P, EPAL, and XACML.
- The enterprise privacy authorization language(epal 1.1). IBM Zurich Research Laboratory, Switzerland. Available at http://www.zurich.ibm.com/security/enterprise-privacy/epal/.Google Scholar
- Amazon.com. Amazon privacy notice. Available at http://www.amazon.com/exec/obidos/tg/browse/-/468496/102-8997954-0573735.Google Scholar
- A. H. Anderson. A comparison of two privacy policy languages: Epal and xacml. In SWS '06: Proceedings of the 3rd ACM workshop on Secure web services, pages 53--60, New York, NY, USA, 2006. ACM Press. Google ScholarDigital Library
- A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. In SP '06: Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), pages 184--198, Washington, DC, USA, 2006. IEEE Computer Society. Google ScholarDigital Library
- A. Barth, J. C. Mitchell, and J. Rosenstein. Conflict and combination in privacy policy languages. In WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society, pages 45--46, New York, NY, USA, 2004. ACM Press. Google ScholarDigital Library
- Blizzard.com. Blizzard entertainment online privacy policy. Available at http://www.blizzard.com/privacy.shtml.Google Scholar
- J.-W. Byun and N. Li. Purpose based access control for privacy protection in relational database systems. The VLDB Journal The International Journal on Very Large Data Bases, Sep 2006. Google ScholarDigital Library
- R. Chandramouli. A framework for multiple authorization types in a healthcare application system. In ACSAC '01: Proceedings of the 17th Annual Computer Security Applications Conference, page 137, Washington, DC, USA, 2001. IEEE Computer Society. Google ScholarDigital Library
- eBay.com. ebay privacy policy. Available at http://pages.ebay.com/help/policies/privacypolicy.html.Google Scholar
- Federal Trade Commision. Children's online privacy protection act of 1998. Available at http://www.cdt.org/legislation/105th/privacy/coppa.html.Google Scholar
- D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224--274, 2001. Google ScholarDigital Library
- S. Fischer-Hubner. IT-security and privacy: design and use of privacy-enhancing security mechanisms. Springer-Verlag New York, Inc., New York, NY, USA, 2001. Google ScholarDigital Library
- Q. He. Privacy enforcement with an extended role-based access control model. NCSU Computer Science Technical Report TR-2003-09, February 28,2003. Google ScholarDigital Library
- G. Karjoth and M. Schunter. A privacy policy model for enterprises. In CSFW, pages 271--281, 2002. Google ScholarDigital Library
- OASIS. Core and hierarchical role based access control (rbac) profile of xacml v2.0. Available at http://www.oasis-open.org/.Google Scholar
- OASIS. extensible access control markup language (xacml) 2.0. Available at http://www.oasis-open.org/.Google Scholar
- OASIS. Hierarchical resource profile of xacml v2.0. Available at http://www.oasis-open.org/.Google Scholar
- OASIS. Privacy policy profile of xacml v2.0. Available at http://www.oasis-open.org/.Google Scholar
- Organisation for Economic Co-operation and Development. Oecd guidelines on the protection of privacy and transborder flows of personal data of 1980. Available at http://www.oecd.org/.Google Scholar
- C. S. Powers. Privacy promises, access control, and privacy management. In ISEC '02: Proceedings of the Third International Symposium on Electronic Commerce, page 13, Washington, DC, USA, 2002. IEEE Computer Society. Google ScholarDigital Library
- E. B. J. L. Qun Ni, Alberto Trombetta. Privacy aware role-based access control. CERIAS Technical Report.Google Scholar
- R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E.Youman. Role-based access control models. IEEE Computer, 29(2):38--47, 1996. Google ScholarDigital Library
- C. Shankar and R. Campbell. A policy-based management framework for pervasive systems using axiomatized rule-actions. In NCA '05: Proceedings of the Fourth IEEE International Symposium on Network Computing and Applications, pages 255--258, Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
- TRUSTe.org. An independent, nonprofit enabling trust based on privacy for personal information on the internet. Available at http://www.truste.org/.Google Scholar
- United State Department of Health. Health insurance portability and accountability act of 1996. Available at http://www.hhs.gov/ocr/hipaa/.Google Scholar
- U.S. Senate Committee on Banking, Housing, and Urban Affairs. Information regarding the gramm-leach-bliley act of 1999. Available at http://banking.senate.gov/conf/.Google Scholar
Index Terms
- Privacy-aware role based access control
Recommendations
Privacy-aware role-based access control
In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. ...
Privacy-Aware Role-Based Access Control
A privacy-aware role-based access control model extends RBAC to express highly complex privacy-related policies, including consideration of such features as conditions and obligations. Because it's based on the RBAC model, the full-fledged P-RBAC ...
Practical Role-Based Access Control
This article presents access control from a general and a role-based perspective. The article's focus is role based Access Control from a practical vice a theoretical perspective. The article starts with some access control definitions and two secure ...
Comments