Abstract
Organizational Information Systems (IS) collect, store, and manage personal and business data. Due to regulation laws and to protect the privacy of users, clients, and business partners, these data must be kept private. This paper proposes a model and a mechanism that allows defining access control policies based on the user profile, the time period, the mode and the location from where data can be accessed. The proposed policy model is simple enough to be used by a business manager, yet it has the flexibility to define complex restrictions. At runtime, a protection layer monitors data accesses and enforces existing policies. A prototype tool was implemented to run an experimental evaluation, which showed that the tool is able to enforce access control with minimal performance impact, while assuring scalability both in terms of the number of users and the number of policies.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bertino, E., Lin, D., Jiang, W.: A Survey of Quantification of Privacy Preserving Data Mining Algorithms. In: Aggarwal, C.C., Yu, P.S., Elmagarmid, A.K. (eds.) Privacy-Preserving Data Mining, vol. 34, pp. 183–205. Springer, US (2008)
Internet Engineering Task Force (IETF), http://www.ietf.org/ (accessed: September 07, 2012)
Bertino, E., Ghinita, G., Kamra, A.: Access Control for Databases: Concepts and Systems. Now Publishers Inc. (2011)
Sandhu, R.S.: Role-based Access Control. In: Advances in Computers, vol. 46, pp. 237–286. Elsevier (1998)
Ni, Q., Bertino, E., Lobo, J., Calo, S.B.: Privacy-Aware Role-Based Access Control. IEEE Security Privacy 7(4), 35–43 (2009)
OASIS eXtensible Access Control Markup Language (XACML) TC | OASIS, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (accessed: September 07, 2012)
Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)
Bernard Stepien, S.M.: Advantages of a non-technical XACML notation in role-based models, pp. 193–200 (2011)
Samarati, P., de, S., di Vimercati, C.: Access Control: Policies, Models, and Mechanisms. In: Foundations of Security Analysis and Design (Tutorial Lectures), pp. 137–196 (2001)
Bernard Stepien, S.M.: Advantages of a non-technical XACML notation in role-based models, pp. 193–200 (2011)
Turkmen, F., Crispo, B.: Performance evaluation of XACML PDP implementations. In: Proceedings of the 2008 ACM Workshop on Secure Web Services, New York, NY, USA, pp. 37–44 (2008)
Michael Butler, J.: Extending Role Based Access Control - A SANS Whitepaper, http://www.sans.org/reading_room/analysts_program/access-control-foxt.pdf (accessed: February15, 2013)
P3P: The Platform for Privacy Preferences, http://www.w3.org/P3P/ (accessed: September 04, 2012)
Byun, J.-W., Li, N.: Purpose based access control for privacy protection in relational database systems. The VLDB Journal 17(4), 603–619 (2008)
Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., Rjaibi, W.: Extending Relational Database Systems to Automatically Enforce Privacy Policies. In: Proceedings of the 21st International Conference on Data Engineering, Washington, DC, USA, pp. 1013–1022 (2005)
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: 28th Int’l Conference on Very Large Databases, Hong Kong (2002)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)
Arora, S., Song, E., Kim, Y.: Modified hierarchical privacy-aware role based access control model. In: Proceedings of the 2012 ACM Research in Applied Computation Symposium, New York, NY, USA, pp. 344–347 (2012)
Ni, Q., Bertino, E.: Conditional Privacy-Aware Role Based Access Control. Springer, Heidelberg (2007)
Beznosov, K.: Requirements for access control: US Healthcare domain. In: Proceedings of the Third ACM workshop on Role-based access control, New York, NY, USA (1998)
Bertino, E., Carminati, B., Ferrari, E.: Access control for XML documents and data. Inf. Secur. Tech. Rep., vol. 9, no 3, pp. 19–34 (July 2004)
Lu, Y., Zhang, L., Sun, J.: Task-activity based access control for process collaboration environments. Comput. Ind. 60(6), 403–415 (2009)
Tolone, W., Ahn, G.-J., Pai, T., Hong, S.-P.: Access control in collaborative systems. ACM Comput. Surv. 37(1), 29–41 (2005)
De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Databases in Networked Information Systems, pp. 225–237 (2005)
Regina Lúcia de Oliveira Moraes, http://www.ft.unicamp.br/~regina/Gerais/Request-database-administrator-detailed.pdf (Accessed: April 9, 2013)
Sybase XML Modeling PowerDesigner® 15.3, http://wwwdownload.sybase.com/pdfdocs/pdd1100e/xmug.pdf (accessed: April 09, 2013])
Zhu, H., Lü, K.: Fine-grained access control for database management systems. In: Proceedings of the 24th British National Conference on Databases, Berlin, Heidelberg, pp. 215–223 (2007)
ROLE-BASED ACCESS CONTROL A Position Statement, http://profsandhu.com/misc_pubs/nist/n94rbac.pdf (accessed: January 29, 2013)
Miseldine, P.L.: Automated XACML Policy Reconfiguration for Evaluation Otimisation. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems (SESS 2008), pp. 1–8. ACM, New York (2008)
TPC-W, http://www.tpc.org/tpcw/ (accessed: January 08, 2013)
Oracle | Hardware and Software, Engineered to Work Together, http://www.oracle.com/index.html (accessed: January 29, 2013)
Apache JMeter - Apache JMeterTM, http://jmeter.apache.org/ (accessed: January 09, 2013)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Basso, T., Antunes, N., Moraes, R., Vieira, M. (2013). An XML-Based Policy Model for Access Control in Web Applications. In: Decker, H., Lhotská, L., Link, S., Basl, J., Tjoa, A.M. (eds) Database and Expert Systems Applications. DEXA 2013. Lecture Notes in Computer Science, vol 8056. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40173-2_23
Download citation
DOI: https://doi.org/10.1007/978-3-642-40173-2_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40172-5
Online ISBN: 978-3-642-40173-2
eBook Packages: Computer ScienceComputer Science (R0)