
Purpose based access control for privacy protection in relational database systems

  • Regular Paper

The VLDB Journal

Abstract

In this article, we present a comprehensive approach for privacy-preserving access control based on the notion of purpose. In our model, purpose information associated with a given data element specifies the intended use of that data element. A key feature of our model is that it allows multiple purposes to be associated with each data element and also supports explicit prohibitions, thus allowing privacy officers to specify that some data should not be used for certain purposes. An important issue addressed in this article is the granularity of data labeling, i.e., the units of data with which purposes can be associated. We address this issue in the context of relational databases and propose four different labeling schemes, each providing a different granularity. We also propose an approach to represent purpose information which results in low storage overhead, and we exploit query modification techniques to support access control based on purpose information. Another contribution of our work is that we address the problem of how to determine the purpose for which certain data are accessed by a given user. Our proposed solution relies on role-based access control (RBAC) models as well as the notion of conditional role, which is based on the notions of role attribute and system attribute.
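The following is an added example, not code from the paper, that sketches the three mechanisms the abstract names: a compact per-tuple label holding allowed and explicitly prohibited purposes, query modification that restricts a user's query to tuples whose label permits the access purpose, and a conditional-role rule that derives the access purpose from role and system attributes. It assumes tuple-level labeling, a bitmask encoding, the `customers` table, the purpose names and the role rule, all of which are constructed for illustration.

```python
import sqlite3

# Constructed purpose set; each purpose is one bit so a label is two small
# integers per tuple: ap = allowed purposes, pp = explicitly prohibited ones.
PURPOSES = {"marketing": 1 << 0, "billing": 1 << 1, "research": 1 << 2}

def label(allowed, prohibited=()):
    """Encode a purpose label as (ap, pp) bitmasks (low storage overhead)."""
    ap = sum(PURPOSES[p] for p in allowed)
    pp = sum(PURPOSES[p] for p in prohibited)
    return ap, pp

def rewrite_query(user_query, table, access_purpose):
    """Query modification: swap the base table for a derived table holding
    only tuples whose label permits, and does not prohibit, the purpose."""
    bit = PURPOSES[access_purpose]
    filtered = (f"(SELECT * FROM {table} WHERE (ap & {bit}) != 0 "
                f"AND (pp & {bit}) = 0) AS {table}")
    return user_query.replace(f"FROM {table}", f"FROM {filtered}", 1)

def access_purpose_for(role, role_attrs, system_attrs):
    """Conditional role (hypothetical rule): the purpose a session may use
    depends on a role attribute and a system attribute, not on role alone."""
    if (role == "analyst" and role_attrs.get("clearance") == "irb"
            and system_attrs.get("network") == "internal"):
        return "research"
    if role == "clerk":
        return "billing"
    return None  # no purpose can be established, so no access

def build_db():
    """In-memory table with constructed sample tuples and their labels."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, phone TEXT, ap INT, pp INT)")
    rows = [("alice", "555-0100") + label(["billing", "research"], ["marketing"]),
            ("bob", "555-0101") + label(["marketing", "billing"]),
            ("carol", "555-0102") + label(["research"])]
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", rows)
    return db

def query_as(db, access_purpose):
    """Run a user's query for the given access purpose after modification."""
    if access_purpose is None:
        return []
    q = "SELECT name FROM customers WHERE phone LIKE '555-%' ORDER BY name"
    return [r[0] for r in db.execute(rewrite_query(q, "customers", access_purpose))]

if __name__ == "__main__":
    db = build_db()
    purpose = access_purpose_for("analyst", {"clearance": "irb"}, {"network": "internal"})
    print(purpose, query_as(db, purpose))  # research ['alice', 'carol']
```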



Corresponding author

Correspondence to Ji-Won Byun.


Cite this article

Byun, JW., Li, N. Purpose based access control for privacy protection in relational database systems. The VLDB Journal 17, 603–619 (2008). https://doi.org/10.1007/s00778-006-0023-0
