A role-involved purpose-based access control model

Information Systems Frontiers

Abstract

This paper presents a role-involved purpose-based access control (RPAC) model, in which a conditional purpose is defined as the intention of data accesses or usages under certain conditions. RPAC allows users to use some data for a certain purpose under conditions (for instance, Tony agrees that his income information can be used for marketing purposes provided his name is removed). The structure of the RPAC model is investigated after defining access purposes, intended purposes and conditional purposes. An algorithm is developed with role-based access control (RBAC) to compute compliance between access purposes (related to data access) and intended purposes (related to data objects). Access purpose authorization and authentication in the RPAC model are studied with the hierarchical purpose structure. According to the model, more information can be extracted from data providers while still assuring privacy, which maximizes the usability of consumers’ data. The model extends role-based access control models to cover privacy preservation in database management systems by adopting purposes and conditional intended purposes, achieving fine-grained access control. The work in this paper helps enterprises to circulate a clear privacy promise, and to collect and manage user preferences and consent.
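The sketch below is an added illustration, not the paper's algorithm (which this page does not show). It models the abstract's Tony example as a decision over a purpose hierarchy. The purpose tree, the role table, the allowed/conditional/prohibited split and the compliance rule are all assumptions chosen for the example.

```python
# Constructed purpose tree (child -> parent); assumption, not from the paper.
PARENT = {
    "admin": "general", "marketing": "general", "purchase": "general",
    "direct-marketing": "marketing", "third-party-marketing": "marketing",
}

def ancestors(p):
    """Return p followed by every purpose above it in the tree."""
    out = [p]
    while p in PARENT:
        p = PARENT[p]
        out.append(p)
    return out

def covers(general, specific):
    """True when `specific` equals `general` or lies beneath it."""
    return general in ancestors(specific)

# Assumed role -> authorized access purposes; authorization flows down the tree.
ROLE_PURPOSES = {"marketer": {"marketing"}, "clerk": {"purchase"},
                 "auditor": {"admin"}}

# Assumed intended purposes attached to one data item by its provider.
INTENDED = {
    ("tony", "income"): {
        "allowed": {"admin"},
        "conditional": {"marketing": "remove name"},
        "prohibited": {"third-party-marketing"},
    },
}

def decide(role, access_purpose, item):
    """Return ('allow', None), ('conditional', condition) or ('deny', None)."""
    if not any(covers(a, access_purpose) for a in ROLE_PURPOSES.get(role, ())):
        return ("deny", None)      # role is not authorized for this purpose
    ip = INTENDED[item]
    # Assumed rule: a prohibition blocks the purpose, its descendants and its
    # ancestors, since a broader purpose could include the prohibited one.
    if any(covers(p, access_purpose) or covers(access_purpose, p)
           for p in ip["prohibited"]):
        return ("deny", None)
    if any(covers(a, access_purpose) for a in ip["allowed"]):
        return ("allow", None)
    for purpose, condition in ip["conditional"].items():
        if covers(purpose, access_purpose):
            return ("conditional", condition)
    return ("deny", None)          # default deny: no intended purpose matches
```

Under these assumptions a marketer asking for `direct-marketing` gets Tony's income only with the name removed, while the broader `marketing` purpose is refused because it would subsume the prohibited `third-party-marketing`.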



Corresponding author

Correspondence to Md. Enamul Kabir.


About this article

Cite this article

Kabir, M.E., Wang, H. & Bertino, E. A role-involved purpose-based access control model. Inf Syst Front 14, 809–822 (2012). https://doi.org/10.1007/s10796-011-9305-1


  • DOI: https://doi.org/10.1007/s10796-011-9305-1
