Privacy-aware role based access control

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Privacy-aware role based access control

Full text

Pdf (228 KB)

Source

Symposium on Access Control Models and Technologies archive
Proceedings of the 12th ACM symposium on Access control models and technologies table of contents

Sophia Antipolis, France

SESSION: Privacy management table of contents

Pages: 41 - 50

Year of Publication: 2007

ISBN:978-1-59593-745-2

Authors

Qun Ni	Purdue University
Alberto Trombetta	Insubria University, Italy
Elisa Bertino	Purdue University
Jorge Lobo	IBM T.J. Watson

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 17, Downloads (12 Months): 245, Citation Count: 4

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1266840.1266848 What is a DOI?

ABSTRACT

Privacy has been acknowledged to be a critical requirement for many business (and non-business) environments. Therefore, the definition of an expressive and easy-to-use privacy related access control model, based on which privacy policies can be specified, is crucial. In this work we introduce a family of models (P-RBAC) that extend the well known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We also compare our work with access control and privacy policy frameworks such as P3P, EPAL, and XACML.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	The enterprise privacy authorization language(epal 1.1). IBM Zurich Research Laboratory, Switzerland. Available at http://www.zurich.ibm.com/security/enterprise-privacy/epal/.
	2	Amazon.com. Amazon privacy notice. Available at http://www.amazon.com/exec/obidos/tg/browse/-/468496/102-8997954-0573735.
	3	Anne H. Anderson, A comparison of two privacy policy languages: EPAL and XACML, Proceedings of the 3rd ACM workshop on Secure web services, November 03-03, 2006, Alexandria, Virginia, USA [doi>10.1145/1180367.1180378]
	4	Adam Barth , Anupam Datta , John C. Mitchell , Helen Nissenbaum, Privacy and Contextual Integrity: Framework and Applications, Proceedings of the 2006 IEEE Symposium on Security and Privacy (S&P'06), p.184-198, May 21-24, 2006 [doi>10.1109/SP.2006.32]
	5	Adam Barth , John C. Mitchell , Justin Rosenstein, Conflict and combination in privacy policy languages, Proceedings of the 2004 ACM workshop on Privacy in the electronic society, October 28-28, 2004, Washington DC, USA [doi>10.1145/1029179.1029195]
	6	Blizzard.com. Blizzard entertainment online privacy policy. Available at http://www.blizzard.com/privacy.shtml.
	7	J.-W. Byun and N. Li. Purpose based access control for privacy protection in relational database systems. The VLDB Journal The International Journal on Very Large Data Bases, Sep 2006.
	8	R. Chandramouli, A Framework for Multiple Authorization Types in a Healthcare Application System, Proceedings of the 17th Annual Computer Security Applications Conference, p.137, December 10-14, 2001
	9	eBay.com. ebay privacy policy. Available at http://pages.ebay.com/help/policies/privacypolicy.html.
	10	Federal Trade Commision. Children's online privacy protection act of 1998. Available at http://www.cdt.org/legislation/105th/privacy/coppa.html.
	11	David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001 [doi>10.1145/501978.501980]
	12	Simone Fischer-Hubner, IT-security and privacy: design and use of privacy-enhancing security mechanisms, Springer-Verlag New York, Inc., New York, NY, 2001
	13	He, Q, Privacy Enforcement with an Extended Role-Based Access Control Model, North Carolina State University at Raleigh, Raleigh, NC, 2003
	14	Günter Karjoth , Matthias Schunter, A Privacy Policy Model for Enterprises, Proceedings of the 15th IEEE workshop on Computer Security Foundations, p.271, June 24-26, 2002
	15	OASIS. Core and hierarchical role based access control (rbac) profile of xacml v2.0. Available at http://www.oasis-open.org/.
	16	OASIS. extensible access control markup language (xacml) 2.0. Available at http://www.oasis-open.org/.
	17	OASIS. Hierarchical resource profile of xacml v2.0. Available at http://www.oasis-open.org/.
	18	OASIS. Privacy policy profile of xacml v2.0. Available at http://www.oasis-open.org/.
	19	Organisation for Economic Co-operation and Development. Oecd guidelines on the protection of privacy and transborder flows of personal data of 1980. Available at http://www.oecd.org/.
	20	C. S. Powers, Privacy Promises, Access Control, and Privacy Management, Proceedings of the Third International Symposium on Electronic Commerce, p.13, October 18-19, 2002
	21	E. B. J. L. Qun Ni, Alberto Trombetta. Privacy aware role-based access control. CERIAS Technical Report.
	22	Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996 [doi>10.1109/2.485845]
	23	Chetan Shankar , Roy Campbell, A Policy-based Management Framework for Pervasive Systems using Axiomatized Rule-Actions, Proceedings of the Fourth IEEE International Symposium on Network Computing and Applications, p.255-258, July 27-29, 2005 [doi>10.1109/NCA.2005.3]
	24	TRUSTe.org. An independent, nonprofit enabling trust based on privacy for personal information on the internet. Available at http://www.truste.org/.
	25	United State Department of Health. Health insurance portability and accountability act of 1996. Available at http://www.hhs.gov/ocr/hipaa/.
	26	U.S. Senate Committee on Banking, Housing, and Urban Affairs. Information regarding the gramm-leach-bliley act of 1999. Available at http://banking.senate.gov/conf/.

CITED BY 4

	Stefano Braghin , Alberto Coen-Porisini , Pietro Colombo , Sabrina Sicari , Alberto Trombetta, Introducing privacy in a hospital information system, Proceedings of the fourth international workshop on Software engineering for secure systems, p.9-16, May 17-18, 2008, Leipzig, Germany
	Qun Ni , Elisa Bertino , Jorge Lobo, An obligation model bridging access control policies and privacy policies, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
	Makoto Hatakeyama , Shigeyoshi Shima, Privilege federation between different user profiles for service federation, Proceedings of the 4th ACM workshop on Digital identity management, October 31-31, 2008, Alexandria, Virginia, USA
	Georgia M. Kapitsaki , Iakovos S. Venieris, PCP: privacy-aware context profile towards context-aware application development, Proceedings of the 10th International Conference on Information Integration and Web-based Applications & Services, November 24-26, 2008, Linz, Austria