ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
An obligation model bridging access control policies and privacy policies
Full text PdfPdf (486 KB)
Source
Symposium on Access Control Models and Technologies archive
Proceedings of the 13th ACM symposium on Access control models and technologies table of contents
Estes Park, CO, USA
SESSION: Obligations table of contents
Pages 133-142  
Year of Publication: 2008
ISBN:978-1-60558-129-3
Authors
Qun Ni  Purdue University
Elisa Bertino  Purdue University
Jorge Lobo  IBM T.J. Watson
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 17,   Downloads (12 Months): 200,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1377836.1377857
What is a DOI?

ABSTRACT

In this paper, we present a novel obligation model for the Core Privacy-aware Role Based Access Control (P-RBAC), and discuss some design issues in detail. Pre-obligations, post-obligations, conditional obligations, and repeating obligations are supported by the obligation model. Interaction between permissions and obligations is discussed, and efficient algorithms are provided to detect undesired effects.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Backes, B. Pfitzmann, and M. Schunter. A toolkit for managing enterprise privacy policies. In ESORICS, pages 162--180, 2003.
 
2
Adam Barth , Anupam Datta , John C. Mitchell , Helen Nissenbaum, Privacy and Contextual Integrity: Framework and Applications, Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.184-198, May 21-24, 2006  [doi>10.1109/SP.2006.32]
3
Elisa Bertino , Claudio Bettini , Elena Ferrari , Pierangela Samarati, An access control model supporting periodicity constraints and temporal reasoning, ACM Transactions on Database Systems (TODS), v.23 n.3, p.231-285, Sept. 1998  [doi>10.1145/293910.293151]
4
Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: A temporal role-based access control model, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.191-233, August 2001  [doi>10.1145/501978.501979]
 
5
C. Bettini , S. Jajodia , X. Wang , D. Wijesekera, Obligation Monitoring in Policy Management, Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), p.2, June 05-07, 2002
 
6
Claudio Bettini , Sushil Jajodia , X. Sean Wang , Duminda Wijesekera, Provisions and obligations in policy management and security applications, Proceedings of the 28th international conference on Very Large Data Bases, p.502-513, August 20-23, 2002, Hong Kong, China
 
7
Claudio Bettini , Sushil Jajodia , X. Sean Wang , Duminda Wijesekera, Provisions and obligations in policy management and security applications, Proceedings of the 28th international conference on Very Large Data Bases, p.502-513, August 20-23, 2002, Hong Kong, China
 
8
Claudio Bettini , Sushil Jajodia , X. Sean Wang , Duminda Wijesekera, Provisions and Obligations in Policy Rule Management, Journal of Network and Systems Management, v.11 n.3, p.351-372, September 2003  [doi>10.1023/A:1025711105609]
 
9
M. A. Brown. Conditional obligation and positive permission for agents in time. Nordic Journal of Philosophical Logic, 5(2):83--112, 2000.
 
10
Nicodemos Damianou , Naranker Dulay , Emil Lupu , Morris Sloman, The Ponder Policy Specification Language, Proceedings of the International Workshop on Policies for Distributed Systems and Networks, p.18-38, January 29-31, 2001
 
11
D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Obligations and their interaction with programs. In J. Biskup and J. Lopez, editors, ESORICS, volume 4734 of Lecture Notes in Computer Science, pages 375--389. Springer, 2007.
 
12
Federal Trade Commision. Children's online privacy protection act of 1998. Available at http://www.cdt.org/legislation/105th/privacy/coppa.html.
13
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
 
14
Pedro Gama , Paulo Ferreira, Obligation Policies: An Enforcement Platform, Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, p.203-212, June 06-08, 2005  [doi>10.1109/POLICY.2005.18]
 
15
M. Hilty, D. A. Basin, and A. Pretschner. On obligations. In S. D. C. di Vimercati, P. F. Syverson, and D. Gollmann, editors, ESORICS, volume 3679 of Lecture Notes in Computer Science, pages 98--117. Springer, 2005.
 
16
IBM Zurich Research Laboratory,Switzerland. The enterprise privacy authorization language(epal 1.1). Available at http://www.zurich.ibm.com/security/enterprise-privacy/epal/.
17
Keith Irwin , Ting Yu , William H. Winsborough, On the modeling and analysis of obligations, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1180405.1180423]
 
18
James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005  [doi>10.1109/TKDE.2005.1]
 
19
Lalana Kagal , Tim Finin , Anupam Joshi, A Policy Language for a Pervasive Computing Environment, Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p.63, June 04-06, 2003
 
20
Q. Ni, D. Lin, E. Bertino, and J. Lobo. Conditional privacy-aware role based access control. In ESORICS '07: Proceedings of the 12th European Symposium On Research In Computer Security, pages 72--89. Springer, 2007.
21
Qun Ni , Alberto Trombetta , Elisa Bertino , Jorge Lobo, Privacy-aware role based access control, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France  [doi>10.1145/1266840.1266848]
 
22
OASIS. extensible access control markup language (xacml) 2.0. Available at http://www.oasis-open.org/.
 
23
H. Prakken and M. J. Sergot. Contrary-to-duty obligations. Studia Logica, 57(1):91--115, 1996.
 
24
M. Sailer and M. Morciniec. Monitoring and execution for contract compliance. HPL-2001-261R1, HP LAB, HP. Available at http://www.hpl.hp.com/techreports/2001/HPL-2001-261R1.html.
 
25
P. Samarati, P. Y. A. Ryan, D. Gollmann, and R. Molva, editors. Computer Security - ESORICS 2004, 9th European Symposium on Research Computer Security, Sophia Antipolis, France, September 13-15, 2004, Proceedings, volume 3193 of Lecture Notes in Computer Science. Springer, 2004.
 
26
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
27
James Skene , Allan Skene , Jason Crampton , Wolfgang Emmerich, The monitorability of service-level agreements for application-service provision, Proceedings of the 6th international workshop on Software and performance, February 05-08, 2007, Buenes Aires, Argentina  [doi>10.1145/1216993.1216997]
 
28
United State Department of Health. Health insurance portability and accountability act of 1996. Available at http://www.hhs.gov/ocr/hipaa/.
 
29
U.S. Senate Committee on Banking, Housing, and Urban Affairs. Information regarding the gramm-leach-bliley act of 1999. Available at http://banking.senate.gov/conf/.
 
30
A. Uszok , J. Bradshaw , R. Jeffers , N. Suri , P. Hayes , M. Breedy , L. Bunch , M. Johnson , S. Kulkarni , J. Lott, KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement, Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p.93, June 04-06, 2003

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Access controls

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Management, Security, Standardization


Keywords:
obligation, policy, privacy, role based access control

Collaborative Colleagues:
Qun Ni: colleagues
Elisa Bertino: colleagues
Jorge Lobo: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player