An obligation model bridging access control policies and privacy policies

Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Volumn , Issue , 2008, Pages 133-142

  Ni, Qun ^a   Bertino, Elisa ^a   Lobo, Jorge ^b  

^a PURDUE UNIVERSITY   (United States)

^b IBM T J WATSON RESEARCH CENTER   (United States)

Author keywords

Obligation; Policy; Privacy; Role based access control

Indexed keywords

CONTROL SYSTEMS; SECURITY SYSTEMS;

ACCESS CONTROL POLICIES; CONDITIONAL OBLIGATIONS; DESIGN ISSUES; EFFICIENT ALGORITHMS; OBLIGATION; POLICY; PRIVACY; PRIVACY POLICIES; ROLE BASED ACCESS CONTROL; ROLE-BASED ACCESS CONTROLS;

ACCESS CONTROL;

EID: 57349158498     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1377836.1377857     Document Type: Conference Paper

References (30)

1. M. Backcs, B. Pfitzmann, and M. Schuntcr. A toolkit for managing enterprise privacy policies. In ESORICS, pages 162-180, 2003.
2. A. Barlh, A. Datta, J. C. Mitchell, and H. Nissenhaum. Privacy and contextualintegrity: Framework and applications. In S&P, pages 184-198. IEEE Computer Society, 2006.
3. E. Bertino, C. Bellini, E. Ferrari, and P. Samarati. An access control model supporting periodicity constraints and temporal reasoning. ACM Trans. Database Syst, 23(3):231-285, 1998.
4. E. Bertino, P. A. Bonalli, and E. Ferrari. Trbae: A temporal role-based access control model. ACM Trans, Inf. Syst. Secur., 4(3):191-233, 2001.
5. C. Bellini, S. Jajodia, X. Wang, and D. Wijesekera. Obligation monitoring in policy management. In POLICY '02: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY'02), page 2, Washington, DC, USA, 2002. IEEE Computer Society.
6. C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Provisions and obligations in policy management and security applications. In VLDB '02: Proceedings of the 28th international conference on Very Large Data Bases, pages 502-513. VLDB Endowment, 2002.
7. C. Bettini, S. Jajodia. X. S. Wang, and D. Wijesekera. Provisions and obligations in policy management and security applications. In VLDB, pages 502-513. Morgan Kaufmann, 2002.
8. C. Bettini, S. Jajodia. X. S. Wang, and D. Wijesekera. Provisions and obligations in policy rule management. J. Network Syst. Manage., 11(3), 2003.
9. M. A. Brown. Conditional obligation and positive permission for agents in time. Nordic Journal of Philosophical Logic, 5(2):83-l 12, 2000.
10. N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The ponder policy specification language. In M. Sloman, J. Lobo, and E. Lupu, editors, POLICY, volume 1995 of Lecture Notes in Computer Science, pages 18-38. Springer, 2001.
11. D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Obligations and their interaction with programs. In J. Biskup and J. Lopez, editors, ESORICS. volume 4734 of Lecture Notes in Computer Science, pages 375-389. Springer, 2007.
12. Federal Trade Commision. Children's online privacy protection act of 1998. Available at http://www.cdt.org/legislation/105lh/privacy/coppa.html.
13. D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4(3):224-274, 2001.
14. J P. Garna and P. Ferreira. Obligation policies: An enforcement platform. In POLICY, pages 203-212. IEEE Computer Society, 2005.
15. M. Hilty, D. A. Basin, and A. Pretschner. On obligations. In S. D. C. di Vimereati, P. F. Syvcrson, and D. Gollmann, editors, ESORICS, volume 3679 of Lecture Notes in Computer Science, pages 98-117. Springer, 2005.
16. IBM Zurich Research Laboratory,Switzerland. The enterprise privacy authorization language(epal 1.1). Available at http://www.zurich.ibm.com/ security/enterprise-privacy/epal/.
17. K. Irwin, T. Yu, and W. H. Winsborough. On the modeling and analysis of obligations. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 134-143, New York, NY, USA, 2006. ACM.
18. J. Joshi, E. Bertino, U. Latif, and A. Ghafoor. A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng., 17(1):4-23, 2005.
19. L. Kagal, T. Finin, and A. Joshi. A policy language for a pervasive computing environment. In POLICY '03: Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, page 63, Washington, DC, USA, 2003. IEEE Computer Society.
20. Q- Ni, D. Lin, E, Bertino, and J. Lobo. Conditional privacy-aware role based access control. In ESORICS '07: Proceedings of the 12th European Symposium On Research In Computer Security, pages 72-89. Springer, 2007.
21. Q. Ni, A. Tromhetta. E. Bertino, and J. Lobo. Privcy aware role based access control. In SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies, New York, NY, USA, 2007. ACM Press.
22. OASIS, extensible access control markup language (xaeml) 2.0. Available at http://www.oasis-open.org/.
23. H. Prakken and M. J. Sergot. Contrary-to-duty obligations. Studia Logica, 57(1):91-115, 1996.
24. M. Sailer and M. Morciniec. Monitoring and execution for contract compliance. HPL-2001-261R1, HP LAB, HP. Available at http://www.hpl.hp.eom/ techreports/2001/HPL-2001-261Rl.htm.
25. P- Samarati, P. Y A. Ryan, D. Gollmann, and R. Molva, editors. Computer Security - ESORICS 2004, 9th European Symposium on Research Computer Security, Sophia Antipolis, France, September 13-15, 2004, Proceedings, volume 3193 of Lecture Notes in Computer Science. Springer, 2004.
26. R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38-47, 1996.
27. J. Skene, A. Skene, J. Cramplon, and W. Emmerich. The monitorabilily of service-level agreements for application-service provision. In V. Cortellessa, S. Uchitel, andD. Yankelevich, editors, WOSP, pages 3-14. ACM, 2007.
28. United State Department of Health. Health insurance portability and accountability act of 1996. Available at http://www.hhs.gov/ocr/hipaa/.
29. U.S. Senate Committee on Banking, Housing, and Urban Affairs. Information regarding the gramm-leach-bliley act of 1999. Available at http://banking. senate.gov/conf/.
30. A. Uszok, J. Bradshaw, R. Jeffers, N. Suri, P. Hayes, M. Breedy, L. Bunch, M. Johnson, S. Kulkarni, and J. Lott. Kaos policy and domain services: Toward a description-logic approach to policy representation, deconflietion, and enforcement, policy, 00:93, 2003.