Privacy Control Using GRBAC In An Extended Role-Based Access Control Model

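  • 박종화 (Department of Software, Semyung University)
  • 김지홍 (Department of Information Security, Semyung University)
  • 김동규 (Division of Computer Engineering, Ajou University)
  • Published: 2005.03.01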

Abstract

Privacy enforcement has become one of the most important problems in the IT area. Privacy protection can be achieved by enforcing privacy policies within an organization's online and offline data processing systems. Traditional security models are more or less inappropriate for enforcing basic privacy requirements such as purpose binding. This paper proposes a new approach in which a privacy control model is derived by integration with an existing security model, so that it can be applied easily. As the existing security mechanism, we use an extended role-based access control model that provides context-based access control by combining RBAC and domain-type enforcement. To implement the privacy control model we use GRBAC (Generalized Role-Based Access Control), which is expressive enough to deal with privacy preferences and is used here to enforce purpose binding expressed as a privacy preference. A small hospital model is considered as an application of this model.
