A Framework for Enforcement of Purpose Based Access Control

Date

2019-01-01

Department

Information Systems

Program

Information Systems

Rights

Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan through a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Current access control systems use static access control rules to enforce access to an object by checking appropriate permissions and then either granting or denying an access request. However, they are not flexible at all; therefore, they are unable to incorporate and respond to a purpose of finer granularity, such as when a user may wish to automatically limit access to a database when individuals have one or more suspected occurrences of mishandling personally identifiable information (PII) within an organization. The goal of this work is to create a purpose-based access control enforcement framework that adapts to changes in a system's environment based on the preferences of an information owner. This work enables adaptive enforcement of access control in a system by adjusting and responding to changes in one's environment based on a set of user preferences. This work also enables accurate stateful characterization of access control enforcement rules and gives users more fine-grained access control over a system compared to existing access control models. The impact of this work is an increase in the security outcomes of access control models and systems due to the incorporation of contextual personalization in the approach.