
Extending Role-based Access Control for Privacy Preservation in Academic Affairs System  

Kim, Bo-Seon (Korea Education and Research Information Service, Educational Administration Information Center)
Hong, Eui-Kyeong (University of Seoul, Department of Computer Science)
Abstract
RBAC (Role-Based Access Control) is an effective way of managing users' access to information objects in enterprise-level and e-government systems. The concept of RBAC is that access rights to objects in a system are not assigned directly to users but are assigned through membership of a role defined in an organization. RBAC is used to control the range of access to privacy data, but it does not support the individual's legal right of control over information or right of limited access to the self. Nor does it contain a way of observing the flow of privacy data as required at the legal level. In this paper, an extended RBAC model for protecting privacy is suggested and discussed. Two components, Data Right and Assigning Data Right, are added to the existing RBAC, and the definition of each component is redefined from the aspect of privacy preservation. Data Right in the extended RBAC represents the access right to privacy data. This component provides a way of controlling who can access which privacy data and ensures a limit on the quantity of privacy data accessed. Based on this extended RBAC, implemented examples are presented and the evaluation is discussed by comparing the existing RBAC with the extended RBAC.
Keywords
Database Security; RBAC (Role-Based Access Control); Privacy Preservation; Right of Control over Information; Right of Limited Access to the Self; E-government System
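To make the abstract's idea concrete, the following added example (written for this page, not code from the paper) models a role that carries ordinary RBAC permissions plus a Data Right bounding which privacy attributes it may read and how many distinct students one session may touch, with every attempt recorded as a privacy-flow audit entry. The role names, attribute names, limits and the shape of the Data Right are assumptions for illustration, not the paper's formal definitions.

```python
from dataclasses import dataclass
# Constructed sample records for an academic-affairs system (not real data).
STUDENTS = {
    "s001": {"grade": "A", "address": "1 Main St", "resident_id": "000000-0000001"},
    "s002": {"grade": "B", "address": "2 Main St", "resident_id": "000000-0000002"},
    "s003": {"grade": "C", "address": "3 Main St", "resident_id": "000000-0000003"},
}

@dataclass(frozen=True)
class DataRight:
    """Privacy-data right attached to a role (assumed shape, not the paper's)."""
    attributes: frozenset   # which privacy attributes the role may read
    max_subjects: int       # how many distinct students one session may touch

@dataclass
class Role:
    permissions: frozenset  # classic RBAC operation permissions on objects
    data_right: DataRight   # the added Data Right component

# Role definitions and user-to-role assignment (constructed).
ROLES = {
    "lecturer": Role(frozenset({"read_student"}),
                     DataRight(frozenset({"grade"}), max_subjects=2)),
    "registrar": Role(frozenset({"read_student", "update_student"}),
                      DataRight(frozenset({"grade", "address"}), max_subjects=100)),
}
USER_ROLES = {"alice": "lecturer", "bob": "registrar"}

class Session:
    """Per-user session that checks the RBAC permission and then the Data Right."""
    def __init__(self, user):
        self.user = user
        self.role = ROLES[USER_ROLES[user]]
        self.subjects_seen = set()
        self.audit = []  # privacy-flow record: (user, student, attribute, decision)

    def read(self, student_id, attribute):
        """Return the attribute value if allowed, else None; every attempt is audited."""
        dr = self.role.data_right
        if "read_student" not in self.role.permissions:
            decision = "deny:no-permission"
        elif attribute not in dr.attributes:
            decision = "deny:attribute-outside-data-right"
        elif student_id not in self.subjects_seen and len(self.subjects_seen) >= dr.max_subjects:
            decision = "deny:quantity-limit"
        else:
            decision = "allow"
            self.subjects_seen.add(student_id)
        self.audit.append((self.user, student_id, attribute, decision))
        return STUDENTS[student_id][attribute] if decision == "allow" else None
```

A plain RBAC check would stop at the permission test; the two extra branches are where the Data Right restricts which attributes and how many subjects a role can reach, and the audit list is the observable privacy flow.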