3rd International ICST Symposium on Information Assurance and Security

Research Article

A Purpose-Based Access Control Model

@INPROCEEDINGS{10.1109/IAS.2007.29,
  author    = {Naikuo Yang and Howard Barringer and Ning Zhang},
  title     = {A Purpose-Based Access Control Model},
  booktitle = {3rd International ICST Symposium on Information Assurance and Security},
  year      = {2007},
  doi       = {10.1109/IAS.2007.29},
  keywords  = {Access control, Authorization, Computer science, Computer security, Data privacy, Data security, Information security, Information systems, Information technology, Protection}
}
Naikuo Yang (1,*), Howard Barringer (1,*), Ning Zhang (1,*)
  • 1: School of Computer Science, University of Manchester, Manchester, M13 9PL
*Contact email: yangn@cs.man.ac.uk, hbarringer@cs.man.ac.uk, nzhangg@cs.man.ac.uk


Achieving privacy preservation in a data-sharing computing environment is a challenging problem. The requirements of a privacy-preserving data access policy should be formally specified so that consistency can be established between the privacy policy and its purported implementation in practice. Previous work has shown that, when specifying a privacy policy, the notion of purpose should be used as the basis for access control: a privacy policy should ensure that data can only be used for its intended purpose, and the purpose of each access should be compliant with the data's intended purpose. This paper presents a mechanism for specifying a privacy policy using VDM (the Vienna Development Method). The entities of the purpose-based access control model are specified, the invariants corresponding to the privacy requirements of the policy are specified, and the operations of the model and their proof obligations are defined and investigated.