Group-Based Discretionary Access Control in Health Related Repositories

Group-Based Discretionary Access Control in Health Related Repositories

João Zamite (LaSIGE, Faculty of Sciences, University of Lisbon, Lisbon, Portugal), Dulce Domingos (LaSIGE, Faculty of Sciences, University of Lisbon, Lisbon, Portugal), Mário J. Silva (IST/INESC-ID, University of Lisbon, Lisbon, Portugal) and Carlos Santos (LaSIGE, Faculty of Sciences, University of Lisbon, Lisbon, Portugal)
Copyright: © 2014 |Pages: 17
DOI: 10.4018/jitr.2014010106


The authors introduce a group-based discretionary access control with decentralized permission and group management for scientific repositories. Currently, access control approaches for repositories have inflexible centralized administrations, which do not scale well to large numbers of users. Moreover, discretionary access control is a legal standard for health-related resources. The proposed access control model, which is formalized using Barker's Unifying Meta-model, differentiates permissions for data and meta-data, enabling the sharing of meta-data while protecting sensitive data. The authors describe how the model was implemented, and what challenges were tackled, in the Epidemic Marketplace, an open software information platform for epidemic studies, designed to foster cooperative behavior and data sharing.
Article Preview

1. Introduction

Access control is an important component of information security to protect data from unauthorized access. It is therefore linked to trust, privacy and data integrity (Herzberg, Mass, Mihaeli, Naor, & Ravid, 2002).

The recent explosion in produced data in every field of science has resulted in the emergence of highly data-driven sciences. These sciences, in turn, also generate new data resources adding to the increasing complexity of storing, managing and sharing this data. Therefore, in order to cope with this ''data tsunami'', adequate information platforms are necessary that can deal with the increased volume, scale and complexity related to managing, preserving and sharing these data. In 2010, the Riding the Wave report identified the need for an e-infrastructure for data management enabling seamless access, re-use and trust of data (Wood et al., 2010). The authors present challenges to improve scientific discovery and support collaboration across disciplinary and geographical boundaries. These challenges include: data preservation and curation; linking people and data; describing data through adequate metadata and semantics for data discovery; enabling interoperability and data exchange across scientific domains; and establishing trust through adequate authentication and authorization platforms.

The Epidemic Marketplace (EM) is an information platform that aims to address the above challenges in the epidemiology domain (Lopes et al., 2010). It stores and manages health-related resources, including sensitive data, such as epidemic incidence datasets (see A major challenge to platforms like the Epidemic Marketplace is that the data is often sensitive in nature and must therefore be under adequate access control mechanisms. While some previous approaches hint towards giving resource owners more control over their resources, the standard practice for managing sensitive health-related resources is to give this responsibility to the resource owner. In some countries, this is also a legal requirement (European Commission, 1995, 2012). Therefore, there is the need to empower resource owners in the EM to control who has access to their resources.

Scientific communities, as other publishing communities, have previously adopted several approaches for access control. Some provide variations of Role-Based Access Control (Ferraiolo, Sandhu, Gavrila, Kuhn, & Chandramouli, 2001). However, such approaches are tailored to specific organizational needs and limited to administrator created roles. They do not adequately address the sharing needs of typical scientific resource creators, particularly in a vast user community where every user is potentially a dataset generator. Furthermore, permission and role assignment become increasingly complex as the number of roles required by users increase.

Other access control approaches explore the necessity of user-groups for larger granularity in user permissions (Chan, 2004; Kapica, 2014). However, while providing valuable insight into the problem of group-based access control, they continue to rely on administrators for the creation of user groups, and user-group assignments, in a similar way to POSIX access control lists (Grunbacher & Nuremberg, 2003). These group-based approaches vary on permission assignment, some of them demanding it to be done by users with administrative roles, while others give this responsibility to resource owners or creators.

We adopt a decentralized and discretionary approach over permission assignment as well as in the management of user groups. Additionally, our access control model includes an object structure that separates data from meta-data, enabling the search of resources without exposing sensitive data.

In this paper, we explore the implementation of access control mechanisms from these technologies enabling users to share their created resources while protecting sensitive data. We identify the access control requirements of an epidemiological resource repository and propose a group-based approach to access control over repository resources, which could also be used in similar scientific environments.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 12: 4 Issues (2019): 1 Released, 3 Forthcoming
Volume 11: 4 Issues (2018)
Volume 10: 4 Issues (2017)
Volume 9: 4 Issues (2016)
Volume 8: 4 Issues (2015)
Volume 7: 4 Issues (2014)
Volume 6: 4 Issues (2013)
Volume 5: 4 Issues (2012)
Volume 4: 4 Issues (2011)
Volume 3: 4 Issues (2010)
Volume 2: 4 Issues (2009)
Volume 1: 4 Issues (2008)
View Complete Journal Contents Listing