Is It Privacy or Is It Access Control?

Is It Privacy or Is It Access Control?

Sylvia L. Osborn
Copyright: © 2014 |Pages: 8
DOI: 10.4018/978-1-4666-6158-5.ch004
(Individual Chapters)
No Current Special Offers


With the widespread use of online systems, there is an increasing focus on maintaining the privacy of individuals and information about them. This is often referred to as a need for privacy protection. The author briefly examines definitions of privacy in this context, roughly delineating between keeping facts private and statistical privacy that deals with what can be inferred from data sets. Many of the mechanisms used to implement what is commonly thought of as access control are the same ones used to protect privacy. This chapter explores when this is not the case and, in general, the interplay between privacy and access control on the one hand and, on the other hand, the separation of these models from mechanisms for their implementation.
Chapter Preview

Privacy Vs. Access Control In Computer Systems

In this section, we review some definitions of access control and privacy, in order to crystalize their similarities and differences. Because the discussion of access control is shorter, we proceed with it first, followed by some definitions of privacy, and finally highlight their similarities and differences.

Access Control

Access control deals with controlling who has what kind of access to various resources. The resources can be physical (that is a computer system) or strictly deal with data. The data can describe documents, inventory, shipping requisitions for a large company, allocation of university courses to classrooms, the destination of an aircraft carrier, etc. In other words, although a lot of data concerns individuals, there is also a lot of other data dealing with other things. There are three well-known access control models. In the first, Discretionary Access Control (DAC), data is owned by the individual computer user (e.g. personal files in Unix); in Mandatory Access Control (MAC), control is centralized and it is assumed that the enterprise owns (and labels) all the data. The third is Role-based Access Control (RBAC), where permissions are grouped into roles and roles are assigned as a unit to users. RBAC has been shown to be able to simulate both MAC and DAC, Osborn, Sandhu, & Munawer, (2000).

The basic components of an RBAC system are users (U) or subjects, permissions (P) which are pairs (o, a) where “o” represents an object to be protected and “a”, an access mode on this object. Roles (R) consist of a set of permissions, represented by a permission-role assignment (PRA). Users' membership in roles is represented by a user-role assignment (URA). Roles can be arranged in a hierarchy such that a senior role inherits the permissions of its junior(s), and members of a senior role are also members of its juniors.

Complete Chapter List

Search this Book: