In this section, we review some definitions of access control and privacy, in order to crystallize their similarities and differences. Because the discussion of access control is shorter, we proceed with it first, followed by some definitions of privacy, and finally highlight their similarities and differences.
Access Control
Access control deals with controlling who has what kind of access to various resources. The resources can be physical (that is, a computer system) or strictly deal with data. The data can describe documents, inventory, shipping requisitions for a large company, allocation of university courses to classrooms, the destination of an aircraft carrier, etc. In other words, although a lot of data concerns individuals, there is also a lot of other data dealing with other things. There are three well-known access control models. In the first, Discretionary Access Control (DAC), data is owned by the individual computer user (e.g. personal files in Unix); in the second, Mandatory Access Control (MAC), control is centralized and it is assumed that the enterprise owns (and labels) all the data. The third is Role-based Access Control (RBAC), where permissions are grouped into roles and roles are assigned as a unit to users. RBAC has been shown to be able to simulate both MAC and DAC (Osborn, Sandhu, & Munawer, 2000).
The basic components of an RBAC system are users (U) or subjects, permissions (P) which are pairs (o, a) where “o” represents an object to be protected and “a”, an access mode on this object. Roles (R) consist of a set of permissions, represented by a permission-role assignment (PRA). Users' membership in roles is represented by a user-role assignment (URA). Roles can be arranged in a hierarchy such that a senior role inherits the permissions of its junior(s), and members of a senior role are also members of its juniors.
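The components just listed, as an added Python example that is not part of the paper: constructed sample users, roles and (object, access mode) permissions, with the user-role assignment (URA), the permission-role assignment (PRA) and a role hierarchy, so that a senior role's effective permissions include those of its juniors and a member of a senior role counts as a member of the juniors. All user, role and object names are made up for illustration.

```python
# Added example (not from the paper): a minimal model of the RBAC
# components described above: users U, permissions P = (o, a),
# roles R, the user-role assignment URA, the permission-role
# assignment PRA, and a role hierarchy in which a senior role
# inherits the permissions of its juniors. All names below are
# constructed sample data.
from collections import deque

# PRA: role -> set of permissions (object, access mode)
PRA = {
    "employee": {("handbook.pdf", "read")},
    "clerk":    {("inventory.db", "read"), ("inventory.db", "update")},
    "auditor":  {("inventory.db", "read"), ("ledger.db", "read")},
    "manager":  {("ledger.db", "write")},
}

# Role hierarchy: senior role -> set of its immediate junior roles
JUNIORS = {
    "clerk":   {"employee"},
    "auditor": {"employee"},
    "manager": {"clerk", "auditor"},
}

# URA: user -> set of directly assigned roles
URA = {
    "alice": {"manager"},
    "bob":   {"clerk"},
    "carol": {"employee"},
}


def roles_dominated(role):
    """The role itself plus every junior reachable through the hierarchy.
    A member of a senior role is thereby a member of all its juniors."""
    seen, queue = set(), deque([role])
    while queue:
        r = queue.popleft()
        if r in seen:
            continue
        seen.add(r)
        queue.extend(JUNIORS.get(r, ()))
    return seen


def effective_permissions(role):
    """Permissions of a role, including those inherited from its juniors."""
    perms = set()
    for r in roles_dominated(role):
        perms |= PRA.get(r, set())
    return perms


def user_roles(user):
    """All roles a user belongs to, directly via URA or through the hierarchy."""
    roles = set()
    for r in URA.get(user, ()):
        roles |= roles_dominated(r)
    return roles


def check_access(user, obj, access):
    """Grant iff some role the user holds carries the permission (obj, access)."""
    return any((obj, access) in effective_permissions(r) for r in URA.get(user, ()))


if __name__ == "__main__":
    for u in URA:
        print(u, sorted(user_roles(u)))
    # manager inherits clerk's update permission via the hierarchy
    print(check_access("alice", "inventory.db", "update"))
    # clerk is not senior to auditor, so no access to the ledger
    print(check_access("bob", "ledger.db", "read"))
```

The check walks the hierarchy from each directly assigned role downward, so the decision depends only on URA, PRA and the junior relation; an unknown user or an unassigned role simply yields no permissions rather than an error, which is the conservative default an access control check should have.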