Abstract
Access control is used in computer systems to control access to confidential data. In this thesis we focus on access control for dynamic collaborative environments where multiple users and systems access and exchange data in an ad hoc manner. In such environments it is difficult to protect confidential data using conventional access control systems, because users act in unpredictable ways.

In this thesis we propose a new access control framework, called Audit-based Compliance Control (AC2). In AC2 user actions are not checked immediately (a-priori), as in conventional access control, but users must account for their actions at a later time (a-posteriori), by providing machine-checkable justification proofs to auditors. The logical proofs are based on policies received from other users, and other logged actions. AC2 has a rich policy language based on first-order logic, and it features an automated audit procedure. AC2 allows users to exchange and access confidential data in an ad hoc manner, and thus collaborate more easily. Applied in a medical setting, for example, doctors would be able to continue their work, regardless of authorization issues such as missing patient consent, and missing or outdated policies. Doctors can deal with these issues at a later time. Although this unconventional approach may seem, at first sight, inappropriate for practical applications, recently a similar design choice has been made for the Dutch national infrastructure for the exchange of electronic health records (AORTA).

At the same time we are aware that it is a big step for organizations to change from a conventional access control mechanism (a-priori) to a new mechanism. In this thesis we also take a more conventional approach by proposing two extensions to Role-based Access Control (RBAC), an existing and widely used access control model. These extensions give users more ways of authorizing and deploying RBAC policy changes, thus favoring dynamic collaboration between users.

Original language | Undefined |
---|---|
Award date | 2 Dec 2009 |
Place of Publication | Enschede |
Print ISBNs | 978-90-365-2950-1 |
Publication status | Published - 2 Dec 2009 |
Keywords
- IR-68610
- METIS-264186
- EWI-16909