PuRBAC: Purpose-Aware Role-Based Access Control

Several researches in recent years have pointed out that for the proper enforcement of privacy policies within enterprise data handling practices the privacy requirements should be captured in access control systems. In this paper, we extend the role-based access control (RBAC) model to capture privacy requirements of an organization. The proposed purpose-aware RBAC extension treats purpose its a. Central entity in RBAC. The model assigns permissions to roles based oil purpose related to privacy policies. Furthermore, the use of purpose as a separate entity reduces the complexity of policy administration by avoiding complex rules and applying entity assignments, coherent, with the idea followed by RBAC. Our model also supports conditions (constraints and obligations) with clear semantics for enforcement. and leverages hybrid hierarchies for roles and purposes for enforcing fine grained purpose and role based access control to ensure privacy protection.