Access control model based on trust, purpose, and role for protecting the privacy

Data privacy is one of the fundamental needs of the people. In a computing environment, there are various issues of data privacy protection in the enterprise. To enforce the automation of privacy policies and law, access control has been one of the most devoted subjects which to protect customers' data by preventing unauthorized access to the resources of the system. A fine-grained access control called Role-based access control (RBAC) model has been proposed to protect customer's data. However, relying on role only is insufficient and inefficient to protect data especially sensitive attributes, and this may cause risks of privacy disclosure to unauthorized and untrusted users. We present a finer-grained access control called Trust, Purpose, and Role-Based Access Control (TPRBAC) model to efficiently protect data particularly sensitive attributes. In the proposed model, purpose and role is applied to permit access to data, while trust is applied to control access to sensitive attributes. A prototype system is developed and tested, and the result shows sensitive attributes are protected. Experiments are also conducted to validate the proposed model, and the results show that the proposed work is efficient and improved privacy protection. Therefore, the proposed model solves the issue of insufficient and inefficient access control mechanism in protecting data especially sensitive attributes.