IJRIT International Journal of Research in Information Technology, Volume 1, Issue 7, July 2014, Pg. 332-340

International Journal of Research in Information Technology (IJRIT)
www.ijrit.com
ISSN 2001-5569

Purpose Based Access Control: an Approach towards Privacy Preserving in Relational Database
MD Arif, Pushpalatha S, Henin Roland Karkada, Sunil Saumya, Shilpa V
M.Tech in Computer Network & Engineering
Center for PG Studies VTU, Belgaum, Karnataka, India
arifmohammed2012@gmail.com
Professor, Department of Computer Network & Engineering
Center for PG Studies VTU, Belgaum, Karnataka, India
pushpalatha@vtu.ac.in
M.Tech Student, Department of Computer Science and Engineering
Center for PG Studies VTU, Belgaum, Karnataka, India
henin.roland@gmail.com
M.Tech in Computer Network & Engineering
Center for P.G Studies VTU, Belgaum, Karnataka, India
sunil.saumya@gmail.com
M.Tech in Computer Network & Engineering
Center for PG Studies VTU, Belgaum, Karnataka, India
shilpav92@gmail.com

Abstract
Since the rise of the internet, the privacy of information has been a central concern, and controlling who may access that information is the core problem of privacy preservation. Existing systems grant access purely on the basis of roles. To address subjects being granted more data than they need, Purpose Based Access Control is proposed. The system also lets the client restrict how much of their personal information is exposed to the subjects who request it in order to process a query. It can be seen as a next-generation access control: it enables finer-grained access control for the subjects who want to access information, and grants access according to the purpose for which the data is needed. This work provides a foundation for developing appropriate security solutions that secure an organization's information.
Keywords: IP, AIP, PIP, Access, Policy, Purpose.

1. Introduction
Current information technology lets users perform their business tasks virtually anytime and anywhere, and also stores all kinds of information that clients reveal during those activities. Demand for more effective healthcare services is increasing, and e-healthcare service portals hold a great deal of useful and sensitive information about their users. This private information can be collected and stored by a malicious user and then used against its owner without consent. E-healthcare centres give users good information about medical issues, but they carry risk because they hold very large amounts of data, gathered internationally, in order to provide accurate service. The risk grows with the data, especially where patient information, the most private kind, is concerned, so securing privacy is a major concern. In the proposed system, privacy is maintained according to the purposes defined by the service provider. Policies should be created so that no single user of the data can derive any private information from it.

MD Arif, IJRIT, 332

1.1 Purpose Based Access Control Model

In general, access control permits access to resources according to an identity (authentication) and the privileges associated with it (authorization). A brief description of access control and the different authorization models follows. The traditional access control model only checks whether the user holds authorization rights for the particular data object or resource; it does not ask why the access is being made.

1.2 Defining Purpose

A purpose is defined in a policy that states which kind of data may be used for which particular purpose, and the purpose itself directly dictates how access to a particular data object is controlled. Purposes usually stand in a hierarchical relationship to one another, which helps to organize them and simplifies their management, since a policy stated for a general purpose can cover the more specific purposes beneath it.

1.3 Core components of the proposed model

The core components are Subject, Subject attributes, Object, Object attributes, Rights, Obligations, Authorization and Condition. Authorization, Obligation and Condition are the control decision components, as shown in Figure 1. Based on the subject and object attributes, the control decision of the proposed system permits or denies the authorization rights for the particular user. An Obligation states the requirements the user must fulfil either before or during the access. A Condition specifies a restriction imposed by the system environment for security purposes.

Figure.1 Components of Purpose Based Access Control Model

1.4 Problem Statement

Existing systems grant employees access through role based access control, so employees get access to more data than they need to perform a specific task. Even though clients sign an SLA with the service provider, they have no guarantee that their data is actually protected. Clients should be able to know how much of their data is exposed to employees.


1.5 Objective
In this paper, data users (employees) are restricted according to the purpose defined by the admin of the service provider in order to process the client's query. The client should also be able to restrict how much of their data these employees can access.

2. Proposed System
The proposed Purpose Based Access Control gives the user or customer the option to restrict their personal data according to their own privacy policy. The admin then decides the access policies for the employees, and also writes the purpose definition, which states how much data each purpose needs.
Access is then decided from three things: the IP (intended purpose, the purpose definition), the AIP (allowed intended purpose, the access policy) and the PIP (prohibited intended purpose, the privacy policy). A compliance check is run across the three, and the employee gets access only to what remains; in this way the client's privacy is preserved to a large extent.

2.1 Advantages of Proposed system

It is a finer-grained access control system. The user keeps control over their privacy policy and can directly limit how the service provider's employees use their data. The admin defines the access policy for each type of employee and finally defines the purposes. An employee gets access according to the outcome of the compliance check.

2.2 Algorithm
Input: Subject s requests right r on object o with access purpose pu
Output: Accept or deny access
Method
1) Verify the compliance between ip and pu: if ip is allowed by aip and not prohibited by pip, go to the next step; otherwise the access purpose is not compliant and ACCESS is denied;
2) endif;
3) Verify pre-authorization;
4) if preA(ATT(s), r) = false, pre-authorization has failed:
5) ACCESS denied;
6) endif;
7) Record the subject, object and purpose (SOP) of the access; subjects with a compliant access purpose can access the private information;
8) ACCESS accepted;
Verify ongoing authorization
9) if onA(ATT(s), ATT(o), ip, r) = false, ongoing authorization has failed and no further verification is needed:
10) Application denied;
11) endif;
12) if ip no longer covers pu (ip > pu), the access purpose is no longer compliant:
13) Application denied;
otherwise subjects with a compliant access purpose can continue to access the private information.
The algorithm above shows how access to an object can be controlled or restricted according to the purpose for which the subject wants to access the data.
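The compliance check of the algorithm above, combined with the purpose hierarchy of section 1.2, as an added Python example (not code from the paper). The purpose tree, record fields, roles, rights and the two policies are constructed for illustration; the paper defines IP, AIP and PIP but not their concrete contents. The example goes slightly beyond the text in one respect: the client's privacy policy withholds individual record fields as well as whole purposes, so that "what remains" after the check is computed explicitly.

```python
"""Compliance check between IP, AIP and PIP with a purpose hierarchy.

Added example: the purposes, record fields, roles, rights and policies
below are constructed for illustration and are not taken from the paper.
"""
from dataclasses import dataclass

# Constructed purpose hierarchy, parent -> children. "General" is the root;
# allowing or prohibiting a purpose also covers everything beneath it.
PURPOSE_TREE = {
    "General": ("Treatment", "Admin"),
    "Treatment": ("Diagnosis", "Prescription"),
    "Admin": ("Billing", "Marketing"),
}

# IP, the purpose definition written by the admin: which record fields each
# purpose needs in order to process a query (constructed).
IP = {
    "Diagnosis": {"name", "symptoms", "history"},
    "Prescription": {"name", "allergies"},
    "Billing": {"name", "address", "insurance_id"},
    "Marketing": {"name", "address"},
}

# AIP, the access policy: purposes each employee role may act under, and the
# rights (r) each role holds (constructed).
AIP = {"doctor": {"Treatment"}, "clerk": {"Billing"}}
RIGHTS = {"doctor": {"read", "download"}, "clerk": {"read"}}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str


@dataclass(frozen=True)
class PrivacyPolicy:
    """PIP, written by the client: purposes they refuse and fields they never expose."""
    prohibited: frozenset
    withheld: frozenset


def descendants(purpose):
    """The purpose itself plus every purpose below it in the hierarchy."""
    seen, stack = set(), [purpose]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(PURPOSE_TREE.get(p, ()))
    return seen


def closure(purposes):
    """Expand a set of purposes down the hierarchy."""
    out = set()
    for p in purposes:
        out |= descendants(p)
    return out


def compliant(pu, allowed, prohibited):
    """Step 1: pu must be allowed by AIP and not prohibited by PIP."""
    return pu in closure(allowed) and pu not in closure(prohibited)


def pre_authorize(subject, right):
    """Steps 3-4: preA(ATT(s), r), here simply 'the role holds the right'."""
    return right in RIGHTS.get(subject.role, set())


def decide(subject, pu, right, pip):
    """Run the check once; return ("ACCESS", fields) or ("DENY", reason).

    The fields granted are what remains of the purpose definition IP[pu]
    after the client's privacy policy has withheld its share.
    """
    if pu not in IP:
        return ("DENY", "undefined purpose")
    if not compliant(pu, AIP.get(subject.role, set()), pip.prohibited):
        return ("DENY", "access purpose not compliant")
    if not pre_authorize(subject, right):
        return ("DENY", "pre-authorization failed")
    remaining = IP[pu] - pip.withheld
    if not remaining:
        return ("DENY", "nothing remains after the privacy policy")
    return ("ACCESS", frozenset(remaining))


def ongoing(subject, pu, right, pip):
    """Steps 9-13: re-evaluate during the session with the policies as they
    stand now; a client tightening their PIP ends a running access."""
    return decide(subject, pu, right, pip)[0] == "ACCESS"


if __name__ == "__main__":
    alice = Subject("alice", "doctor")
    consent = PrivacyPolicy(frozenset({"Marketing"}), frozenset({"address"}))
    print(decide(alice, "Diagnosis", "read", consent))
    # The client later prohibits all treatment purposes: the ongoing check fails.
    revoked = PrivacyPolicy(frozenset({"Treatment"}), frozenset())
    print(ongoing(alice, "Diagnosis", "read", revoked))
```

Because AIP and PIP are both expanded down the hierarchy, allowing a doctor the "Treatment" purpose admits "Diagnosis", while a client who prohibits "Treatment" blocks "Diagnosis" as well; a deny from the client's policy wins over the admin's access policy, which is the ordering the paper's compliance check implies.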

2.3 Modules
1) Authorization
2) Cryptography
3) Purpose definition
4) Policies
5) Compliance check.


1) Authorization
Whenever a subject needs access to the data, authorization is granted to the subject on the basis of the compliance check.
2) Cryptography
Cryptography here consists of encryption and decryption; AES (Advanced Encryption Standard) is the technique used for both. A record is encrypted as soon as the client enters it, and only an employee with read access decrypts it, so the read right is enforced by controlling who can obtain the decryption key; that key must stay out of the admin's reach for the admin to remain unable to see the details.
3) Purpose definition
The admin defines the purpose, that is, the access rights required to process particular data or a particular query; this is also known as the intended purpose (IP).
4) Policies
Policies are the set of rules that must be applied in order to achieve the planned outcome. Two types of policy are used in this system:
Access policy
Privacy policy
The access policy (AIP) is defined by the admin and states which employee of the organization may use how much of the data in its database.
The privacy policy (PIP) is defined by the client, to restrict how much of their personal data is used in providing the service.
5) Compliance check
Once the IP, AIP and PIP are defined, and before authorization is given to an employee, a compliance check determines whether the employee is authorized, following the algorithm above.

3. Results and Discussions

This chapter presents the results obtained from the developed system and discusses them. The GUI has a main page where the user enters details to register. After login the client can see their profile and select from menus laid out in a grid, such as query, past details, privacy policy and get results.

Figure.2 User Query Submission


Figure.3 Privacy Policy

The user may state their own privacy policy, i.e. which employee can access how much of their data. The admin sees their own profile after login and can perform tasks such as assigning an access policy, defining purposes and signing out.

Figure.4 Encrypted Text


As shown in Figure 4, the admin cannot see the user's details: as soon as the user enters the details, they are encrypted and stored.

Figure.5 Access Policy


As shown in Figure 5, the admin can define the access policy for each employee, stating which details they may access and to what extent.

Figure.6 Define Purpose


Purpose definition is the main process, so the admin must be very clear about what access is being defined and state it so that it does not conflict with the privacy and access policies.
After login, an employee can view their profile to see what has been allotted to them.

Figure.7 Allowed Access to Employee


Whenever the employee selects a purpose, the compliance check runs in the background and the employee gets access only to the data they are allowed.

Figure.8 Decrypted Text


As shown in Figure 8, if the employee holds read access to a particular item of data, they are able to decrypt it and read its contents.


Figure.9 File downloading by employee: high-end privilege needs a condition

As shown in Figure 9, when an employee wants to download the user's past-details file, which is marked as high-end privilege because it may contain sensitive data, the employee must first satisfy a condition before the file can be downloaded.
Finally the employee uploads the processed file for the user, who downloads it and obtains the result.

4. Conclusions and Future Work

This paper has shown that a subject who wants to access data should be granted access according to the purpose for which the data is requested, and that the user or client should be able to control the exposure of their data to others. Purpose based access control offers an approach to the next generation of access control. It extends the long-established role based access control: the results show that it improves on role based access control because it builds on the role mechanism and adds a purpose check on top of it.
There is ample room for future work, as purpose based access control is still new; more work is needed on performance and ease of use before these models can be used in practice.


Authors Profile

MD Arif is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Belgaum.
He received his Bachelor of Engineering in Computer Science from Dr. AIT Bengaluru. His areas of interests include
Cryptography and Mobile Computing.
arifmohammed2012@gmail.com
Mrs. Pushpalatha S is currently working as a Professor in the Dept. of Computer Network and Engineering, Center for PG Studies, VTU Belgaum. She completed her Masters in Computer Network Engineering at the National Institute of Engineering, Mysore, Karnataka and her Bachelor of Engineering in Electronics and Communication Engineering at Coorg Institute of Technology, Kodagu, Karnataka. She has 7 years of teaching experience overall and has taught Network Security, Computer Networks, Wireless Communication and Digital Communication. Her recent interests include Network Security and Cryptography.
pushpalatha@vtu.ac.in

Henin Roland Karkada is currently pursuing M.Tech in Computer Science at Center for PG Studies, (VTU),
Belgaum. He received his Bachelor of Engineering in Computer Science from Mangalore Institute of Technology
(MITE) Mangalore. His areas of interests include Content Based image Retrieval, Cloud Computing, Cryptography and
Semantic Web.
henin.roland@gmail.com

Sunil Saumya is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU),
Belgaum. He received his Bachelor of Engineering in Computer Science from Lovely Professional University, Punjab.
His areas of interests include Cryptography and Mobile Computing.
sunil.saumya007@gmail.com


Shilpa V is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Belgaum. She received her Bachelor of Engineering in Electronics and Communications from Dr. SMCE, Byranayakanahalli, Bengaluru. Her areas of interest include Cryptography and Mobile Computing.
shilpav92@gmail.com
