Enforcing purpose of access for privacy-aware policies based on user roles, purpose dependencies, contextual data, and access history

Thavy Mony Annanda Rath, Jean-Noël Colin

Research output: Working paper


Abstract

This paper addresses the issue of purpose enforcement for privacy-aware policies. We propose an approach to enforcing purpose of access in an access control system based on user roles, contextual data, purpose dependencies, and the user's past access history. Enforcing purpose of access based only on the user's role has been introduced previously. However, this method is not very reliable, and it has been criticized as inefficient in capturing the purpose of an action, since roles and purposes are not always aligned and members of the same organizational role may pursue different purposes in their actions. We therefore argue that by combining user roles, contextual data related to purpose, relationships between purposes, and the user's past access history to enforce purpose of access, we obtain a more reliable purpose enforcement technique. Furthermore, we propose an access control system architecture supporting purpose enforcement and a prototype implementation in Java as a proof of concept for the proposed enforcement technique.

Original language: English
Publication status: Unpublished - 2014

Keywords

  • Access control
  • purpose enforcement
  • access history
  • privacy-aware policy
  • security
