32,475 research outputs found
DTD level authorization in XML documents with usage control
[Summary]: In recent years an increasing amount of semi-structured data has become important to humans and programs. XML promoted by the World Wide Web Consortium (W3C) is rapidly emerging as the new standard language for semi-structured data representation and exchange on the Internet. XML documents may contain private information that cannot be shared by all user communities. So securing XML data is becoming increasingly important and several approaches have been designed to protect information in a website. However, these approaches typically are used at file system level, rather than for the data in XML documents. Usage control has been considered as the next generation access control model with distinguishing properties of decision continuity. Usage control enables finer-grained control over usage of digital objects than that of traditional access control policies and models. In this paper, we present a usage control model to protect information distributed on the web, which allows the access restrictions directly at DTD-level and XML document-level. Finally, comparisons with related works are analysed.
Recommended from our members
Military Construction, Veterans Affairs, and Related Agencies: FY2015 Appropriations
[Excerpt] The Military Construction, Veterans Affairs, and Related Agencies appropriations bill provides funding for the planning, design, construction, alteration, and improvement of facilities used by active and reserve military components worldwide. It capitalizes military family housing and the U.S. share of the NATO Security Investment Program and finances the implementation of installation closures and realignments. It underwrites veterans benefit and health care programs administered by the Department of Veterans Affairs (VA), provides for the creation and maintenance of U.S. cemeteries and battlefield monuments within the United States and abroad, and supports the U.S. Court of Appeals for Veterans Claims, Armed Forces Retirement Homes, and Arlington National Cemetery. The bill also funds advance appropriations for veterans' medical services
A Typed Model for Dynamic Authorizations
Security requirements in distributed software systems are inherently dynamic.
In the case of authorization policies, resources are meant to be accessed only
by authorized parties, but the authorization to access a resource may be
dynamically granted/yielded. We describe ongoing work on a model for specifying
communication and dynamic authorization handling. We build upon the pi-calculus
so as to enrich communication-based systems with authorization specification
and delegation; here authorizations regard channel usage and delegation refers
to the act of yielding an authorization to another party. Our model includes:
(i) a novel scoping construct for authorization, which allows to specify
authorization boundaries, and (ii) communication primitives for authorizations,
which allow to pass around authorizations to act on a given channel. An
authorization error may consist in, e.g., performing an action along a name
which is not under an appropriate authorization scope. We introduce a typing
discipline that ensures that processes never reduce to authorization errors,
even when authorizations are dynamically delegated. Comment: In Proceedings PLACES 2015, arXiv:1602.0325
Securities-Stocklist Authorizations-Solicitation of Stocklist Authorizations Is Within the Proxy Regulations of the Securities Exchange Act-Studebaker Corp. v. Gittlin
Gittlin, a shareholder of the Studebaker Corporation, planned to solicit proxies for the election of directors in opposition to the existing management. As an initial step in the implementation of this plan, he sought to obtain a stockholder's list and accordingly initiated proceedings in a New York court under section 1315(a) of the New York Business Corporation Law which grants a right of access to a shareholder who has obtained authorizations in writing from the holders of at least five per cent of the outstanding shares of the corporation. In order to meet the five per cent requirement, Gittlin had solicited and obtained authorizations from forty-two shareholders. Studebaker appeared before the Federal District Court for the Southern District of New York to secure an injunction against the use of these authorizations in the state court, and the injunction was issued since the court found that Gittlin had obtained the authorizations without complying with Securities Exchange Act Regulations 14a-3 and 14a-6. Gittlin, asserting that these proxy regulations do not apply to authorizations to obtain a stocklist in a state court proceeding, appealed to the Court of Appeals for the Second Circuit. On appeal, held, affirmed. Since the authorizations were obtained as a part of a continuous plan intended to end in the solicitation of proxies, and were designed to prepare the way for such a solicitation, they are within the scope of the proxy regulations and therefore, absent compliance therewith, they are invalid
Expressive Policy Analysis with Enhanced System Dynamicity
Despite several research studies, the effective analysis of policy based systems remains a significant challenge. Policy analysis should at least (i) be expressive, (ii) take account of obligations and authorizations, (iii) include a dynamic system model, and (iv) give useful diagnostic information. We present a logic-based policy analysis framework which satisfies these requirements, showing how many significant policy-related properties can be analysed, and we give details of a prototype implementation. Copyright 2009 ACM
Authorization and access control of application data in Workflow systems
Workflow Management Systems (WfMSs) are used to support the modeling and coordinated execution of business processes within an organization or across organizational boundaries. Although some research efforts have addressed requirements for authorization and access control for workflow systems, little attention has been paid to the requirements as they apply to application data accessed or managed by WfMSs. In this paper, we discuss key access control requirements for application data in workflow applications using examples from the healthcare domain, introduce a classification of application data used in workflow systems by analyzing their sources, and then propose a comprehensive data authorization and access control mechanism for WfMSs. This involves four aspects: role, task, process instance-based user group, and data content. For implementation, a predicate-based access control method is used. We believe that the proposed model is applicable to workflow applications and WfMSs with diverse access control requirements
Audit-based Compliance Control (AC2) for EHR Systems
Traditionally, medical data is stored and processed using paper-based files. Recently, medical facilities have started to store, access and exchange medical data in digital form. The drivers for this change are mainly demands for cost reduction, and higher quality of health care. The main concerns when dealing with medical data are availability and confidentiality. Unavailability (even temporary) of medical data is expensive. Physicians may not be able to diagnose patients correctly, or they may have to repeat exams, adding to the overall costs of health care. In extreme cases availability of medical data can even be a matter of life or death. On the other hand, confidentiality of medical data is also important. Legislation requires medical facilities to observe the privacy of the patients, and states that patients have a final say on whether or not their medical data can be processed or not. Moreover, if physicians, or their EHR systems, are not trusted by the patients, for instance because of frequent privacy breaches, then patients may refuse to submit (correct) information, complicating the work of the physicians greatly.
In traditional data protection systems, confidentiality and availability are conflicting requirements. The more data protection methods are applied to shield data from outsiders the more likely it becomes that authorized persons will not get access to the data in time. Consider for example, a password verification service that is temporarily not available, an access pass that someone forgot to bring, and so on. In this report we discuss a novel approach to data protection, Audit-based Compliance Control (AC2), and we argue that it is particularly suited for application in EHR systems. In AC2, a-priori access control is minimized to the mere authentication of users and objects, and their basic authorizations. More complex security procedures, such as checking user compliance to policies, are performed a-posteriori by using a formal and automated auditing mechanism. To support our claim we discuss legislation concerning the processing of health records, and we formalize a scenario involving medical personnel and a basic EHR system to show how AC2 can be used in practice.
This report is based on previous work (Dekker & Etalle 2006) where we assessed the applicability of a-posteriori access control in a health care scenario. A more technically detailed article about AC2 recently appeared in the IJIS journal, where we focussed however on collaborative work environments (Cederquist, Corin, Dekker, Etalle, & Hartog, 2007). In this report we first provide background and related work before explaining the principal components of the AC2 framework. Moreover we model a detailed EHR case study to show its operation in practice. We conclude by discussing how this framework meets current trends in healthcare and by highlighting the main advantages and drawbacks of using an a-posteriori access control mechanism as opposed to more traditional access control mechanisms