• NORJIHAN ABDUL GHANI Faculty of Computer Science and Information Technology, University of Malaya, 50603 Kuala Lumpur, Malaysia
  • HARIHODIN SELAMAT Advanced Informatics School, Technology, University of Malaysia, Jalan Semarak, 54100 Kuala Lumpur, Malaysia
  • ZAILANI MOHAMED SIDEK Advanced Informatics School, Technology, University of Malaysia, Jalan Semarak, 54100 Kuala Lumpur, Malaysia


Wireless computing, specification, requirements, acceptance criteria


Web-based applications enable users to carry out their business transactions virtually at any time and place. They require users to disclose almost all their personal information. Organizations on the other hand will collect, process, and store a huge amount of this information, which results in a greater risk of information disclosure. Enforcing personal information protection in databases requires controlled access to systems and resources and is only granted to authorized users. Previous research on purpose-based access control does not fully support personal data protection, especially users’ rights and less user participation towards their personal data once it is released via web applications. This paper formulates a solution to control access while ensuring that personal data is protected and that users have full control over their own data. This model, which implements two-phase security involving user authentication using personal credential and data authorization based on purpose, is presented. The purpose of this model is to protect personal information that has been collected via web-based applications by using data access control.



Download data is not yet available.


Agrawal, R., Kiernan, J. and Srikant, R. (2002). Hippocratic Database. Proceedings of the 28th International Conference on Very Large Data Bases, 143-154.

Al-Fedaghi, S. (2007). Beyond Purpose-Based Privacy Access Control. 18th Australasian Database Conference (ADC 2007), Ballarat, Australia. Conferences in Research and Practice in Information Technology. 63.

Barker, S. (2010). Personalizing Access Control by Generalizing Access Control. Proceedings of the Seventh ACM Symposium on Access Control Models and Technologies. 149-158.

Bertino, E. (2005). Purpose Based Access Control for Privacy Protection in Database Systems. Database Systems for Advanced Applications. Lecture Notes in Computer Science, 3453, 1003-1007.

Bertino, E., Byun, J. W. and Li, N. (2005). Privacy-Preserving Database Systems. Foundations of Security Analysis and Design III, Lecture Notes in Computer Science. 3655: 178-206.

Bertino, E., Ghinita, G. and Kamra, A. (2011). Access Control for Databases: Concepts and Systems, Foundations and Trends in Databases. 3(1-2): 1-148.

Bertino, E. and Sandhu, R. (2005). Database Security-Concepts, Approaches, and Challenges. IEEE Transactions on Dependable and Secure Computing. 2(1): 2-19.

Braghin, S., Coen-Porisini, A., Colombo, P., Sicari, S. and Trombetta, A. (2008). Introducing Privacy in a Hospital Information System. Proceedings of The 4th International Workshop on Software Engineering for Secure Systems. 9-16.

Byun, J. W., Bertino, E. and Li, N. (2005). Purpose Based Access Control of Complex Data for Privacy Protection. Proceedings of 10th ACM Symposium on Access Control Models and Technologies. 102-110.

Byun, J.-W. and Li, N. (2008). Purpose Based Access Control for Privacy Protection in Relational Database Systems. The International Journal on Very Large Data Bases, 17(4), 603 - 619.

Camenisch, J., Modersheim, S., & Neven, G. (2009). Credential-Based Access Control Extensions to XACML,

Chauduri, S., Kaushik, R., and Ramamurthy, R. (2011). Database Access Control & Privacy: Is There A Common Ground. Proceedings of the 5th BiennialConference on Innovative Data Systems Research. January 9-12. Asilomar, California, USA, 2010. 96-103.

Dagdee, N., and Vijaywargiya, R. (2009a). Access Control Methodology for Sharing of Open and Domain Confined Data using Standard Credentials. International Journal on Computer Science and Engineering. 1(3), 148-155.

Dagdee, N. and Vijaywargiya, R. (2009b). Credential Based Hybrid Access Control Methodology for Shared Electronic Health Records. International Conference on Information Management and Engineering. 3-5 April. S.D. Bansal Coll. of Technol., Indore. 624-628.

Di Vimercati, S. D. C., Foresti, S. and Samarati, P. Authorization and Access Control. In: Petkovic, M and Jonker, W. Security, Privacy, and Trust in Modern Data Management. Berlin/DE. Springer-Verlag Berlin and Heidelberg GmbH & Co. KG. 39; 2010.

Kabir, M. E., and Wang, H. (2009). Conditional Purpose Based Access Control Model for Privacy Protection. Proc. 20th Australasian Database Conference. 92, 135-142.

Kabir, M. E., Bertino, E. (2011). A Conditional Purpose Based Access Control Model with Dynamic Roles for Privacy Protection. Expert Systems with Applications. 38(2011), 1482-1485.

Kabir, M. E., Wang, H. and Bertino, E. (2012). A Role-involved Purpose-based Access Control Model. Information System Frontiers. 14, 809-822).

LeFevre, K., Agrawal, R., Ercegovac, V. and Ramakrishnan, R. (2004). Limiting Disclosure in Hippocratic Databases. Proceedings of the Thirtieth International Conference on Very Large Data Bases. 30, 108-119.

Masoumzadeh, A. and Joshi, J.B.D. (2008) PuRBAC: Purpose-Aware Role-Based Access Control. Proceedings of the OTM 2008 Confederated International Conferences. 1104-1121.

Peng, H., Gu, J., & Ye, X. 2008. Dynamic Purpose-Based Access Control. Proceedings of the International Symposium on Parallel and Distributed Processing with Applications 08. 695-700.

Stoupa, K., Simeoforidis, Z., and Vakali, A. (2006). Credential-Based Policies Management in an Access Control Framework Protecting XML Resources. , Lecture Notes in Computer Science. 4263, 603-612.

Sun, L. and Wang, H. (2010). Dynamic Purpose Based Usage Access Control. World Academy of Science, Engineering and Technology 2010. 619-624.