We present a discretionary access control framework that can be used to control a principal’s ability to link information from two or more audit records and compromise a user’s privacy. While the traditional Chinese Wall (CW) access control model is sufficient to enforce this type of unlinkability, in distributed environments CW is inefficient because its semantics requires knowledge of a user’s access history. We propose a restricted version of the CW model in which policies are easy to enforce in a decentralized manner without the need for an access history. Our architecture analyzes system policies for potential linkability conflicts. Users can identify specific threats to their privacy, typically in terms of trusted and untrusted roles in the context of RBAC (role based access control), following which the system attaches automatically generated policy constraints to the audit records. When these constraints are enforced appropriately, they implement unlinkability policies...
Apu Kapadia, Prasad Naldurg, Roy H. Campbell