<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>Feb</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Access Control Policy Administration supporting User-defined Privacy Preferences</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Thomas Trojer</string-name>
          <email>thomas.trojer@uibk.ac.at</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Ruth Breu (Supervisor)</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Institute of Computer Science, University of Innsbruck</institution>
          ,
          <country country="AT">Austria</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2012</year>
      </pub-date>
      <volume>15</volume>
      <issue>2012</issue>
      <abstract>
        <p>The protection of medical records is understood to be an issue of privacy and is therefore closely bound to the patient her/himself; it plays a crucial role in networked electronic health-care. Granting users control over personal data stored and processed by information systems is important, as it allows a user to communicate individual privacy concerns. Still, letting users maintain control of access to their personal data themselves poses implementation challenges. A major issue is that users are typically non-security experts and have only limited knowledge of the context domain. In our use-case, patients may not be fully familiar with all activities related to information processing, e.g., during a medical treatment, and are therefore not able to properly decide on privacy and authorization measures. In our work we discuss the development of access control authoring tools that allow non-expert users to create, analyse and adjust personal privacy policies. We propose the integration of domain aspects into the development process of such tools. With extended knowledge about the domain, the creation of policy rules can be bound to high-level activity descriptions and policy analysis can be performed in a domain-aware manner.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Motivation</title>
      <p>Modern information systems are able to store, retrieve and process vast amounts of
data. Further extended by networking capabilities and driven by the increased
personal use of information technology, a wide range of data can be collected
and combined to form new processable content. Collecting data is critical
unless there are means of regulating access to it when requests for provisioning or
processing are made. Depending on the actual use-case, data can be considered
e.g., confidential according to its content or sensitive in terms of identifying
individual persons.</p>
      <p>In a common use-case scenario a person responsible for security matters, like
an administrator, defines access control policies which constitute appropriate
security measures for all protected resources. In the case of person-identifying
information, such policies do not necessarily reflect the conception of the
identified individual of how this information should be access-protected. By declaring privacy
as a right of informational self-determination, e.g., within the European Data
Protection Directive<sup>1</sup>, an individual user is awarded a distinguished role within
privacy management processes. This can be interpreted as the required ability
of a user to influence the definition of enforceable access control policies which
constitute data privacy according to the user's personal conception.</p>
      <p>1.1 Use-case: Patient-centric Electronic Health-care</p>
      <p>We consider a use-case from the Austrian e-Health initiative which started in
2006 as a governmental workgroup. A central goal of this initiative is the
establishment of a distributed shared electronic health-record for all citizens of
Austria. It has been shown that a holistic medical history of a patient improves
the health-care infrastructure from an economic perspective as well as from
the viewpoint of effectiveness of medical treatments. Still, because of the
high degree of sensitivity observed in most medical data, privacy is a
concern of utmost importance to be tackled. In the context of this initiative we
want to contribute methods with a strong focus on patient-centricity by
establishing personal control over privacy-relevant health data.</p>
    </sec>
    <sec id="sec-2">
      <title>Problem statement</title>
      <p>A general problem question can be raised as follows: How can a user, considered
a non-security and non-domain expert, be supported during the declaration of
access control policies in a way that she/he is aware of the consequences for certain
evaluation criteria, first and foremost personal privacy and, e.g., the effectiveness
of the information system? Two potential user actions can be derived from this
problem question. First, a user has to be provided with tools to create access
control policies, and second a currently active policy has to be visualized in a way
that the user can understand how it influences the information flow of the system.
Visualizing active policies is especially important to allow a user to reconsider
the policies' appropriateness. Thereby a user is able to adjust a policy in a way
so that it fits her/his personal conception of access control.</p>
    </sec>
    <sec id="sec-3">
      <title>Contributions</title>
      <p>We contribute a framework using domain characteristics to develop user
interfaces for access control policy authoring. Further, this framework includes a policy
analysis component capable of providing users with feedback during their actions
within the policy authoring process. A central step to be performed is therefore
the modeling of domain entities and their relationships as well as the
annotation of the domain model with attributes from the access control domain. In
the context of our use-case we identify e.g., a medical practitioner or pharmacist
as subjects of access control, whereas medical records or referrals are considered
resources to be protected by access control. A basic API to work with domain
entities and access control policy elements can be generated from that model.</p>
      <p>1 See Directive 95/46/EC, http://ec.europa.eu/justice/policies/privacy/law/index_en.htm</p>
      <p>
        Based on this model we designed a generic authoring process [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] that leads
to the creation of access control policies. This process allows for policy creation
and adaptation, which can be triggered by the user.
      </p>
      <p>In this work we want to emphasize two research directions in order to reach
our objective of providing a non-expert user with access control authoring tools
to establish privacy policies. These are described in the following sections.</p>
      <p>3.1 Scenario-based Access Control Policy Authoring</p>
      <p>
        John Carroll [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ] coined the term scenarios for stories about people and their
activities, e.g., related to the tasks of their work. We propose scenario-based
authoring as a method to create and further visualize access control policies in
a usable way. This is important as users typically lack knowledge about the
underlying access control concepts and therefore have to be supported during
the authoring process [
        <xref ref-type="bibr" rid="ref12 ref2">12, 2</xref>
        ].
      </p>
      <p>
        The first step of our approach regards the elicitation of typical working
activities of the domain. Only working activities which involve information processing
in some way are considered, as they can be related to access control. In
our context we tackled this step by performing a case-study about stakeholders
and some of their activities in the domain of electronic health records in Austria
[
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. Next, the selected working activities have to be translated to our template
language. A template consists of the attributes identifying and describing the
working activity in natural language and further a set of access control rules
which are written to the user policy once a template instance is executed. User
control is established via user interface form input fields which represent domain
and environment information (e.g. time, date, location or cardinalities) and are
bound to variables used within the policy rules of the template. Fig. 1 shows
a basic scenario from our electronic health-care use-case, namely the selection
of a family practitioner performed by a citizen stakeholder. In this example two
inputs are provided: the name of the family practitioner and whether all
documents (i.e. also all future ones) shall be accessible or only the ones currently
stored about the patient. By executing a template instance one permit-rule is
created allowing the selected practitioner (i.e. the subject of the access control
target) to access the patient's health records. Similarly, a query can be formed to
visualize the selected family practitioner to the user by asking who is permitted to
read all documents.
      </p>
      <p>The template language including access control rules and queries is
currently being developed and described in a formal way. With this work we target the
field of usable security.</p>
      <p>3.2 Domain-based Access Control Policy Analysis</p>
      <p>We see two situations where a user may be encouraged to reconsider her/his
access control settings and to adjust them if necessary. First, if the representation
of currently active settings can be provided in a readable way, the user is able to
detect differences between these settings and her/his intended settings. Therefore
we propose to use scenario-based policy templates (see Section 3.1) to increase
the understandability of a user policy.</p>
      <p>
        Besides a user adjusting her/his policy based on a manual interpretation,
policies may also carry conflicts or influence arbitrary system properties and
the user in a negative way. Therefore we identify a second situation for
adjusting a policy, namely one triggered by feedback of a performed policy analysis. In
general, policy analysis is extensively discussed in the literature (see e.g., [
        <xref ref-type="bibr" rid="ref1 ref7 ref8">7, 8, 1</xref>
        ]),
but mainly based on conflict detection regarding the interplay of different policy
rules. Work, as e.g., done by Michael LeMay [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] and Kathi Fisler [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], considers a
policy model together with the domain in which policies are deployed. Based
on these works we propose the definition of high-level evaluation criteria which
interact. These criteria can be attached to the policy authoring activity, leading
to a balancing act during access control configuration in order to best satisfy all
evaluation criteria. In our previous work [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] we considered privacy and
information system effectiveness as evaluation criteria to be balanced. There, based on
a domain model and a model for each evaluation criterion, domain-aware analysis
rules integrating all evaluation aspects can be generated.
      </p>
      <p>For our use-case we defined a trivial privacy model consisting of permissions
and restrictions and an information system effectiveness model. This
effectiveness model consists of personal relationships between subjects and needs-to-know
relations between subjects and protected resources (see Fig. 2). Regarding
privacy, the lack of a permission can be interpreted as increased privacy. On the
other hand, the absence of either the personal relationship or the
needs-to-know relation, or of both, decreases the need of the information system to be effective
with respect to these attributes. E.g., a family practitioner is assigned a personal
relationship connecting her/him to the patient, and further needs-to-know relations
to all of the patient's data are established. Now, a patient restricting this practitioner
from reading any data would obviously contribute to her/his privacy, but
the health-care information system would no longer operate effectively. An
effectiveness warning with detailed information about its reasons is provided to
the user, who in turn may react to it by adjusting her/his settings.</p>
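      <p>The template mechanism of Section 3.1 (form inputs bound to variables of a permit-rule, plus the query that visualizes the selected family practitioner) and the effectiveness analysis of Section 3.2 (a warning wherever a subject with a personal relationship and a needs-to-know relation is nevertheless unable to read a document), carried through in Python as an added example; this is not code from the paper or its prototype. The Rule and PolicyTemplate structures, the deny-overrides evaluation, and the stakeholder and document identifiers (dr-huber, doc-1, ...) are assumptions made for illustration.</p>

```python
"""Toy model of scenario-based policy templates (Section 3.1) and the
domain-aware effectiveness analysis (Section 3.2).  Added illustration,
not the authors' template language or policy API; all names and data
below (Rule, PolicyTemplate, dr-huber, doc-1, ...) are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

ALL = "*"  # wildcard resource: every document, including future ones


@dataclass(frozen=True)
class Rule:
    effect: str    # "permit" or "deny"
    subject: str   # stakeholder identifier, e.g. a practitioner
    action: str    # e.g. "read"
    resource: str  # a document identifier or ALL


@dataclass
class PolicyTemplate:
    """Natural-language description of a working activity plus a generator
    that turns the form input into the rules written to the user policy."""
    name: str
    description: str
    inputs: Tuple[str, ...]
    generate: Callable[[Dict[str, object], Set[str]], List[Rule]]

    def instantiate(self, values: Dict[str, object], current_docs: Set[str]) -> List[Rule]:
        missing = set(self.inputs) - set(values)
        if missing:
            raise ValueError(f"template {self.name!r} needs inputs {sorted(missing)}")
        return self.generate(values, current_docs)


def _family_practitioner_rules(values, current_docs):
    """One permit-rule on all documents, or one per document stored today."""
    doctor = values["practitioner"]
    if values["all_documents"]:
        return [Rule("permit", doctor, "read", ALL)]
    return [Rule("permit", doctor, "read", doc) for doc in sorted(current_docs)]


SELECT_FAMILY_PRACTITIONER = PolicyTemplate(
    name="select-family-practitioner",
    description="I choose {practitioner} as my family practitioner; she/he may "
                "read {all my documents | only the documents stored today}.",
    inputs=("practitioner", "all_documents"),
    generate=_family_practitioner_rules,
)


def is_permitted(policy, subject, action, resource) -> bool:
    """Deny by default; an explicit deny overrides any permit."""
    matching = [r for r in policy if r.subject == subject and r.action == action
                and r.resource in (ALL, resource)]
    if any(r.effect == "deny" for r in matching):
        return False
    return any(r.effect == "permit" for r in matching)


def who_may_read_all(policy) -> List[str]:
    """Query behind the 'who is my family practitioner?' visualisation:
    subjects holding a wildcard read permit and no read restriction."""
    policy = list(policy)
    restricted = {r.subject for r in policy if r.effect == "deny" and r.action == "read"}
    return sorted({r.subject for r in policy if r.subject not in restricted
                   and is_permitted(policy, r.subject, "read", ALL)})


@dataclass
class EffectivenessModel:
    """Domain knowledge from Fig. 2: subjects with a personal relationship to
    the patient, and (subject, document) pairs the subject needs to know."""
    personal_relationship: Set[str]
    needs_to_know: Set[Tuple[str, str]]


def effectiveness_warnings(policy, model) -> List[str]:
    """A subject related to the patient who needs a document but cannot read it
    lowers effectiveness; the reasons are returned for display to the user."""
    policy = list(policy)
    return [f"{s} has a personal relationship and needs to know {d} but cannot read it"
            for s, d in sorted(model.needs_to_know)
            if s in model.personal_relationship and not is_permitted(policy, s, "read", d)]


def demo():
    # Patient selects dr-huber for today's documents only; doc-3 is stored later.
    docs_today = {"doc-1", "doc-2"}
    policy = SELECT_FAMILY_PRACTITIONER.instantiate(
        {"practitioner": "dr-huber", "all_documents": False}, docs_today)
    model = EffectivenessModel(personal_relationship={"dr-huber"},
                               needs_to_know={("dr-huber", d) for d in docs_today | {"doc-3"}})
    return who_may_read_all(policy), effectiveness_warnings(policy, model)
```

      <p>Instantiating the template with all_documents set to False writes one permit-rule per document stored today, so a document added later is not covered; demo() shows how the analysis turns exactly that gap into an effectiveness warning, while the same practitioner does not appear in the who-may-read-all visualisation at all because no wildcard permit exists. With all_documents set to True a single wildcard rule is written, and adding a deny on one document both removes the practitioner from the visualisation and raises a warning for that document.</p>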
      <p>[Fig. 2: Domain model underlying the effectiveness analysis. Core policy entities: &lt;&lt;stereotype&gt;&gt; Subject [Class], &lt;&lt;stereotype&gt;&gt; Resource [Class] and &lt;&lt;stereotype&gt;&gt; Action [Class], which together define an &lt;&lt;stereotype&gt;&gt; Access target (refined by e.g. conditions, obligations, etc.) with an &lt;&lt;enumeration&gt;&gt; Access decision of Permit or Deny. Effectiveness model: &lt;&lt;stereotype&gt;&gt; Personal relationship [Association, Class] from Subject to Subject, and &lt;&lt;stereotype&gt;&gt; Needs to know [Association] between Subject and Resource.]</p>
      <p>In an ongoing project with our industry partner ITH-icoserve for healthcare
technology, a subsidiary company of Siemens and a local hospital provider, we
are developing an access control policy authoring application based on a secured
IHE-based infrastructure<sup>2</sup> for shared patient health-records.</p>
      <p>
        Currently we have considered access control enforcement based on IHE XDS<sup>2</sup>
and auxiliary profiles [
        <xref ref-type="bibr" rid="ref10 ref5">5, 10</xref>
        ], of which our industry partner is an implementer
tested for conformity and interoperability. Further, a prototypical
authoring portal application was developed [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ]. In order to let the policy authoring
reflect the actual domain, we employ a model-driven process which generates a
policy API based on a domain and access control model [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ]. Our approach for
domain-aware policy analysis, which is based on balancing evaluation criteria,
will also build upon the policy API. The evaluation criteria we currently consider
are the correlation between permitted or restricted access, personal relationships
between stakeholders and the importance of having certain data available to
specific stakeholders. In future work we also want to study other criteria, e.g., the
purpose-relatedness of permitted data accesses.
      </p>
      <p>2 See IHE IT Infrastructure Technical Framework, http://www.ihe.net/Technical_Framework/index.cfm#IT</p>
      <p>Generally we apply methods from design science to develop the
aforementioned artifacts for patient-controlled access control. Usable methods for
authoring and analysis of policies are our main focus. Further, we will perform
additional case studies to justify the application of these approaches within our
use-case. As human interaction with the authoring application is a central part
of this work, we will also conduct a usability study to evaluate the
usefulness of working scenarios and templates for maintaining access control policies.
A fully featured authoring portal application is planned to be integrated into a
health information system built by our industry partner and deployed to our
regional health-care infrastructure. This will consist of templates for adapting
authorization policies as well as policy analysis to inform a citizen about the
consequences of certain access control settings. Finally, the deployed system has
to be evaluated regarding its performance and user acceptance.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>E.</given-names>
            <surname>Bertino</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Catania</surname>
          </string-name>
          , E. Ferrari, and
          <string-name>
            <given-names>P.</given-names>
            <surname>Perlasca</surname>
          </string-name>
          .
          <article-title>A logical framework for reasoning about access control models</article-title>
          .
          <source>In Proceedings of the sixth ACM symposium on Access control models and technologies</source>
          ,
          <source>SACMAT '01</source>
          ,
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>S.</given-names>
            <surname>Brostoff</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. A.</given-names>
            <surname>Sasse</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Chadwick</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Cunningham</surname>
          </string-name>
          ,
          <string-name>
            <given-names>U.</given-names>
            <surname>Mbanaso</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Otenko</surname>
          </string-name>
          .
          <article-title>R-What? Development of a Role-Based Access Control (RBAC) Policy-Writing Tool for e-Scientists</article-title>
          .
          <source>Software: Practice and Experience</source>
          ,
          <volume>35</volume>
          (
          <issue>9</issue>
          ):
          <fpage>835</fpage>
          -
          <lpage>856</lpage>
          ,
          <year>July 2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <given-names>J.</given-names>
            <surname>Carroll</surname>
          </string-name>
          .
          <article-title>Five reasons for scenario-based design</article-title>
          .
          <source>Interacting with Computers</source>
          ,
          <volume>13</volume>
          (
          <issue>1</issue>
          ):
          <fpage>43</fpage>
          -
          <lpage>60</lpage>
          ,
          <year>2000</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <given-names>K.</given-names>
            <surname>Fisler</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Krishnamurthi</surname>
          </string-name>
          .
          <article-title>A model of triangulating environments for policy authoring</article-title>
          .
          <source>In Proceeding of the 15th ACM symposium on Access control models and technologies</source>
          ,
          <source>SACMAT '10</source>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>B.</given-names>
            <surname>Katt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Trojer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Breu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Schabetsberger</surname>
          </string-name>
          , and
          <string-name>
            <given-names>F.</given-names>
            <surname>Wozak</surname>
          </string-name>
          .
          <article-title>Meeting EHR security requirements: SeAAS approach</article-title>
          .
          <source>In EFMI STC</source>
          <year>2010</year>
          . Accepted,
          <year>June 2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <given-names>M.</given-names>
            <surname>LeMay</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Fatemieh</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C. A.</given-names>
            <surname>Gunter</surname>
          </string-name>
          .
          <article-title>PolicyMorph: interactive policy transformations for a logical attribute-based access control framework</article-title>
          .
          <source>In Proceedings of the 12th ACM symposium on Access control models and technologies</source>
          ,
          <source>SACMAT '07</source>
          ,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>E.</given-names>
            <surname>Lupu</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Sloman</surname>
          </string-name>
          .
          <article-title>Conflicts in Policy-based Distributed Systems Management</article-title>
          .
          <source>IEEE Transactions on Software Engineering</source>
          ,
          <volume>25</volume>
          ,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>J. D.</given-names>
            <surname>Moffett</surname>
          </string-name>
          and
          <string-name>
            <given-names>M. S.</given-names>
            <surname>Sloman</surname>
          </string-name>
          .
          <article-title>Policy conflict analysis in distributed system management</article-title>
          ,
          <year>1993</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <given-names>T.</given-names>
            <surname>Trojer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Katt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Schabetsberger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Breu</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Mair</surname>
          </string-name>
          .
          <article-title>Considering privacy and effectiveness of authorization policies for shared electronic health records</article-title>
          .
          <source>In ACM IHI</source>
          <year>2012</year>
          (in press),
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <given-names>T.</given-names>
            <surname>Trojer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Katt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Schabetsberger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Mair</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Breu</surname>
          </string-name>
          .
          <article-title>The Process of Policy Authoring of Patient-controlled Privacy Preferences</article-title>
          . In eHealth
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <given-names>T.</given-names>
            <surname>Trojer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Katt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Wozak</surname>
          </string-name>
          , and
          <string-name>
            <given-names>T.</given-names>
            <surname>Schabetsberger</surname>
          </string-name>
          .
          <article-title>An Authoring Framework for Security Policies: A Use-case within the Healthcare Domain</article-title>
          .
          <source>In eHealth</source>
          <year>2010</year>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <given-names>T.</given-names>
            <surname>Whalen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Smetters</surname>
          </string-name>
          , and
          <string-name>
            <given-names>E. F.</given-names>
            <surname>Churchill</surname>
          </string-name>
          .
          <article-title>User experiences with sharing and access control</article-title>
          .
          <source>In CHI '06 extended abstracts on Human factors in computing systems</source>
          ,
          <source>CHI EA '06</source>
          , pages
          <fpage>1517</fpage>
          -
          <lpage>1522</lpage>
          , New York, NY, USA,
          <year>2006</year>
          . ACM.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>