Consent validation for personal data access control using ABAC
Abstract
To comply with personal data protection regulations, systems that handle personal data must ensure that they verify users’ consent to use their information for a specific purpose. Validating consent is not a simple task, as the purpose typically begins with a high-level definition that needs to be interpreted and modeled accurately for proper evaluation and validation. In this work, we examine the issues associated with consent validation and investigate the effectiveness of attribute-based access control (ABAC) mechanisms in addressing this challenge. Based on this analysis, we propose an ABAC-based approach to verify the information owner’s consent and the user’s access permissions when requesting access. We illustrate this approach with an experiment we have conducted on a well-known benchmark for access control mechanisms defined by NIST, showing how validation rules based on the proposed approach can be implemented.
Keywords:
Security, data protection regulations, consent validation, ABAC
Published
26/11/2024
How to Cite
MOLINA, Maria; BETARTE, Gustavo; LUNA, Carlos. Consent validation for personal data access control using ABAC. In: FAST ABSTRACT - LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 30–31.
