Towards application-layer purpose-based access control

2020 
In this paper, we propose an architecturally novel approach to implementing purpose-based access control in practice. Unlike previous proposals, our approach resides on the application layer instead of the data(base) layer. This allows for significantly better integration with established architectures and practices of real-world application engineering and achieves database independence. To validate practical applicability, we provide two exemplary implementations and briefly assess the introduced overhead in terms of achievable throughput. Results depend significantly on data and query type but basically suggest bearable overheads for realistic applications, even though possible performance optimizations have not yet been implemented in our proofs of concept. Our approach thus offers significantly better practical feasibility than previous ones and exhibits reasonable overheads. It therefore paves the way for purpose-based access control to be actually adopted in practice.