ABSTRACT
Traditional access control models focus on individual data items, whereas in provenance we are concerned with protecting both the data items and their relationships (Braun et al. 2008). The various paths in a provenance graph from a resource to all its sources are important in proving the validity of that resource. Furthermore, these paths contain the pertinent information needed to verify the integrity of the data and establish trust between a user and the data. However, we do not want to divulge any exclusive information in the path that could be used by an adversary to gain advantages (for example, in military intelligence).
