Appl Intell
DOI 10.1007/s10489-017-1064-3

OrBAC from access control model to access usage model

Khalida Guesmia (1) · Narhimene Boustia (2)

© Springer Science+Business Media, LLC 2017
Abstract The purpose based access control model has been proposed recently to restrict access to sensitive data that are outside the control of their owner. This model can be enforced by ensuring that a user who wants to access private data respects a specific plan of tasks/actions that leads to achieving the intended objective for which these data are used. The Organization Based Access Control (OrBAC) model is suitable for integrating this principle, but in a dynamic environment such as cloud computing the authorization rules should be expressed in a flexible way, and they may include optional tasks that can be skipped in some cases in order to adapt temporarily to changes in the context. To meet these requirements, we propose in this paper a new extension of the OrBAC model using the temporal non-monotonic description logic (TL-JClassic^{+}_{δε}) that allows the policy rules to be represented formally as a hierarchical plan: a set of ordered tasks that may admit exceptions in special cases. When an access request is made, the access control system, depending on the current context, dynamically infers the appropriate sequence of actions that can be performed by the subject who requests access to private data that may be outsourced to the cloud.
Khalida Guesmia
guesmia.khalida@yahoo.fr
Narhimene Boustia
nboustia@gmail.com

1 SIIR/LRDSI, Blida 1 University, Blida, Algeria
2 SIIR/LRDSI (Blida 1) & RCR/RIIMA (USTHB), Blida 1 University, Blida, Algeria
Keywords Data privacy · Purpose based access control · Organization based access control · Nonmonotonic reasoning · Temporal description logic
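The abstract describes the core idea of the paper: an authorization rule is a purpose-specific, ordered plan of tasks, some of which are optional and may be skipped under particular contexts, and the system infers the concrete sequence at request time and then holds the subject to it. The following Python model is an added illustration of that idea, not the paper's TL-JClassic formalization or code from the authors; the policy (a physician accessing a patient record for treatment, with a consent task skippable in an emergency), the context labels and the function names are constructed here for the example.

```python
"""Toy model of plan-based usage control (constructed example, not the paper's formalism)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    name: str
    optional: bool = False
    # contexts (constructed labels) under which an optional task may be skipped
    skip_when: frozenset = field(default_factory=frozenset)


@dataclass
class Plan:
    purpose: str
    tasks: list  # ordered; the last task is the sensitive action itself


# Constructed policy: the triple (role, data, purpose) selects an ordered plan.
# A purpose with no plan (e.g. "marketing") is simply not authorised.
PLANS = {
    ("physician", "patient_record", "treatment"): Plan("treatment", [
        Task("authenticate"),
        Task("obtain_patient_consent", optional=True,
             skip_when=frozenset({"emergency"})),
        Task("log_access"),
        Task("read_record"),
    ]),
}


def derive_sequence(role, data, purpose, context):
    """Infer the concrete ordered task names for this request in this context.

    Returns None when no plan authorises the (role, data, purpose) triple.
    Optional tasks are dropped only when one of their exception contexts holds.
    """
    plan = PLANS.get((role, data, purpose))
    if plan is None:
        return None
    return [t.name for t in plan.tasks
            if not (t.optional and (t.skip_when & frozenset(context)))]


class Session:
    """Tracks a subject's progress through the inferred sequence.

    Any action that is out of order, or not part of the plan at all, is denied,
    so the sensitive final task can only run after every required step.
    """

    def __init__(self, sequence):
        self.sequence = sequence
        self.pos = 0

    def perform(self, task):
        if self.pos >= len(self.sequence) or task != self.sequence[self.pos]:
            return False
        self.pos += 1
        return True

    def completed(self):
        return self.pos == len(self.sequence)


def run_request(role, data, purpose, context, attempted_actions):
    """Evaluate a whole request: infer the plan, then replay the subject's actions."""
    seq = derive_sequence(role, data, purpose, context)
    if seq is None:
        return "denied: no plan for purpose"
    session = Session(seq)
    for action in attempted_actions:
        if not session.perform(action):
            return f"denied at '{action}'"
    return "granted" if session.completed() else "incomplete"


if __name__ == "__main__":
    normal = ["authenticate", "obtain_patient_consent", "log_access", "read_record"]
    print(run_request("physician", "patient_record", "treatment", [], normal))
    print(run_request("physician", "patient_record", "treatment", ["emergency"],
                      ["authenticate", "log_access", "read_record"]))
    print(run_request("physician", "patient_record", "marketing", [], normal))
```

The two properties worth noticing are that the same request yields a different required sequence depending on context (the consent task disappears only in the emergency context, so skipping it in the normal context is denied at the first out-of-order action), and that a purpose without a plan is denied before any task is considered, which is the purpose-based restriction the abstract builds on.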
1 Introduction
Cloud computing [27] is an emerging technology that introduces a new approach to delivering computing resources as services over the Internet, hiding all the details of implementation, deployment, maintenance and administration. It provides several advantages: most notably, it offers ubiquitous services, where anyone can access them at any time from any device connected to the Internet, and it allows businesses and organizations to considerably reduce their capital expenditure on both hardware and software, thus making their business more effective. However, outsourcing data to cloud providers obviously raises serious questions about data security and privacy, so several security properties need to be addressed properly in order to encourage companies to adopt cloud services. Therefore, besides encrypting data so that they are transferred securely to and from the cloud, there is also a strong need to prevent these data from illegal disclosure and inappropriate usage. In this work, we are interested in controlling access to sensitive data that may be stored in the cloud.
The purpose based access control model (PBAC) [13] has been proposed recently to ensure the privacy of personal data that are outside the control of their owner. The principle of this model is to allow or forbid access requests in the system based on the purposes for which the data are accessed. For example, a physician is allowed to access a patient's data only for certain purposes, such as treatment, and is prohibited from accessing the same data for other