skip to main content
research-article

Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations

Published:01 November 2011Publication History
Skip Abstract Section

Abstract

Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios. We then describe a practical algorithmic framework for translating relational access control policies into their XML equivalent, expressed in the eXtensible Access Control Markup Language. Finally, we examine the difficulty of minimizing translated policies, and contribute a minimization algorithm applicable to nonrecursive translated policies.

References

  1. Anderson, A. 2005. Hierarchical resource profile of XACML v2.0. OASIS standard. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf.Google ScholarGoogle Scholar
  2. Barbosa, D., Freire, J., and Mendelzon, A. O. 2005. Designing information-preserving mapping schemes for XML. In Proceedings of the 31st International Conference on Very Large Data Bases. VLDB Endowment, 109--120. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Benedikt, M., Chan, C. Y., Fan, W., Rastogi, R., Zheng, S., and Zhou, A. 2002. DTD-directed publishing with attribute translation grammars. In Proceedings of the 28th International Conference on Very Large Data Bases. VLDB Endowment, 838--849. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Bertino, E., Castano, S., and Ferreri, E. 2001. Securing XML documents with Author-X. IEEE Internet Comput. 5, 3, 21--31. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. Bertino, E., Carminati, B., and Ferrari, E. 2002. A temporal key management scheme for secure broadcasting of XML documents. In Proceedings of the 9th ACM Conference on Computer and Communications Security. ACM, New York, NY, 31--40. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Boag, S., Chamberlin, D., Fernández, M. F., Florescu, D., Robie, J., and Siméon, J. 2007. XQuery 1.0: An XML query language. W3C Recommendation. http://www.w3.org/TR/xquery/.Google ScholarGoogle Scholar
  7. Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., and Yergeau, F. 2006. Extensible markup language (XML) 1.0 4th Ed. W3C Recommendation. http://www.w3.org/TR/2006/REC-xml-20060816/.Google ScholarGoogle Scholar
  8. Chandra, A. K. and Merlin, P. M. 1977. Optimal implementation of conjunctive queries in relational data bases. In Proceedings of the 9th Annual ACM Symposium on Theory of Computing. ACM, New York, NY, 77--90. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Chekuri, C. and Rajaraman, A. 1997. Conjunctive query containment revisited. In Proceedings of the 6th International Conference on Database Theory. Springer-Verlag, 56--70. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Crampton, J. 2004. Applying hierarchical and role-based access control to XML documents. In Proceedings of the ACM Workshop on Web Services. ACM, New York. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., and Samarati, P. 2002. A fine-grained access control system for XML documents. ACM Trans. Info. Syst. Sec. 5, 169--202. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Eastlake, D. and Reagle, J. 2002. XML encryption syntax and processing. W3C Recommendation. http://www.w3.org/TR/xmlenc-core/.Google ScholarGoogle Scholar
  13. Fagin, R. 1978. On an authorization mechanism. ACM Trans. Datab. Syst. 3, 310--319. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Fan, W. 2007. XML publishing: Bridging theory and practice. In Database Programming Languages. Lecture Notes in Computer Science Series, vol. 4797. Springer Berlin, 1--16. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Fan, W., Geerts, F., and Neven, F. 2008. Expressiveness and complexity of XML publishing transducers. ACM Trans. Datab. Syst. 33, 25, 1--25. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Fernández, M., Kadiyska, Y., Suciu, D., Morishima, A., and Tan, W.-C. 2002. SilkRoute: A framework for publishing relational data in XML. ACM Trans. Datab. Syst. 27, 438--493. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Ferraiolo, D. F., Kuhn, D. R., and Chandramouli, R. 2003. Role-Based Access Control. Computer Security Series. Artech House, Norwood, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Griffiths, P. P. and Wade, B. W. 1976. An authorization mechanism for a relational database system. ACM Trans. Datab. Syst. 1, 242--255. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Hopcroft, J. E. 1971. An n log n algorithm for minimizing states in a finite automaton. In Theory of Machines and Computations, Z. Kohavi and A. Paz Eds., Academic Press, 189--196.Google ScholarGoogle Scholar
  20. IBM. 2008. Label-based access control (LBAC) overview. IBM. http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.admin.doc/doc/c0021114.htm.Google ScholarGoogle Scholar
  21. Kudo, M. and Hada, S. 2000. XML document security based on provisional authorization. In Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM, New York, NY, 87--96. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Leighton, G. and Barbosa, D. 2010. Access control policy translation and verification within heterogeneous data federations. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies. ACM, New York, NY, 173--182. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Libkin, L. 2003. Expressive power of SQL. Theor. Comput. Sci. 296, 379--404. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Luo, B., Lee, D., Lee, W.-C., and Liu, P. 2004. QFilter: Fine-grained run-time XML access control via NFA-based query rewriting. In Proceedings of the 13th ACM International Conference on Information and Knowledge Management. ACM, New York, NY, 543--552. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Melton, J. and Simon, A. R. 1993. Understanding the New SQL: A Complete Guide. Morgan-Kaufmann, San Francisco. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Miklau, G. and Suciu, D. 2003. Controlling access to published data using cryptography. In Proceedings of the 29th International Conference on Very Large Data Bases. VLDB Endowment, 898--909. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Moses, T. 2005. Extensible access control markup language (XACML) version 2.0. OASIS Standard. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.Google ScholarGoogle Scholar
  28. Oracle Corporation. 2005. Oracle 10g release 2 security. Oracle Corporation. http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_db_database_10gr2.pdf.Google ScholarGoogle Scholar
  29. Oracle Corporation. 2007. Oracle database 11g XML DB technical overview. http://www.oracle.com/technology/tech/xml/xmldb/Current/xmldb_11g_twp.pdf.Google ScholarGoogle Scholar
  30. Osborn, S., Sandhu, R., and Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3, 85--106. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Pal, S., Fussell, M., and Dolobowsky, I. 2005. XML support in Microsoft SQL Server 2005. http://msdn.microsoft.com/en-us/library/ms345117.aspx.Google ScholarGoogle Scholar
  32. Shanmugasundaram, J., Shekita, E., Barr, R., Carey, M., Lindsay, B., Pirahesh, H., and Reinwald, B. 2001. Efficiently publishing relational data as XML documents. VLDB J. 10, 133--154. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. van der Meyden, R. 1997. The complexity of querying indefinite data about linearly ordered domains. J. Comput. Syst. Sci. 54, 113--135. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations

          Recommendations

          Comments

          Login options

          Check if you have access through your login credentials or your institution to get full access on this article.

          Sign in

          Full Access

          • Published in

            cover image ACM Transactions on Information and System Security
            ACM Transactions on Information and System Security  Volume 14, Issue 3
            November 2011
            133 pages
            ISSN:1094-9224
            EISSN:1557-7406
            DOI:10.1145/2043621
            Issue’s Table of Contents

            Copyright © 2011 ACM

            Publisher

            Association for Computing Machinery

            New York, NY, United States

            Publication History

            • Published: 1 November 2011
            • Accepted: 1 June 2011
            • Revised: 1 February 2011
            • Received: 1 October 2010
            Published in tissec Volume 14, Issue 3

            Permissions

            Request permissions about this article.

            Request Permissions

            Check for updates

            Qualifiers

            • research-article
            • Research
            • Refereed

          PDF Format

          View or Download as a PDF file.

          PDF

          eReader

          View online with eReader.

          eReader
          About Cookies On This Site

          We use cookies to ensure that we give you the best experience on our website.

          Learn more

          Got it!