Abstract
Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios. We then describe a practical algorithmic framework for translating relational access control policies into their XML equivalent, expressed in the eXtensible Access Control Markup Language. Finally, we examine the difficulty of minimizing translated policies, and contribute a minimization algorithm applicable to nonrecursive translated policies.
- Anderson, A. 2005. Hierarchical resource profile of XACML v2.0. OASIS standard. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf.Google Scholar
- Barbosa, D., Freire, J., and Mendelzon, A. O. 2005. Designing information-preserving mapping schemes for XML. In Proceedings of the 31st International Conference on Very Large Data Bases. VLDB Endowment, 109--120. Google Scholar
Digital Library
- Benedikt, M., Chan, C. Y., Fan, W., Rastogi, R., Zheng, S., and Zhou, A. 2002. DTD-directed publishing with attribute translation grammars. In Proceedings of the 28th International Conference on Very Large Data Bases. VLDB Endowment, 838--849. Google Scholar
Digital Library
- Bertino, E., Castano, S., and Ferreri, E. 2001. Securing XML documents with Author-X. IEEE Internet Comput. 5, 3, 21--31. Google Scholar
Digital Library
- Bertino, E., Carminati, B., and Ferrari, E. 2002. A temporal key management scheme for secure broadcasting of XML documents. In Proceedings of the 9th ACM Conference on Computer and Communications Security. ACM, New York, NY, 31--40. Google Scholar
Digital Library
- Boag, S., Chamberlin, D., Fernández, M. F., Florescu, D., Robie, J., and Siméon, J. 2007. XQuery 1.0: An XML query language. W3C Recommendation. http://www.w3.org/TR/xquery/.Google Scholar
- Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., and Yergeau, F. 2006. Extensible markup language (XML) 1.0 4th Ed. W3C Recommendation. http://www.w3.org/TR/2006/REC-xml-20060816/.Google Scholar
- Chandra, A. K. and Merlin, P. M. 1977. Optimal implementation of conjunctive queries in relational data bases. In Proceedings of the 9th Annual ACM Symposium on Theory of Computing. ACM, New York, NY, 77--90. Google Scholar
Digital Library
- Chekuri, C. and Rajaraman, A. 1997. Conjunctive query containment revisited. In Proceedings of the 6th International Conference on Database Theory. Springer-Verlag, 56--70. Google Scholar
Digital Library
- Crampton, J. 2004. Applying hierarchical and role-based access control to XML documents. In Proceedings of the ACM Workshop on Web Services. ACM, New York. Google Scholar
Digital Library
- Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., and Samarati, P. 2002. A fine-grained access control system for XML documents. ACM Trans. Info. Syst. Sec. 5, 169--202. Google Scholar
Digital Library
- Eastlake, D. and Reagle, J. 2002. XML encryption syntax and processing. W3C Recommendation. http://www.w3.org/TR/xmlenc-core/.Google Scholar
- Fagin, R. 1978. On an authorization mechanism. ACM Trans. Datab. Syst. 3, 310--319. Google Scholar
Digital Library
- Fan, W. 2007. XML publishing: Bridging theory and practice. In Database Programming Languages. Lecture Notes in Computer Science Series, vol. 4797. Springer Berlin, 1--16. Google Scholar
Digital Library
- Fan, W., Geerts, F., and Neven, F. 2008. Expressiveness and complexity of XML publishing transducers. ACM Trans. Datab. Syst. 33, 25, 1--25. Google Scholar
Digital Library
- Fernández, M., Kadiyska, Y., Suciu, D., Morishima, A., and Tan, W.-C. 2002. SilkRoute: A framework for publishing relational data in XML. ACM Trans. Datab. Syst. 27, 438--493. Google Scholar
Digital Library
- Ferraiolo, D. F., Kuhn, D. R., and Chandramouli, R. 2003. Role-Based Access Control. Computer Security Series. Artech House, Norwood, MA. Google Scholar
Digital Library
- Griffiths, P. P. and Wade, B. W. 1976. An authorization mechanism for a relational database system. ACM Trans. Datab. Syst. 1, 242--255. Google Scholar
Digital Library
- Hopcroft, J. E. 1971. An n log n algorithm for minimizing states in a finite automaton. In Theory of Machines and Computations, Z. Kohavi and A. Paz Eds., Academic Press, 189--196.Google Scholar
- IBM. 2008. Label-based access control (LBAC) overview. IBM. http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.admin.doc/doc/c0021114.htm.Google Scholar
- Kudo, M. and Hada, S. 2000. XML document security based on provisional authorization. In Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM, New York, NY, 87--96. Google Scholar
Digital Library
- Leighton, G. and Barbosa, D. 2010. Access control policy translation and verification within heterogeneous data federations. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies. ACM, New York, NY, 173--182. Google Scholar
Digital Library
- Libkin, L. 2003. Expressive power of SQL. Theor. Comput. Sci. 296, 379--404. Google Scholar
Digital Library
- Luo, B., Lee, D., Lee, W.-C., and Liu, P. 2004. QFilter: Fine-grained run-time XML access control via NFA-based query rewriting. In Proceedings of the 13th ACM International Conference on Information and Knowledge Management. ACM, New York, NY, 543--552. Google Scholar
Digital Library
- Melton, J. and Simon, A. R. 1993. Understanding the New SQL: A Complete Guide. Morgan-Kaufmann, San Francisco. Google Scholar
Digital Library
- Miklau, G. and Suciu, D. 2003. Controlling access to published data using cryptography. In Proceedings of the 29th International Conference on Very Large Data Bases. VLDB Endowment, 898--909. Google Scholar
Digital Library
- Moses, T. 2005. Extensible access control markup language (XACML) version 2.0. OASIS Standard. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.Google Scholar
- Oracle Corporation. 2005. Oracle 10g release 2 security. Oracle Corporation. http://www.oracle.com/technology/deploy/security/database-security/pdf/twp_security_db_database_10gr2.pdf.Google Scholar
- Oracle Corporation. 2007. Oracle database 11g XML DB technical overview. http://www.oracle.com/technology/tech/xml/xmldb/Current/xmldb_11g_twp.pdf.Google Scholar
- Osborn, S., Sandhu, R., and Munawer, Q. 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3, 85--106. Google Scholar
Digital Library
- Pal, S., Fussell, M., and Dolobowsky, I. 2005. XML support in Microsoft SQL Server 2005. http://msdn.microsoft.com/en-us/library/ms345117.aspx.Google Scholar
- Shanmugasundaram, J., Shekita, E., Barr, R., Carey, M., Lindsay, B., Pirahesh, H., and Reinwald, B. 2001. Efficiently publishing relational data as XML documents. VLDB J. 10, 133--154. Google Scholar
Digital Library
- van der Meyden, R. 1997. The complexity of querying indefinite data about linearly ordered domains. J. Comput. Syst. Sci. 54, 113--135. Google Scholar
Digital Library
Index Terms
Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations
Recommendations
Access control policy translation and verification within heterogeneous data federations
SACMAT '10: Proceedings of the 15th ACM symposium on Access control models and technologiesData federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies ...
Entity-Based Access Control: supporting more expressive access control policies
ACSAC '15: Proceedings of the 31st Annual Computer Security Applications ConferenceAccess control is an important part of security that restricts the actions that users can perform on resources. Policy models specify how these restrictions are formulated in policies. Over the last decades, we have seen several such models, including ...
Attribute Expressions, Policy Tables and Attribute-Based Access Control
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and TechnologiesAttribute-based access control (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure, where leaf nodes ...






Comments