Efficient Authorization of Graph-database Queries in an Attribute-supporting ReBAC Model

Abstract
Neo4j is a popular graph database that ships in two editions: an enterprise edition and a community edition. The enterprise edition offers customizable role-based access control through custom-developed procedures, while the community edition offers no access control support at all. Being a graph database, Neo4j is a natural fit for Relationship-Based Access Control (ReBAC), an access control paradigm in which authorization decisions are based on the relationships between subjects and resources in the system (i.e., an authorization graph). In this article, we present AReBAC, an attribute-supporting ReBAC model for Neo4j that provides finer-grained access control by protecting resources rather than procedures. AReBAC employs Nano-Cypher, a declarative policy language based on Neo4j's Cypher query language, which allows us to weave database queries together with access control policies and evaluate both simultaneously. Evaluating the combined query and policy produces a result that (i) matches the search criteria, and (ii) the requesting subject is authorized to access. AReBAC is accompanied by the algorithms, and their implementation, required to realize these ideas, including GP-Eval, a query evaluation algorithm. We also introduce Live-End Backjumping (LBJ), a backtracking scheme that provides a significant performance boost over conflict-directed backjumping when evaluating queries. As demonstrated in our previous work, the original version of GP-Eval already performs significantly faster than Neo4j's Cypher evaluation engine. The optimized version of GP-Eval, which employs LBJ, improves performance significantly further, demonstrating the capabilities of the technique.
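The weaving of query and policy that the abstract describes, as an added example that is not the paper's code: a constructed property graph, a query pattern and a policy pattern (written as Python data rather than in Nano-Cypher) are combined into one pattern and evaluated once by backtracking search with conflict-directed backjumping (Prosser 1993), the baseline the abstract names. The node and attribute names, the `weave`, `evaluate_pattern` and `authorized_query` functions and the `checks` counter are assumptions made for this illustration; the paper's own GP-Eval and Live-End Backjumping are not reproduced here.

```python
from collections import namedtuple

# Constructed property graph (not real data): node id -> attributes incl. label;
# edges are (source, relationship type, target) triples.
NODES = {"alice": {"label": "Doctor", "active": True},
         "bob": {"label": "Doctor", "active": False},
         "carol": {"label": "Doctor", "active": True},
         "p1": {"label": "Patient"}, "p2": {"label": "Patient"},
         "r1": {"label": "Record", "kind": "lab"},
         "r2": {"label": "Record", "kind": "lab"},
         "r3": {"label": "Record", "kind": "note"}}
EDGES = {("alice", "TREATS", "p1"), ("bob", "TREATS", "p2"),
         ("p1", "HAS_RECORD", "r1"), ("p1", "HAS_RECORD", "r3"),
         ("p2", "HAS_RECORD", "r2")}

# A graph pattern: variable -> label, edge constraints, attribute predicates
# on variables, and pre-bound variables (assumed representation).
Pattern = namedtuple("Pattern", "vars edges preds bound")

# Query: MATCH (p:Patient)-[:HAS_RECORD]->(r:Record) WHERE r.kind = 'lab'
QUERY = Pattern({"p": "Patient", "r": "Record"}, [("p", "HAS_RECORD", "r")],
                [("r", lambda a: a.get("kind") == "lab")], {})
# Policy: an active doctor may read the records of patients they treat;
# 'self' is the requester, 'res' the resource the query returns.
POLICY = Pattern({"self": "Doctor", "pat": "Patient", "res": "Record"},
                 [("self", "TREATS", "pat"), ("pat", "HAS_RECORD", "res")],
                 [("self", lambda a: a.get("active", False))], {})

def weave(query, policy, protect, requester):
    """Union of both patterns: the policy's 'res' becomes the protected
    query variable and 'self' is bound to the requesting subject."""
    ren = lambda v: protect if v == "res" else v
    vs = dict(query.vars, **{v: l for v, l in policy.vars.items() if v != "res"})
    es = list(query.edges) + [(ren(u), t, ren(w)) for u, t, w in policy.edges]
    ps = list(query.preds) + [(ren(v), f) for v, f in policy.preds]
    return Pattern(vs, es, ps, dict(query.bound, self=requester))

def evaluate_pattern(pat, nodes, edges, stats=None):
    """All embeddings of pat, by backtracking with conflict-directed backjumping.
    Bound variables go first so policy constraints prune early; stats counts checks."""
    stats = stats if stats is not None else {"checks": 0}
    order = list(pat.bound) + [v for v in pat.vars if v not in pat.bound]
    level = {v: i for i, v in enumerate(order)}
    def domain(i):                      # candidate nodes for order[i]
        v, lab = order[i], pat.vars[order[i]]
        if v in pat.bound:
            b = pat.bound[v]
            return [b] if nodes.get(b, {}).get("label") == lab else []
        return [nid for nid, a in nodes.items() if a["label"] == lab]
    def conflict(i, asg):
        """Level of an earlier variable contradicting asg[order[i]];
        i itself when a unary predicate fails; None when consistent."""
        v = order[i]
        for var, f in pat.preds:
            if var == v:
                stats["checks"] += 1
                if not f(nodes[asg[v]]):
                    return i
        for u, t, w in pat.edges:
            if v in (u, w) and u in asg and w in asg:
                stats["checks"] += 1
                if (asg[u], t, asg[w]) not in edges:
                    return level[w if u == v else u]
        return None

    n, asg, results = len(order), {}, []
    doms, conf = [None] * n, [set() for _ in range(n)]
    i, doms[0] = 0, domain(0)
    while i >= 0:
        while doms[i]:                          # label level i
            asg[order[i]] = doms[i][0]
            c = conflict(i, asg)
            if c is None: break
            if c < i: conf[i].add(c)            # remember who rejected the value
            doms[i].pop(0)
        if doms[i] and i < n - 1:               # consistent: go deeper
            i += 1
            doms[i], conf[i] = domain(i), set()
            continue
        if doms[i]:                             # complete embedding found
            results.append(dict(asg))
            conf[i] |= set(range(i))            # all-solutions CBJ: never skip
            doms[i].pop(0)
            if doms[i]: continue
        asg.pop(order[i], None)                 # level exhausted: backjump
        if not conf[i]: break
        h = max(conf[i])
        conf[h] |= conf[i] - {h}
        for k in range(h + 1, i):
            asg.pop(order[k], None)
        doms[h].pop(0)
        i = h
    return results

def authorized_query(query, policy, protect, requester, nodes=NODES, edges=EDGES):
    """Rows matching the query that the requester may access, projected
    onto the query's own variables (policy-only variables are dropped)."""
    seen, rows = set(), []
    for b in evaluate_pattern(weave(query, policy, protect, requester), nodes, edges):
        row = tuple((v, b[v]) for v in query.vars)
        if row not in seen:
            seen.add(row)
            rows.append(dict(row))
    return rows
```

Evaluating the woven pattern makes the policy part of the search rather than a filter applied afterwards: `authorized_query(QUERY, POLICY, "r", "alice")` returns only the lab record of the patient alice treats, bob gets nothing because his `active` attribute fails the policy's unary predicate at the very first level, and for carol (no `TREATS` edge) the exhausted `pat` level jumps straight back to the requester's level instead of re-trying every remaining patient and record combination, which is the kind of saving the backjumping schemes in the abstract are about.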