On Fine-Grained Access Control for XML

Zhuo, Donghui

January 2003

Fine-grained access control for XML is about controlling access to XML documents at the granularity of individual elements or attributes. This thesis addresses two problems related to XML access controls. The first is efficient, secure evaluation of XPath expressions. We present a technique that secures path expressions by means of query modification, and we show that the query modification algorithm is correct under a language-independent semantics for secure query evaluation. The second problem is to provide a compact, yet useful, representation of the access matrix. Since determining a user's privilege directly from access control policies can be extremely inefficient, materializing the access matrix---the net effect of the access control policies---is a common approach to speed up the authorization decision making. The fine-grained nature of XML access controls, however, makes the space cost of matrix materialization a significant issue. We present a codebook-based technique that records access matrices compactly. Our experimental study shows that the codebook approach exhibits significant space savings over other storage schemes, such as the access control list and the compressed accessibility map. The solutions to the above two problems provide a foundation for the development of an efficient mechanism that enforces fine-grained access controls for XML databases in the cases of query access.

Computer Science

access control

XML

fine-grained

security

access matrix

On Fine-Grained Access Control for XML

Zhuo, Donghui

January 2003

Fine-grained access control for XML is about controlling access to XML documents at the granularity of individual elements or attributes. This thesis addresses two problems related to XML access controls. The first is efficient, secure evaluation of XPath expressions. We present a technique that secures path expressions by means of query modification, and we show that the query modification algorithm is correct under a language-independent semantics for secure query evaluation. The second problem is to provide a compact, yet useful, representation of the access matrix. Since determining a user's privilege directly from access control policies can be extremely inefficient, materializing the access matrix---the net effect of the access control policies---is a common approach to speed up the authorization decision making. The fine-grained nature of XML access controls, however, makes the space cost of matrix materialization a significant issue. We present a codebook-based technique that records access matrices compactly. Our experimental study shows that the codebook approach exhibits significant space savings over other storage schemes, such as the access control list and the compressed accessibility map. The solutions to the above two problems provide a foundation for the development of an efficient mechanism that enforces fine-grained access controls for XML databases in the cases of query access.

Computer Science

access control

XML

fine-grained

security

access matrix

A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its Validation

Komlenovic, Marko

14 January 2011

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.

Role Based Access Control

Distributed Access Enforcement in RBAC

RBAC

CPOL

Access Matrix

Directed Graph

Reference monitor

Access control policy

Electrical and Computer Engineering

A Platform for Assessing the Efficiency of Distributed Access Enforcement in Role Based Access Control (RBAC) and its Validation

Komlenovic, Marko

14 January 2011

We consider the distributed access enforcement problem for Role-Based Access Control (RBAC) systems. Such enforcement has become important with RBAC's increasing adoption, and the proliferation of data that needs to be protected. We provide a platform for assessing candidates for access enforcement in a distributed architecture for enforcement. The platform provides the ability to encode data structures and algorithms for enforcement, and to measure time-, space- and administrative efficiency. To validate our platform, we use it to compare the state of the art in enforcement, CPOL [6], with two other approaches, the directed graph and the access matrix [9, 10]. We consider encodings of RBAC sessions in each, and propose and justify a benchmark for the assessment. We conclude with the somewhat surprising observation that CPOL is not necessarily the most efficient approach for access enforcement in distributed RBAC deployments.

Role Based Access Control

Distributed Access Enforcement in RBAC

RBAC

CPOL

Access Matrix

Directed Graph

Reference monitor

Access control policy

Electrical and Computer Engineering