A fine-grained access control model for relational databases

Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy-preserving and Internet-based applications. Although much work on FGAC models has been done, a number of problems remain open. We propose a new FGAC model that supports the specification of both open and closed access control policies in relational databases. Negative authorization is supported, which allows the security administrator to specify what data must not be accessed by certain users. Moreover, multiple policies that jointly regulate user access are also supported; we therefore give the definition of multiple policies and an algorithm for combining them. Finally, we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance. The performance results show that the proposed model is feasible.
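As an added illustration (not code from the paper, whose exact policy syntax and combination algorithm are not given on this page), the following Python sketches an FGAC evaluator with the three features the abstract names: open and closed policies, negative authorization, and the combination of several policies. The precedence of denials over permits and the "every policy must allow the row" combination rule are assumptions chosen for the example; the patients table, the `Rule`/`Policy` classes, the policy names and the user context are all constructed. The example also shows enforcement by query rewriting (the policy guard is appended to the `WHERE` clause and run in SQLite) and checks that the rewritten query returns exactly the rows the row-by-row evaluation allows.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Row = Dict[str, object]
User = Dict[str, object]


@dataclass
class Rule:
    """One authorization rule: a Python predicate plus the equivalent SQL fragment.
    Named parameters in the SQL (e.g. :uid, :role) are bound from the user context."""
    py: Callable[[Row, User], bool]
    sql: str


@dataclass
class Policy:
    name: str
    mode: str                         # "open": visible unless denied; "closed": hidden unless permitted
    permits: List[Rule] = field(default_factory=list)
    denies: List[Rule] = field(default_factory=list)

    def allows(self, row: Row, user: User) -> bool:
        # Assumed semantics: a negative authorization always overrides a positive one.
        if any(r.py(row, user) for r in self.denies):
            return False
        if any(r.py(row, user) for r in self.permits):
            return True
        return self.mode == "open"    # no rule fired: fall back to the policy default

    def to_sql(self) -> str:
        # The same decision as allows(), expressed as a SQL guard for query rewriting.
        deny = " OR ".join(f"({r.sql})" for r in self.denies) or "0"
        permit = " OR ".join(f"({r.sql})" for r in self.permits) or "0"
        default = "1" if self.mode == "open" else "0"
        return f"(NOT ({deny}) AND (({permit}) OR {default}))"


def combine(policies: List[Policy], row: Row, user: User) -> bool:
    # Assumed combination rule: every applicable policy must allow the row.
    return all(p.allows(row, user) for p in policies)


def rewrite_query(table: str, policies: List[Policy]) -> str:
    # Classic query-modification enforcement: conjoin every policy guard into WHERE.
    guard = " AND ".join(p.to_sql() for p in policies) or "1"
    return f"SELECT * FROM {table} WHERE {guard}"


# Constructed sample table (hypothetical clinic data).
ROWS: List[Row] = [
    {"id": 1, "name": "Ann", "doctor_id": 7, "diagnosis": "flu", "opt_out": 0},
    {"id": 2, "name": "Bob", "doctor_id": 7, "diagnosis": "hiv", "opt_out": 1},
    {"id": 3, "name": "Cy", "doctor_id": 9, "diagnosis": "flu", "opt_out": 0},
    {"id": 4, "name": "Di", "doctor_id": 9, "diagnosis": "asthma", "opt_out": 1},
]

POLICIES = [
    # Closed policy: a doctor sees only their own patients (positive authorization).
    Policy("own_patients", "closed",
           permits=[Rule(lambda r, u: r["doctor_id"] == u["uid"], "doctor_id = :uid")]),
    # Open policy with a negative authorization: opted-out patients are hidden
    # from everyone except administrators.
    Policy("opt_out", "open",
           denies=[Rule(lambda r, u: r["opt_out"] == 1 and u["role"] != "admin",
                        "opt_out = 1 AND :role <> 'admin'")]),
]


def visible_ids_python(user: User) -> List[int]:
    """Reference semantics: evaluate the combined policies row by row."""
    return sorted(r["id"] for r in ROWS if combine(POLICIES, r, user))


def visible_ids_sql(user: User) -> List[int]:
    """Enforcement path: run the rewritten query against an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, name TEXT, doctor_id INTEGER, "
                 "diagnosis TEXT, opt_out INTEGER)")
    conn.executemany("INSERT INTO patients VALUES (:id, :name, :doctor_id, :diagnosis, :opt_out)", ROWS)
    cur = conn.execute(rewrite_query("patients", POLICIES), user)
    return sorted(r[0] for r in cur.fetchall())


if __name__ == "__main__":
    doctor = {"uid": 7, "role": "doctor"}
    print(rewrite_query("patients", POLICIES))
    print(visible_ids_python(doctor), visible_ids_sql(doctor))
```

Keeping a rule in both a predicate form and a SQL form is only for the demonstration; a DBMS component would derive the guard from a single policy catalogue. Comparing the two paths is nonetheless a useful regression check: if a change to the rewriting engine (or to the precedence rule between permits and denials) makes the rewritten query return a row the reference evaluation hides, that is a disclosure bug in the enforcement layer.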
