Authorization Translation for XML Document Transformation

XML access control models proposed in the literature enforce access restrictions directly on the structure and content of an XML document. Therefore access authorization rules (authorizations, for short), which specify access rights of users on information within an XML document, must be revised if they do not match with changed structure of the XML document. In this paper, we present two authorization translation problems. The first is a problem of translating instance-level authorizations for an XML document. The second is a problem of translating schema-level authorizations for a collection of XML documents conforming to a DTD. For the first problem, we propose an algorithm that translates instance-level authorizations of a source XML document into those for a transformed XML document by using instance-tree mapping from the transformed document instance to the source document instance. For the second problem, we propose an algorithm that translates value-independent schema-level authorizations of non-recursive source DTD into those for a non-recursive target DTD by using schema-tree mapping from the target DTD to the source DTD. The goal of authorization translation is to preserve authorization equivalence at instance node level of the source document. The XML access control models use path expressions of XPath to locate data in XML documents. We define property of the path expressions (called node-reducible path expressions) that we can transform schema-level authorizations of value-independent type by schema-tree mapping. To compute authorizations on instances of schema elements of the target DTD, we need to identify the schema elements whose instances are located by a node-reducible path expression of a value-independent schema-level authorization. We give an algorithm that carries out path fragment containment test to identify the schema elements whose instances are located by a node-reducible path expression.

[1]  Yahiko Kambayashi,et al.  Translating Access Authorizations for Transformed XML Documents , 2002, DEXA.

[2]  Elke A. Rundensteiner,et al.  Automating the transformation of XML documents , 2001, WIDM '01.

[3]  Jim Melton,et al.  XML schema , 2003, SGMD.

[4]  Ernesto Damiani,et al.  Securing XML Documents , 2000, EDBT.

[5]  Steven J. DeRose,et al.  XML Path Language (XPath) , 1999 .

[6]  Markus Greunz,et al.  Integrating e-government infrastructures through secure XML document containers , 2001, Proceedings of the 34th Annual Hawaii International Conference on System Sciences.

[7]  Jeffrey D. Ullman,et al.  Principles of Database and Knowledge-Base Systems, Volume II , 1988, Principles of computer science series.

[8]  C. Michael Sperberg-McQueen,et al.  Extensible Markup Language (XML) Version 1.0 , 2000 .

[9]  Elisa Bertino,et al.  Specifying and enforcing access control policies for XML document sources , 2004, World Wide Web.

[10]  Donald E. Eastlake,et al.  XML-Signature Syntax and Processing , 2001, RFC.

[11]  Tova Milo,et al.  Using Schema Matching to Simplify Heterogeneous Data Translation , 1998, VLDB.

[12]  D. Eastlake,et al.  XML Encryption Syntax and Processing , 2003 .

[13]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.

[14]  Erhard Rahm,et al.  Generic Schema Matching with Cupid , 2001, VLDB.

[15]  Jeffrey D. Ullman,et al.  Principles Of Database And Knowledge-Base Systems , 1979 .

[16]  Steven J. DeRose,et al.  XML Path Language (XPath) Version 1.0 , 1999 .

[17]  Dan Suciu,et al.  Containment and equivalence for an XPath fragment , 2002, PODS.

[18]  Michiharu Kudo,et al.  XML document security based on provisional authorization , 2000, CCS.

[19]  Alban Gabillon,et al.  Regulating Access to XML documents , 2001, DBSec.

[20]  James Clark,et al.  XSL Transformations (XSLT) Version 1.0 , 1999 .