Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations

Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios. We then describe a practical algorithmic framework for translating relational access control policies into their XML equivalent, expressed in the eXtensible Access Control Markup Language. Finally, we examine the difficulty of minimizing translated policies, and contribute a minimization algorithm applicable to nonrecursive translated policies.
