Implementing reflective access control in SQL

Lars E. Olson; Carl A. Gunter; William R. Cook; Marianne Winslett

doi:10.1007/978-3-642-03007-9_2

Implementing reflective access control in SQL

Lars E. Olson, Carl A. Gunter, William R. Cook, Marianne Winslett

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.

Original language	English (US)
Title of host publication	Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings
Pages	17-32
Number of pages	16
DOIs	https://doi.org/10.1007/978-3-642-03007-9_2
State	Published - 2009
Event	23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security - Montreal, QC, Canada Duration: Jul 12 2009 → Jul 15 2009

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5645 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security
Country/Territory	Canada
City	Montreal, QC
Period	7/12/09 → 7/15/09

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Online availability

10.1007/978-3-642-03007-9_2

Library availability

Discover UIUC Full Text

Cite this

Olson, L. E., Gunter, C. A., Cook, W. R., & Winslett, M. (2009). Implementing reflective access control in SQL. In Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings (pp. 17-32). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5645 LNCS). https://doi.org/10.1007/978-3-642-03007-9_2

Implementing reflective access control in SQL. / Olson, Lars E.; Gunter, Carl A.; Cook, William R. et al.

Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. 2009. p. 17-32 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5645 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Olson, LE, Gunter, CA, Cook, WR & Winslett, M 2009, Implementing reflective access control in SQL. in Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5645 LNCS, pp. 17-32, 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Montreal, QC, Canada, 7/12/09. https://doi.org/10.1007/978-3-642-03007-9_2

Olson LE, Gunter CA, Cook WR, Winslett M. Implementing reflective access control in SQL. In Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings. 2009. p. 17-32. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-03007-9_2

@inproceedings{48f16c7437d64042a69db7fee949ef36,

title = "Implementing reflective access control in SQL",

abstract = "Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.",

author = "Olson, {Lars E.} and Gunter, {Carl A.} and Cook, {William R.} and Marianne Winslett",

year = "2009",

doi = "10.1007/978-3-642-03007-9_2",

language = "English (US)",

isbn = "3642030068",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "17--32",

booktitle = "Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings",

note = "23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security ; Conference date: 12-07-2009 Through 15-07-2009",

}

TY - GEN

T1 - Implementing reflective access control in SQL

AU - Olson, Lars E.

AU - Gunter, Carl A.

AU - Cook, William R.

AU - Winslett, Marianne

PY - 2009

Y1 - 2009

N2 - Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.

AB - Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.

UR - http://www.scopus.com/inward/record.url?scp=70350778358&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70350778358&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-03007-9_2

DO - 10.1007/978-3-642-03007-9_2

M3 - Conference contribution

AN - SCOPUS:70350778358

SN - 3642030068

SN - 9783642030062

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 17

EP - 32

BT - Data and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings

T2 - 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security

Y2 - 12 July 2009 through 15 July 2009

ER -

Implementing reflective access control in SQL

Abstract

Publication series

Other

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this