Implementing reflective access control in SQL

Lars E. Olson, Carl A. Gunter, William R. Cook, Marianne Winslett

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.

Original languageEnglish (US)
Title of host publicationData and Applications Security XXIII - 23rd Annual IFIP WG 11.3 Working Conference, Proceedings
Number of pages16
StatePublished - 2009
Event23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security - Montreal, QC, Canada
Duration: Jul 12 2009Jul 15 2009

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume5645 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security
CityMontreal, QC

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Implementing reflective access control in SQL'. Together they form a unique fingerprint.

Cite this