MyABDAC: Compiling XACML policies for attribute-based database access control

Sonia Jahid; Carl Gunter; Imranul Hoque; Hamed Okhravi

doi:10.1145/1943513.1943528

MyABDAC: Compiling XACML policies for attribute-based database access control

Sonia Jahid, Carl Gunter, Imranul Hoque, Hamed Okhravi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.

Original language	English (US)
Title of host publication	CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy
Pages	97-108
Number of pages	12
DOIs	https://doi.org/10.1145/1943513.1943528
State	Published - 2011
Event	1st ACM Conference on Data and Application Security and Privacy, CODASPY'11 - San Antonio, TX, United States Duration: Feb 21 2011 → Feb 23 2011

Publication series

Name	CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy

Other

Other	1st ACM Conference on Data and Application Security and Privacy, CODASPY'11
Country/Territory	United States
City	San Antonio, TX
Period	2/21/11 → 2/23/11

Keywords

Access control list
Attribute
Database
MySQL
XACML

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications

Online availability

10.1145/1943513.1943528

Library availability

Discover UIUC Full Text

Cite this

Jahid, S., Gunter, C., Hoque, I., & Okhravi, H. (2011). MyABDAC: Compiling XACML policies for attribute-based database access control. In CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy (pp. 97-108). (CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy). https://doi.org/10.1145/1943513.1943528

MyABDAC: Compiling XACML policies for attribute-based database access control. / Jahid, Sonia; Gunter, Carl; Hoque, Imranul et al.
CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy. 2011. p. 97-108 (CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jahid, S, Gunter, C, Hoque, I & Okhravi, H 2011, MyABDAC: Compiling XACML policies for attribute-based database access control. in CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy. CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy, pp. 97-108, 1st ACM Conference on Data and Application Security and Privacy, CODASPY'11, San Antonio, TX, United States, 2/21/11. https://doi.org/10.1145/1943513.1943528

@inproceedings{bb5301d76a274bb9b5d8a3432a1dcdd4,

title = "MyABDAC: Compiling XACML policies for attribute-based database access control",

abstract = "Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.",

keywords = "Access control list, Attribute, Database, MySQL, XACML",

author = "Sonia Jahid and Carl Gunter and Imranul Hoque and Hamed Okhravi",

year = "2011",

doi = "10.1145/1943513.1943528",

language = "English (US)",

isbn = "9781450304665",

series = "CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy",

pages = "97--108",

booktitle = "CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy",

note = "1st ACM Conference on Data and Application Security and Privacy, CODASPY'11 ; Conference date: 21-02-2011 Through 23-02-2011",

}

TY - GEN

T1 - MyABDAC

T2 - 1st ACM Conference on Data and Application Security and Privacy, CODASPY'11

AU - Jahid, Sonia

AU - Gunter, Carl

AU - Hoque, Imranul

AU - Okhravi, Hamed

PY - 2011

Y1 - 2011

N2 - Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.

AB - Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.

KW - Access control list

KW - Attribute

KW - Database

KW - MySQL

KW - XACML

UR - http://www.scopus.com/inward/record.url?scp=79952813395&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79952813395&partnerID=8YFLogxK

U2 - 10.1145/1943513.1943528

DO - 10.1145/1943513.1943528

M3 - Conference contribution

AN - SCOPUS:79952813395

SN - 9781450304665

T3 - CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy

SP - 97

EP - 108

BT - CODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy

Y2 - 21 February 2011 through 23 February 2011

ER -

MyABDAC: Compiling XACML policies for attribute-based database access control

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this