MyABDAC: Compiling XACML policies for attribute-based database access control

Sonia Jahid, Carl Gunter, Imranul Hoque, Hamed Okhravi

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Attribute-based Access Control (ABAC) based on XACML can substantially improve the security and management of access rights on databases. However, existing implementations rely on high-level policy interpretation and are not as efficient as mechanisms natively supported by commodity databases. In this paper we explore advantages and challenges arising from compiling XACML policies for database access into Access Control Lists (ACLs) natively supported by the database. The main contributions are an architecture and algorithms for efficiently addressing incremental changes in attributes that could trigger changes to the ACLs. We consider this in a context of reflective database access control where attributes used in access decisions are stored in the database itself. Our implementation and experiments demonstrate a significant improvement in access decision times compared to the best available optimizations for general XACML access engines.

Original languageEnglish (US)
Title of host publicationCODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy
Pages97-108
Number of pages12
DOIs
StatePublished - Mar 24 2011
Event1st ACM Conference on Data and Application Security and Privacy, CODASPY'11 - San Antonio, TX, United States
Duration: Feb 21 2011Feb 23 2011

Publication series

NameCODASPY'11 - Proceedings of the 1st ACM Conference on Data and Application Security and Privacy

Other

Other1st ACM Conference on Data and Application Security and Privacy, CODASPY'11
CountryUnited States
CitySan Antonio, TX
Period2/21/112/23/11

Keywords

  • Access control list
  • Attribute
  • Database
  • MySQL
  • XACML

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Fingerprint Dive into the research topics of 'MyABDAC: Compiling XACML policies for attribute-based database access control'. Together they form a unique fingerprint.

Cite this