
Authorization and Access Control for Different Database Models: Requirements and Current State of the Art

  • Conference paper
Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications (FDSE 2022)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1688)

Abstract

Traditional SQL-based data stores have been the market leaders for decades. However, they have drawbacks with today’s massive and highly connected data due to their low flexibility in terms of data structures. NoSQL database models (i.e., key-value, column, document, and graph) are designed for unstructured data in large quantities. However, they currently lack fine-grained dynamic security support, with respect to authorization and access control, in contrast to relational database management systems. We define advanced authorization and access control requirements which are applicable for any database model regardless of the application and access control scenario. According to our discussion on existing access control features versus the requirements in the context of each database model, we conclude whether the requirements are satisfied or not, and provide a corresponding overview.

Notes

  1. https://redis.io

  2. https://cassandra.apache.org

  3. https://docs.couchbase.com/server/current/rest-api/rbac.html

  4. https://www.mongodb.com/docs/manual/core/authorization

  5. https://db-engines.com/en/ranking/graph+dbms

Acknowledgement

The research reported in this paper has been partly supported by the LIT Secure and Correct Systems Lab funded by the State of Upper Austria. The work was also funded within the FFG BRIDGE project KnoP-2D (grant no. 871299).

Corresponding author

Correspondence to Aya Mohamed.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Mohamed, A., Auer, D., Hofer, D., Küng, J. (2022). Authorization and Access Control for Different Database Models: Requirements and Current State of the Art. In: Dang, T.K., Küng, J., Chung, T.M. (eds) Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications. FDSE 2022. Communications in Computer and Information Science, vol 1688. Springer, Singapore. https://doi.org/10.1007/978-981-19-8069-5_15

  • DOI: https://doi.org/10.1007/978-981-19-8069-5_15

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-19-8068-8

  • Online ISBN: 978-981-19-8069-5

  • eBook Packages: Computer Science (R0)
