
Specifying and enforcing access control policies for XML document sources

World Wide Web

Abstract

The Web is becoming the main information dissemination means in private and public organizations. As a consequence, several applications at both internet and intranet level need mechanisms to support a selective access to data available over the Web. In this context, developing an access control model, and related mechanisms, in terms of XML (eXtensible Markup Language) is an important step, because XML is increasingly used as the language for representing information exchanged over the Web. In this paper, we propose access control policies and an associated model for XML documents, addressing peculiar protection requirements posed by XML. A first requirement is that varying protection granularity levels should be supported to guarantee a differentiated protection of document contents. A second requirement arises from the fact that XML documents do not always conform to a predefined document type. To cope with these requirements, the proposed model supports varying protection granularity levels, ranging from a set of documents, to a single document or specific document portion(s). Moreover, it allows the Security Administrator to choose different policies for documents not covered or only partially covered by the existing access control policies for document types. An access control mechanism for the enforcement of the proposed model is finally described.
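The sketch below is an added illustration of the two requirements the abstract names; it is not the paper's model or code. It shows grants at three granularities (a document type, one document, a document portion) and an administrator-chosen fallback for documents that no policy covers. The `Policy` fields, `build_view`, the use of the root tag as a stand-in for the document type, and the sample data are all assumptions; partially covered documents are handled here by simply denying unmatched portions.

```python
import copy
import xml.etree.ElementTree as ET
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    subject: str  # who the grant is for
    scope: str    # "doctype" = every document of that type, "document" = one document
    target: str   # document type name, or document id
    path: str     # "." = whole document, else an ElementTree path to a portion

def build_view(doc_id, root, subject, policies, uncovered="deny"):
    """Return a pruned copy of root with only what subject may read, else None."""
    root = copy.deepcopy(root)
    # Assumption: the root tag stands in for the document type (DTD).
    scopes = {("doctype", root.tag), ("document", doc_id)}
    applicable = [p for p in policies if (p.scope, p.target) in scopes]
    if not applicable:
        # No policy covers this document: the administrator-chosen fallback decides.
        return root if uncovered == "allow" else None
    granted = set()
    for p in applicable:
        if p.subject == subject:
            for el in ([root] if p.path == "." else root.findall(p.path)):
                granted.update(id(e) for e in el.iter())  # grant covers the subtree

    def prune(el):
        for child in list(el):
            if id(child) in granted:
                continue
            prune(child)
            if len(child) == 0:
                el.remove(child)       # nothing readable beneath: drop it
            else:
                child.text = None      # kept only as a container for granted parts
                child.attrib.clear()

    if id(root) not in granted:
        prune(root)
        if len(root) == 0:
            return None
        root.text, root.attrib = None, {}
    return root

def render(view):
    return None if view is None else ET.tostring(view, encoding="unicode")

# Constructed sample policies and documents (not from the paper).
POLICIES = [Policy("nurse", "doctype", "record", "./patient/name"),
            Policy("doctor", "doctype", "record", "."),
            Policy("auditor", "document", "r2", "./billing")]
RECORD = ET.fromstring("<record><patient><name>Ann</name><diagnosis>flu</diagnosis>"
                       "</patient><billing>120</billing></record>")
MEMO = ET.fromstring("<memo><body>lunch at noon</body></memo>")
```

Ancestors of a granted portion are kept as empty containers so the view stays a well-formed tree, while their own text and attributes are withheld.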




Cite this article

Bertino, E., Castano, S., Ferrari, E. et al. Specifying and enforcing access control policies for XML document sources. World Wide Web 3, 139–151 (2000). https://doi.org/10.1023/A:1019289831564


  • DOI: https://doi.org/10.1023/A:1019289831564
