ABSTRACT
Current day database applications, with large numbers of users, require fine-grained access control mechanisms, at the level of individual tuples, not just entire relations/views, to control which parts of the data can be accessed by each user. Fine-grained access control is often enforced in the application code, which has numerous drawbacks; these can be avoided by specifying/enforcing access control at the database level. We present a novel fine-grained access control model based on authorization views that allows "authorization-transparent" querying; that is, user queries can be phrased in terms of the database relations, and are valid if they can be answered using only the information contained in these authorization views. We extend earlier work on authorization-transparent querying by introducing a new notion of validity, conditional validity. We give a powerful set of inference rules to check for query validity. We demonstrate the practicality of our techniques by describing how an existing query optimizer can be extended to perform access control checks by incorporating these inference rules.
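A much-simplified sketch of the validity idea, as an added example that is not the paper's inference rules or code: for single-table queries with equality conditions, a query phrased against the base relation runs unchanged only if some authorization view already exposes every row and column it touches. The `grades` schema, the two views, the `$user_id` parameter and the function names are assumptions constructed for illustration, and the test is sufficient rather than complete.

```python
import sqlite3

# Constructed policy: view name -> (base table, exposed columns, row filter).
# "$user_id" is bound to the session user at check time.
AUTH_VIEWS = {
    "my_grades": ("grades", {"student_id", "course", "grade"}, {"student_id": "$user_id"}),
    "enrollment": ("grades", {"student_id", "course"}, {}),
}

def covering_view(query, user_id):
    """Return the name of an authorization view that can answer the query, or None.

    query = (table, selected columns, equality conditions). Sufficient test only:
    the query must imply the view's row filter and touch only exposed columns.
    """
    table, cols, conds = query
    for name, (vtable, vcols, vfilter) in AUTH_VIEWS.items():
        bound = {c: user_id if v == "$user_id" else v for c, v in vfilter.items()}
        implies_filter = all(conds.get(c) == v for c, v in bound.items())
        # Columns used in conditions count too: filtering on a hidden column leaks it.
        if vtable == table and implies_filter and set(cols) | set(conds) <= vcols:
            return name
    return None

def run(db, query, user_id):
    """Execute the query unchanged on the base relation if it is valid, else refuse."""
    if covering_view(query, user_id) is None:
        raise PermissionError("query needs information outside the authorization views")
    table, cols, conds = query
    # Identifiers were matched against the policy above; values are bound parameters.
    where = " AND ".join(f"{c} = ?" for c in conds) or "1"
    sql = f"SELECT {', '.join(cols)} FROM {table} WHERE {where} ORDER BY 1"
    return db.execute(sql, list(conds.values())).fetchall()

def demo():
    db = sqlite3.connect(":memory:")  # constructed sample data
    db.execute("CREATE TABLE grades (student_id TEXT, course TEXT, grade TEXT)")
    db.executemany("INSERT INTO grades VALUES (?, ?, ?)",
                   [("alice", "db", "A"), ("alice", "os", "B"), ("bob", "db", "C")])
    own = run(db, ("grades", ["course", "grade"], {"student_id": "alice"}), "alice")
    roster = run(db, ("grades", ["student_id"], {"course": "db"}), "alice")
    try:
        run(db, ("grades", ["grade"], {"student_id": "bob"}), "alice")
        leaked = True
    except PermissionError:
        leaked = False
    return own, roster, leaked

if __name__ == "__main__":
    print(demo())
```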
- Extending query rewriting techniques for fine-grained access control