DOI: 10.1145/1007568.1007631

Extending query rewriting techniques for fine-grained access control

Published: 13 June 2004

ABSTRACT

Current day database applications, with large numbers of users, require fine-grained access control mechanisms, at the level of individual tuples, not just entire relations/views, to control which parts of the data can be accessed by each user. Fine-grained access control is often enforced in the application code, which has numerous drawbacks; these can be avoided by specifying/enforcing access control at the database level. We present a novel fine-grained access control model based on authorization views that allows "authorization-transparent" querying; that is, user queries can be phrased in terms of the database relations, and are valid if they can be answered using only the information contained in these authorization views. We extend earlier work on authorization-transparent querying by introducing a new notion of validity, conditional validity. We give a powerful set of inference rules to check for query validity. We demonstrate the practicality of our techniques by describing how an existing query optimizer can be extended to perform access control checks by incorporating these inference rules.

Published in

SIGMOD '04: Proceedings of the 2004 ACM SIGMOD international conference on Management of data
June 2004
988 pages
ISBN: 1581138598
DOI: 10.1145/1007568

Copyright © 2004 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 785 of 4,003 submissions, 20%
