DOI: 10.1145/3487664.3487789
Research article

Extended XACML Language and Architecture for Access Control in Graph-structured Data

Published: 30 December 2021

Abstract

The rapidly increasing use of graph databases for a wide variety of applications demands flexible authorization and fine-grained access control, not only at the level of attributes associated with the basic entities (i.e., accessing subject, requested resource, performed action, and environmental conditions) but also at the level of the vertices and edges along a particular access path. We present a solution for authorization policy specification and enforcement in a graph database that applies fine-grained, path-specific constraints to graph-structured data. To this end, we extend the well-established declarative policy definition language eXtensible Access Control Markup Language (XACML) and its architecture to describe path patterns and to enforce the resulting policies using the standard functional components of XACML. Our approach, XACML for Graph-structured data (XACML4G), defines an extended XACML grammar for both the authorization policy and the access request. To enforce XACML4G policies, we rely on the extensibility points of the XACML architecture and add proprietary extensions. We show the significance of our approach by means of a demonstration prototype in the university domain. Finally, we provide an initial evaluation of the expressiveness and performance of XACML4G with regard to XACML.

Cited By

  • (2023) A systematic literature review of authorization and access control requirements and current state of the art for different database models. International Journal of Web Information Systems 20:1, 1–23. https://doi.org/10.1108/IJWIS-04-2023-0072. Online publication date: 9 Oct 2023.

Published In

iiWAS2021: The 23rd International Conference on Information Integration and Web Intelligence, November 2021, 658 pages
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Access Control
  2. Authorization Policy
  3. Graph Database
  4. Graph-structured Data
  5. XACML
  6. XACML4G

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Austrian Research Promotion Agency (FFG)

Conference

iiWAS2021
