Implementing Reflective Access Control in SQL

Authors:
Lars E. Olson;Carl A. Gunter;William R. Cook;Marianne Winslett
Affiliations:
University of Illinois at Urbana-Champaign,;University of Illinois at Urbana-Champaign,;University of Texas,;University of Illinois at Urbana-Champaign,
Venue:
Proceedings of the 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security XXIII
Year:
2009

Citing 9
Cited 3

Principles of database and knowledge-base systems, Vol. I

Principles of database and knowledge-base systems, Vol. I
Data functions, datalog and negation

SIGMOD '88 Proceedings of the 1988 ACM SIGMOD international conference on Management of data
Efficient Database Access from Prolog

IEEE Transactions on Software Engineering
A method for specializing logic programs

ACM Transactions on Programming Languages and Systems (TOPLAS)
Static Analysis of Logical Languages with Deferred Update Semantics

IEEE Transactions on Knowledge and Data Engineering
Translation and Optimization of Logic Queries: The Algebraic Approach

VLDB '86 Proceedings of the 12th International Conference on Very Large Data Bases
Redundancy and information leakage in fine-grained access control

Proceedings of the 2006 ACM SIGMOD international conference on Management of data
A formal framework for reflective database access control policies

Proceedings of the 15th ACM conference on Computer and communications security
CodeQuest: scalable source code queries with datalog

ECOOP'06 Proceedings of the 20th European conference on Object-Oriented Programming

Effectively and efficiently selecting access control rules on materialized views over relational databases

Proceedings of the Fourteenth International Database Engineering & Applications Symposium
Inheriting access control rules from large relational databases to materialized views automatically

KES'10 Proceedings of the 14th international conference on Knowledge-based and intelligent information and engineering systems: Part III
MyABDAC: compiling XACML policies for attribute-based database access control

Proceedings of the first ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.