Fine Grained Access Control in XML DataBase Systems Naveen Yajamanam April 27,2006

References • QFilter:Fine-Grained Run-Time XML Access control via NFA-based Query rewriting Bo luo,D.Lee,Wang-chienLee,P.Lee

• XML Access control using static Analysis Murata ,Tozawa,Kudo

Introduction • XML has emerged as the language to exchange data over web.

• XML provides for fine granularity of information retrieval because the elements of an XML document can be retrieved by XML queries directly and independently.

• Fine granularity requires mechanisms to control the access at varying levels of the document.

• XML Access control ensures only authorised users can access only authorised portion of XML data.

Concrete view of XML

QFILTER

XML ACCESS CONTROL MECHANISMS

Different Evaluation Plans • No access control • Primitive • Pre-processing • Post-Processing

Primitive Approach

Primitive Approach (cont’d)

Post Processing Approach • Intermediate answers are calculated as usual • Then, ACR prunes out unsafe data.

• Suitable when ACR and data are stored separately in some distributed environment • Can be implemented by XML data filtering package(YFilter)

Pre-Processing Approach • Primitive Approach satisfies two goals Non-view based Independent on underlying XML engine • But, rewritten-query Q’ is not the most efficient one

Pre-Processing-QFilter • • QFilter reads as input query Q,Acces control rules ACR,schema S,then returns a modified query Q’ as output: Q’=QFilter(Q,ACR,S) QFilter has three types of operations: 1.Accept:Q’=Q 2.Deny:Q’={ } 3.Rewrite

QFilter Construction • QFilter captures ACR as NFA(Non deterministic Finite Automata).

• Given Q ,quickly determine if it is Accepted,Denied,Rewrited.

QFilter Construction consider following XPath expressions

State Transition Map

NFA

Q:/site/categories/NW/item

Q:/site/top//item

Q:/site/*/person/name

QFilter with predicate handling

Q:/site/regions/*/item[quantity]/name Q’:/site/regions/*/item[quantity] [description]/name

QFilter performance

QFilter performance

Experimental results • Efficient in terms of query execution time • Scalable to the number of access control rules specified in the system.

STATIC ANALYSIS

INTRODUCTION • Static Analysis is performed at compile time(when query expression is created rather than each time it is evaluated).

• Run-time checking is required only when static analysis is unable to grant or deny access requests without examining the actual databases.

• Key Idea: To use automata for representing and comparing queries, access control policies and schemas.

Introduction(conti…) Static Analysis has Two Phases: First Phase:-We create query automata access control automata,schema automata.

Second phase:-We compare these Automata While applying the rules .

Introduction(cont’d) • Schema :Schema is a description of permissible XML documents.

A schema is a 5-tuple G=(N, ∑E, ,∑A,S,P) N is a finite set of non-terminals ∑E is a finite set of element names ∑A is a finite set of attribute names S is a subset of ∑E X N, P is a set of production rules X->r.A where X Є N, r is a regular expression over ∑E XN A is a subset of ∑A .

Schema G1=

Syntax of Access control policy • Ex : Role: Docter +R,/record Role: Intern +R, /record -R, //comment

Static Analysis • Static Analysis has four steps: 1) creating schema automata from schemas 2)creating access control automata from access control policies 3)creating query automata from XQuery queries 4)comparison of schema automata ,query automata, and access control automata.

Framework of the Analysis

Creating schema Automata

Schema G1=

Schema Automata for this schema is

This Automata Accepts the following paths

Creating Access control Automata

Creating Access control Automata(cont’d) • For the role Intern ,this policy contains a grant rule and a denial rule,both of which propagate downward.The grant rule contains an XPath /record,while the denial rule contains an XPath //comment.Thus

Creating Query Automata • Consider the following XQuery and XPath expressions extracted from it

Creating Query Automata(cont’d) • Let r be /record//comment ,then

Comparison of Automata The path expression r is always-granted if every path accepted by both the schema automaton and query automaton is accepted by the access control automaton .

The path expression is always-denied if no path is accepted by all of the schema automaton ,query automaton and access control automaton. The path expression is statically indeterminateif it is neither always-granted, or always-denied.

Example

Experimental Results • Query optimization • Static Analysis frequently makes run-time checks unnecessary.

QFilter VS Static-Analysis

• Conclusion QFilter is Superior to Post- processing primitive, no access control approach.

• Static Analysis can handle only two cases i.e., either access fully granted or access fully denied. QFilter is superior to Static-Analysis .

Thank You