CLC number: TP309
On-line Access: 2010-08-02
Received: 2009-07-29
Revision Accepted: 2010-01-11
Crosschecked: 2010-05-31
Cited: 6
Clicked: 7816
Jie Shi, Hong Zhu. A fine-grained access control model for relational databases[J]. Journal of Zhejiang University Science C, 2010, 11(8): 575-586.
@article{title="A fine-grained access control model for relational databases",
author="Jie Shi, Hong Zhu",
journal="Journal of Zhejiang University Science C",
volume="11",
number="8",
pages="575-586",
year="2010",
publisher="Zhejiang University Press & Springer",
doi="10.1631/jzus.C0910466"
}
%0 Journal Article
%T A fine-grained access control model for relational databases
%A Jie Shi
%A Hong Zhu
%J Journal of Zhejiang University SCIENCE C
%V 11
%N 8
%P 575-586
%@ 1869-1951
%D 2010
%I Zhejiang University Press & Springer
%DOI 10.1631/jzus.C0910466
TY - JOUR
T1 - A fine-grained access control model for relational databases
A1 - Jie Shi
A1 - Hong Zhu
J0 - Journal of Zhejiang University Science C
VL - 11
IS - 8
SP - 575
EP - 586
%@ 1869-1951
Y1 - 2010
PB - Zhejiang University Press & Springer
ER -
DOI - 10.1631/jzus.C0910466
Abstract: fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy preserving and Internet-based applications. Though much work on FGAC models has been conducted, there are still a number of ongoing problems. We propose a new FGAC model which supports the specification of open access control policies as well as closed access control policies in relational databases. The negative authorization is supported, which allows the security administrator to specify what data should not be accessed by certain users. Moreover, multiple policies defined to regulate user access together are also supported. The definition and combination algorithm of multiple policies are thus provided. Finally, we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance. The performance results show that the proposed model is feasible.
[1]Agrawal, R., Kiernan, J., Srikant, R., Xu, Y., 2002. Hippocratic Databases. Proc. Very Large Data Bases, p.563-574.
[2]Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., Rjaibi, W., 2005. Extending Relational Database Systems to Automatically Enforce Privacy Policies. Proc. 21st Int. Conf. on Data Engineering, p.1013-1022.
[3]Al-Kahtani, M.A., Sandhu, R., 2004. Rule-Based RBAC with Negative Authorization. Proc. 20th Annual Computer Security Applications Conf., p.405-415.
[4]Barker, S., 2008. Dynamic meta-level access control in SQL. LNCS, 5094:1-16.
[5]Bertino, E., Sandhu, R., 2005. Database security-concepts, approaches, and challenges. IEEE Trans. Depend. Secur. Comput., 2(1):2-19.
[6]Bertino, E., Samarati, P., Jajodia, S., 1997. An extended authorization model for relational database. IEEE Trans. Knowl. Data Eng., 9(1):85-101.
[7]Bertino, E., Byun, J.W., Li, N., 2005. Privacy-preserving database systems. LNCS, 3655:178-206.
[8]Byun, J.W., Bertino, E., Li, N., 2005. Purpose Based Access Control of Complex Data for Privacy Protection. Proc. 10th ACM Symp. on Access Control Models and Technologies, p.102-110.
[9]Chaudhuri, S., Dutta, T., Sudarshan, S., 2007. Fine Grained Authorization Through Predicated Grants. Int. Conf. on Data Engineering, p.1174-1183.
[10]Da Meng Database Corporation, 2000. DM Database. Available from http://www.dameng.com/dmweb/ [Accessed on Feb. 14, 2009].
[11]Dwivedi, S., Menezes, B., Singh, A., 2005. Database Access Control for E-business: a Case Study. Proc. Int. Conf. on Management of Data, p.168-175.
[12]Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R., 2001. Proposed NIST standard for role-based access control. ACM Trans. Inform. Syst. Secur., 4(3):224-274.
[13]Jain, U., 2004. Seminar Report Fine-Grained Access Control in Databases. Technical Report, Bernard Menezes KReSIT, IIT Bombay.
[14]Kabra, G., Ramamurthy, R., Sudarshan, S., 2006. Redundancy and Information Leakage in Fine-Grained Access Control. Proc. ACM SIGMOD Int. Conf. on Management of Data, p.133-144.
[15]LeFevre, K., Agrawal, R., Ercegovac, V., Ramakrishnan, R., Xu, Y., DeWitt, D., 2004. Limiting Disclosure in Hippocratic Databases. Proc. Very Large Data Bases, p.108-119.
[16]Olson, L.E., Gunter, C.A., Madhusudan, P., 2008. A Formal Framework for Reflective Database Access Control Policies. Proc. 15th ACM Conf. on Computer and Communications Security, p.289-298.
[17]Olson, L.E., Gunter, C.A., Cook, W.R., Winslett, M., 2009. Implementing reflective access control in SQL. LNCS, 5645:17-32.
[18]Oracle Corporation, 2005. Oracle Virtual Private Database. Technical Report. Available from http://www.oracle.com/technology/deploy/security/db_security/virtual-private-database/index.html [Accessed on Jan. 10, 2009].
[19]Osborn, S., Sandhu, R., Munawer, Q., 2000. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inform. Syst. Secur., 3(2):85-106.
[20]Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P., 2004. Extending Query Rewriting Techniques for Fine-Grained Access Control. Proc. ACM SIGMOD Int. Conf. on Management of Data, p.551-562.
[21]Stonebraker, M., Wong, E., 1974. Access Control in a Relational Database Management System by Query Modification. Proc. ACM Annual Conf., p.180-186.
[22]Transaction Processing Performance Council (TPC), 2002. TPC BENCHMARKTM W (Web Commerce) Specification, Version 1.8. Available from http://www.tpc.org/tpcw/spec/tpcw_V1.8.pdf [Accessed on May 8, 2009].
[23]Wang, Q., Yu, T., Li, N., Lobo, J., Bertino, E., Irwin, K., Byun, J.W., 2007. On the Correctness Criteria of Fine-Grained Access Control in Relational Databases. Proc. Very Large Data Bases, p.555-566.
[24]Zhu, H., Fu, X., Lin, Q.H., Lu, K., 2006. The design and implementation of a performance evaluation tool with TPC-W benchmark. J. Comput. Inform. Technol., 14(2):149-160.
Open peer comments: Debate/Discuss/Question/Opinion
<1>