
A fine-grained access control model for relational databases

Journal of Zhejiang University SCIENCE C

Abstract

Fine-grained access control (FGAC) must be supported by relational databases to satisfy the requirements of privacy-preserving and Internet-based applications. Though much work on FGAC models has been conducted, a number of problems remain open. We propose a new FGAC model that supports the specification of open access control policies as well as closed access control policies in relational databases. Negative authorization is supported, which allows the security administrator to specify what data should not be accessed by certain users. Moreover, multiple policies defined to jointly regulate user access are also supported, and the definition and combination algorithm for multiple policies are provided. Finally, we implement the proposed FGAC model as a component of the database management system (DBMS) and evaluate its performance. The performance results show that the proposed model is feasible.




Correspondence to Hong Zhu.

Additional information

Project (No. 2006AA01Z430) supported by the National High-Tech Research and Development Program (863) of China


Cite this article

Shi, J., Zhu, H. A fine-grained access control model for relational databases. J. Zhejiang Univ. - Sci. C 11, 575–586 (2010). https://doi.org/10.1631/jzus.C0910466


  • DOI: https://doi.org/10.1631/jzus.C0910466
