Abstract
Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, however there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC, and suggests a rich field of further research.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abiteboul, S., Hull, R.: Data functions, datalog and negation (extended abstract). In: SIGMOD Conference, pp. 143–153 (1988)
Bonner, A.J.: Transaction datalog: A compositional language for transaction programming. In: Cluet, S., Hull, R. (eds.) DBPL 1997. LNCS, vol. 1369, pp. 373–395. Springer, Heidelberg (1998)
Bossi, A., Cocco, N., Dulli, S.: A method for specializing logic programs. ACM Transactions on Programming Languages and Systems 12(2), 253–302 (1990)
Brewer, D.F.C., Nash, M.J.: The chinese wall security policy. In: IEEE Symposium on Security and Privacy, Oakland, CA, May 1989, pp. 206–214 (1989)
Catania, B., Bertino, E.: Static analysis of logical languages with deferred update semantics. IEEE Transactions on Knowledge and Data Engineering 15(2), 386–404 (2003)
Ceri, S., Gottlob, G., Lavazza, L.: Translation and optimization of logic queries: The algebraic approach. VLDB, 395–402 (1986)
Ceri, S., Gottlob, G., Wiederhold, G.: Efficient database access from prolog. IEEE Trans. Software Eng. 15(2), 153–164 (1989)
Chaudhuri, S., Dutta, T., Sudarshan, S.: Fine grained authorization through predicated grants. In: ICDE, Istanbul, Turkey, April 2007, pp. 1174–1183 (2007)
Cook, W.R., Gannholm, M.R.: Rule based database security system and method. United States Patent 6, 820, 082 (November 2004)
Draxler, C.: Accessing Relational and Higher Databases Through Database Set Predicates in Logic Programming Languages. PhD thesis, Zürich University (1991)
Hajiyev, E., Verbaere, M., de Moor, O.: Codequest: Scalable source code queries with datalog. In: Thomas, D. (ed.) ECOOP 2006. LNCS, vol. 4067, pp. 2–27. Springer, Heidelberg (2006)
Kabra, G., Ramamurthy, R., Sudarshan, S.: Redundancy and information leakage in fine-grained access control. In: SIGMOD Conference, Chicago, IL, June 2006, pp. 133–144 (2006)
Maier, D.: Is prolog a database language? In: NYU Symposium on New Directions for Database Systems, New York City (May 1984)
Microsoft TechNet Forums. SQL/CLR DML error: Invalid use of side-effecting or time-dependent operator. World Wide Web electronic publication (April 2008), http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3203413&SiteID=17
OASIS. eXtensible Access Control Markup Language (XACML). Technical Report 1.1, OASIS (August 2003)
Olson, L.E., Gunter, C.A., Madhusudan, P.: A formal framework for reflective database access control policies. In: CCS 2008, Alexandria, VA (October 2008)
Oracle Corporation. Oracle Virtual Private Database. Technical report, Oracle Corporation (June 2005), http://www.oracle.com/technology/deploy/security/db_security/virtual-private-database/index.html
Ullman, J.D.: Principles of Database and Knowledge-Base Systems, vol. I. Computer Science Press (1988)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Olson, L.E., Gunter, C.A., Cook, W.R., Winslett, M. (2009). Implementing Reflective Access Control in SQL. In: Gudes, E., Vaidya, J. (eds) Data and Applications Security XXIII. DBSec 2009. Lecture Notes in Computer Science, vol 5645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03007-9_2
Download citation
DOI: https://doi.org/10.1007/978-3-642-03007-9_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03006-2
Online ISBN: 978-3-642-03007-9
eBook Packages: Computer ScienceComputer Science (R0)