A Formal Access Control Model for XML Databases

  • Alban Gabillon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3674)


In this paper, we first define a logical theory representing an XML database supporting XPath as query language and XUpdate as modification language. We then extend our theory with predicates allowing us to specify the security policy protecting the database. The security policy includes rules addressing the read and write privileges. We propose axioms to derive the database view each user is permitted to see. We also propose axioms to derive the new database content after an update.


Access Control, Security Policy, Logical Theory, Numbering Scheme, Access Control Model
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Alban Gabillon (1)
  1. IUT de Mont de Marsan, LIUPPA/CSySEC, Université de Pau et des Pays de l’Adour, Mont de Marsan, France
