____________________________

________________________________________________________

XML Access Control for Semantically XML Access Control for Semantically Related XML DocumentsRelated XML Documents

&&A Role-Based Approach to Access Control A Role-Based Approach to Access Control

For XML DatabasesFor XML Databases

BYBYAsheesh KumarAsheesh Kumar

AXK0656AXK0656April 27, 2006April 27, 2006

XML Access Control for Semantically XML Access Control for Semantically Related XML DocumentsRelated XML Documents

__________________________________________________________________________________________

Vijay Parmar and Hongchi ShiVijay Parmar and Hongchi ShiDepartment of Computer Science & Computer Department of Computer Science & Computer

EngineeringEngineering

University of Missouri- Columbia, USAUniversity of Missouri- Columbia, USA

Su-Shing ChenSu-Shing Chen Dept of computer & Information Science &

Engineering University of Florida, USA

A Role-Based Approach to Access A Role-Based Approach to Access Control for XML DatabasesControl for XML Databases

__________________________________________________________________________________________

Zingzhu WangZingzhu Wang Department of Computer ScienceDepartment of Computer Science

University of Western Ontario, CanadaUniversity of Western Ontario, Canada

Su-Shing ChenSu-Shing Chen Department of Computer ScienceDepartment of Computer Science

University of Western Ontario, CanadaUniversity of Western Ontario, Canada

XML most preferred way to store & exchange XML most preferred way to store & exchange informationinformation

Need to provide controlled access to such Need to provide controlled access to such information is imminentinformation is imminent

Authors propose an access control policy & Authors propose an access control policy & mechanism for a collection of semantically mechanism for a collection of semantically related XML documents related XML documents

XML Access Control for Semantically XML Access Control for Semantically Related XML Documents Related XML Documents

__________________________________________________________________________________________

Features of proposed access control Features of proposed access control mechanismmechanism

It is developed for XML documents- It is developed for XML documents- semantically relatedsemantically related

Access control conditions can be specified Access control conditions can be specified based on contents of the documentbased on contents of the document

Access control is role basedAccess control is role based


__________________________________________________________________________________________

Assume that each XML document resembles Assume that each XML document resembles an entity playing a certain rolean entity playing a certain role

Each entity has certain relationships with Each entity has certain relationships with other entities (XML document)other entities (XML document)

An access request may result in data coming An access request may result in data coming from more than one document in the from more than one document in the collectioncollection

Semantic relationships, so document playing Semantic relationships, so document playing a certain role can have access to other a certain role can have access to other entities playing a different roleentities playing a different role


__________________________________________________________________________________________


__________________________________________________________________________________________

Sample relationships of entities playing particular Sample relationships of entities playing particular rolerole


__________________________________________________________________________________________

Relationship between entities (XML documents)Relationship between entities (XML documents)

Observations for Access Control Policy Observations for Access Control Policy XML documents are not accessed by the XML documents are not accessed by the

document names..document names.. Entity playing a role may requests data from Entity playing a role may requests data from

collection of XML documents by giving a collection of XML documents by giving a general request over the whole collectiongeneral request over the whole collection

Now, requesting entities identification & role Now, requesting entities identification & role would cause access control mechanism to would cause access control mechanism to restrict its access according to access control restrict its access according to access control policypolicy

All documents in collection must comply with All documents in collection must comply with same DTD, so all entities playing a similar role same DTD, so all entities playing a similar role have same structure but different content have same structure but different content


__________________________________________________________________________________________


__________________________________________________________________________________________

Overview of Access Control Policy Overview of Access Control Policy SpecificationSpecification

The Access Control Policy DTD The Access Control Policy DTD

Operation types and execution Operation types and execution ReadRead WriteWrite CreateCreate DeleteDelete

Operations are performed by first querying Operations are performed by first querying the XML document collection with the the XML document collection with the XPATH query expression provided in the XPATH query expression provided in the access requestaccess request


__________________________________________________________________________________________

Steps involved in Read Operation Steps involved in Read Operation XPath query is processed on collection of XPath query is processed on collection of

XML documentsXML documents Results checked for list of allowed elements Results checked for list of allowed elements

for read operation under the appropriate for read operation under the appropriate rolerole

Result of above step leaves a set of document Result of above step leaves a set of document fragment that is further checked for access fragment that is further checked for access control conditioncontrol condition

Condition for each allowed element and sub Condition for each allowed element and sub element is checkedelement is checked

If conditions are satisfied, the content of If conditions are satisfied, the content of allowed element are not deleted allowed element are not deleted


__________________________________________________________________________________________


__________________________________________________________________________________________

A sample Read A sample Read operationoperation


__________________________________________________________________________________________

Condition Specification Condition Specification Conditions indicate constraint for the access Conditions indicate constraint for the access

to the particular allowed element for a to the particular allowed element for a specific operationspecific operation

Presence of name of an element in the Presence of name of an element in the allowed element list indicates that it is allowed element list indicates that it is allowed for access for a particular role only allowed for access for a particular role only if the conditions are satisfiedif the conditions are satisfied

Conditions can be specified in the access Conditions can be specified in the access control policy document with the ‘condition’ control policy document with the ‘condition’ element element

AND & OR conditions ..AND & OR conditions ..


__________________________________________________________________________________________


__________________________________________________________________________________________

Condition types Condition types ProhibitProhibit EqualsEquals ExistsExists NotExistsNotExists


__________________________________________________________________________________________


__________________________________________________________________________________________

A sample Condition SpecificationA sample Condition Specification


__________________________________________________________________________________________

A student is not allowed to update his grades but allowed to view themA student is not allowed to update his grades but allowed to view them


__________________________________________________________________________________________

Overall Access control modelOverall Access control model

Propose to combine Role Graph Model, Propose to combine Role Graph Model, Authorization Type Graph and Authorization Authorization Type Graph and Authorization Object Schema, Authorization Object Graph Object Schema, Authorization Object Graph

Group of permission -> Role -> assigned to Group of permission -> Role -> assigned to usersusers

Permissions are privilegesPermissions are privileges Privileges are made up of object and access Privileges are made up of object and access

mode ( read/ write etc)mode ( read/ write etc) Object part of an XML database is any part of Object part of an XML database is any part of

XMLXML

A Role-Based Approach to Access A Role-Based Approach to Access Control for XML Databases Control for XML Databases

__________________________________________________________________________________________


__________________________________________________________________________________________

Example Role GraphExample Role Graph


__________________________________________________________________________________________

Authorization Object Schema for exampleAuthorization Object Schema for example


__________________________________________________________________________________________

Authorization Object Graph for exampleAuthorization Object Graph for example


__________________________________________________________________________________________

Authorization Type GraphAuthorization Type Graph


__________________________________________________________________________________________

Authorization Association MatrixAuthorization Association Matrix

Thank YouThank You

Asheesh KumarAsheesh Kumar

AXK0656AXK0656

____________________________

Documents

canadaxml access control

collection of xml documents

role basedxml access

controlled access

xml document collection

documentaccess control

entities identification

similar role