Databases Reference
In-Depth Information
Materialization. The expressions composing policies are explicitly
evaluated, by obtaining a set of ground authorizations that represents the
policy that needs to be enforced. This strategy can be applied when all the
composed policies are known and reasonably static.
Partial materialization. Whenever materialization is not possible since
some of the policies to be composed are not available, it is possible to
materialize only a subset of the final policy. This strategy is useful also
when some of the policies are subject to sudden and frequent changes, and
the cost of materialization may be too high with respect to the advantages
it may provide.
Run-time evaluation. In this case no materialization is performed and
run-time evaluation is needed for each request (access triple), which is
checked against the policy expressions to determine whether the triple
belongs to the result.
The authors then propose a method (pe2lp) for transforming algebraic policy
composition expressions into a logic program. The method can be easily
adapted to any of the three materialization strategies introduced above.
Basically, the translation process creates a distinct predicate symbol for
each policy identifier and for each algebraic operator in the expression.
The logic programming formulation of algebra expressions can be used to
enforce access control. As already pointed out while introducing algebra
operators, this policy composition algebra can also be used to express
simple access control policies, such as open and closed policy, propagation
policies, and exceptions management. For instance, let us consider a
hospital composed of three wards, namely Cardiology, Surgery, and
Orthopaedics. Each ward is responsible for granting access to data under
its responsibility. Let $P_{Cardiology}$, $P_{Surgery}$ and
$P_{Orthopaedics}$ be the policies of the three wards. Suppose now that an
access is authorized if any of the wards' policies states so and that
authorizations in policy $P_{Surgery}$ are propagated to individual users
and documents by classical hierarchy-based derivation rules, denoted $R_H$.
In terms of the algebra, the hospital policy can be represented as follows.
$P_{Cardiology}\ \&\ P_{Surgery}\ R_H\ \&\ P_{Orthopaedics}$
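The hospital scenario above, evaluated once by materialization and once by
run-time evaluation, as an added Python example that is not code from the
original text and is not the pe2lp translation. It assumes the combination
described in the prose (any ward's policy can grant) and a simple form of
hierarchy-based derivation in which a grant on a group or record collection
flows down to its members; the node names ("any", "closure_H"), users,
groups and records are all constructed for illustration.

```python
# Added example; triples are (subject, object, action); all data is constructed.
SUBJ_PARENT = {"alice": "surgeons", "bob": "nurses"}   # user -> group
OBJ_PARENT = {"rec1": "surgery_records", "rec2": "surgery_records"}
POLICIES = {
    "Cardiology": {("carol", "ecg7", "read")},
    "Surgery": {("surgeons", "surgery_records", "read")},
    "Orthopaedics": {("dave", "xray3", "read")},
}
# Expression nodes: ("policy", name) | ("any", e1, ...) | ("closure_H", e)
HOSPITAL = ("any", ("policy", "Cardiology"),
            ("closure_H", ("policy", "Surgery")), ("policy", "Orthopaedics"))

def ancestors(x, parent):
    """x followed by every node above it in the hierarchy."""
    chain = [x]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain

def descendants(x, parent):
    """x plus every node below it in the hierarchy."""
    return {n for n in set(parent) | {x} if x in ancestors(n, parent)}

def materialize(expr):
    """Materialization: evaluate the expression into a set of ground triples."""
    op = expr[0]
    if op == "policy":
        return set(POLICIES[expr[1]])
    if op == "any":
        return set().union(*(materialize(e) for e in expr[1:]))
    if op == "closure_H":  # assumed rule: grants flow down both hierarchies
        return {(s2, o2, a) for (s, o, a) in materialize(expr[1])
                for s2 in descendants(s, SUBJ_PARENT)
                for o2 in descendants(o, OBJ_PARENT)}
    raise ValueError(f"unknown operator {op!r}")

def permits(expr, triple):
    """Run-time evaluation: test one access triple against the expression."""
    op = expr[0]
    if op == "policy":
        return triple in POLICIES[expr[1]]
    if op == "any":
        return any(permits(e, triple) for e in expr[1:])
    if op == "closure_H":  # walk up the hierarchies instead of expanding down
        s, o, a = triple
        return any(permits(expr[1], (s2, o2, a))
                   for s2 in ancestors(s, SUBJ_PARENT)
                   for o2 in ancestors(o, OBJ_PARENT))
    raise ValueError(f"unknown operator {op!r}")
```

A set returned by materialize() is a snapshot: if a ward later removes an
authorization, the snapshot still contains the derived grants until it is
recomputed, while permits() reflects the change on the next request.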
Following this work, Jajodia et al. [47] presented a propositional algebra
for policies with a syntax consisting of abstract symbols for atomic policy
expressions and composition operators.
5 Access Control Through Encryption
Since the amount of data that organizations need to manage is increasing
very quickly, data outsourcing is becoming more and more attractive. Data
outsourcing provides data storage at a low rate, allowing the data owner to