Databases Reference
In-Depth Information
node
n
overrides a contradicting authorization
3
associated with any
ancestor of
n
for all the descendants of
n
.
Path overrides.
Authorizations of a node are propagated to its descen-
dants, if not overridden. An authorization associated with a node
n
overrides a contradicting authorization associated with an ancestor
n
for all the descendants of
n
only for the paths passing from
n
.The
overriding has no effect on other paths.
These policies can be adopted also for the authorization subject hierarchy.
Support of Exceptions. The support of authorizations at different granularity
levels allows for easy expressiveness of both fine and coarse grained autho-
rizations. Such an advantage would remain however very limited without
the ability of the authorization model to support exceptions, since the
presence of a granule (document or element/attribute) with protection
requirements different from those of its siblings would require the ex-
plicit specification of authorizations at that specific granularity level. For
instance, the situation where a user should be granted access to all docu-
ments associated with a DTD but one specific instance, would imply the
need of stating the authorizations explicitly for all the other documents
as well; thereby ruling out the advantage of supporting authorizations
at the DTD level. A simple way to support exceptions is by using both
positive
(permissions) and
negative
(denials) authorizations, where per-
missions and denials can override each other.
The combined use of positive and negative authorizations brings to the
problem of how the two specifications should be treated when conflict-
ing authorizations are associated with the same node element for a given
subject and action. This requires the support for conflict resolution poli-
cies [11].
Most of the models proposed for XML access control adopt, as a conflict
resolution policy, the “denials take precedence” policy, meaning that, in
case of conflict, access is denied.
Note that, when both permissions and denials can be specified, another
problem that naturally arises is the
incompleteness
problem, meaning that
for some accesses neither a positive nor a negative authorization exists.
The incompleteness problem is typically solved by applying a default
open
or
closed
policy [12].
•
4 XML Access Control Models
Several access control models have been proposed in the literature for regu-
lating access to XML documents. We start our overview of these models by
presenting the first access control model for XML [9], which has then inspired
3
Two authorizations (
s, o, a
)and(
s
,o
,a
) are contradictory if
s
=
s
,
o
=
o
,and
a
=
a
, but one of them grants access, while the other denies it.
