Table 2. An example of access control policies

| # | Subject                         | Object                                                | Sign | Action | Type |
|---|---------------------------------|-------------------------------------------------------|------|--------|------|
| 1 | Public,*,*                      | /account operation/@bankAccN                          | −    | read   | LD   |
| 2 | BankEmployee,*,*                | /account operation                                    | +    | read   | RD   |
| 3 | StatisticalAnalyst,*,*          | /account operation                                    | +    | read   | RD   |
| 4 | StatisticalAnalyst,*,*          | //notes                                               | −    | read   | LD   |
| 5 | StatisticalAnalyst,*,*          | /account operation/operation[./type="bank transfer"]  | −    | read   | RD   |
| 6 | Client,*,*                      | /account operation[./@bankAccN=$userAcc]              | +    | read   | R    |
| 7 | BankEmployee,150.108.33.*,*     | /account operation/@bankAccN                          | +    | read   | L    |
| 8 | StatisticalAnalyst,*,*.bank.com | /account operation//notes                             | +    | read   | L    |
| 9 | CashOperators,*,*               | /account operation/request[./means="Internet"]        | −    | read   | R    |
DTD. DTD loosening prevents users from detecting whether information has been hidden by the security enforcement or was simply missing in the original document [14].
Example 3. Consider the DTD and the XML document in Fig. 1, and the user-group hierarchy in Fig. 3. Table 2 shows a list of access control policies. The first schema-level authorization states that nobody can access attribute @bankAccN of element account operation (1). Users belonging to the BankEmployee and StatisticalAnalyst groups can access the account operation element (2 and 3), but the StatisticalAnalyst group is denied access to //notes (4). Since the fourth authorization is LD, while the third authorization is RD, the fourth policy overrides the third one. Furthermore, the StatisticalAnalyst group is denied access to /account operation/operation[./type="bank transfer"], meaning that users belonging to the group cannot access /account operation/operation if the operation is a bank transfer (5). Consider now the instance-level authorizations. Users belonging to the Client group can access the account operation element if condition ./@bankAccN=$userAcc holds (the variable $userAcc contains the bank account number of the requesting user) (6). Also, members of the BankEmployee group connected from 150.108.33.* can access the @bankAccN attribute (7). This authorization overrides the first authorization in the table. Members of the StatisticalAnalyst group connected from *.bank.com can read /account operation//notes for the specific instance (8). Finally, the CashOperators group is denied access to /account operation/request[./means="Internet"] (9).
Suppose now that Alice and David submit a request to read the document
in Fig. 1(b). Figure 4 illustrates the views returned to Alice and David at the
end of the access control process.
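To make the priority rules of Example 3 concrete, the following Python is an added example, not code from the chapter: it evaluates a constructed policy laid out like Table 2 against a constructed document (Fig. 1(b) is not reproduced here) and returns the pruned view a requester would see. It assumes a closed policy (nodes with no applicable authorization are hidden), that a denied element is pruned together with its subtree, that recursive authorizations also cover attributes, and ElementTree path syntax in place of XPath.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed policy laid out like Table 2: (group, ip, host), object, sign, type (read only).
# Object paths use ElementTree syntax; account_operation is used because XML names cannot contain spaces.
POLICY = [
    (("Public", "*", "*"), "account_operation/@bankAccN", "-", "LD"),                                   # row 1
    (("StatisticalAnalyst", "*", "*"), "account_operation", "+", "RD"),                                  # row 3
    (("StatisticalAnalyst", "*", "*"), ".//notes", "-", "LD"),                                           # row 4
    (("StatisticalAnalyst", "*", "*"), "account_operation/operation[type='bank transfer']", "-", "RD"),  # row 5
    (("StatisticalAnalyst", "*", "*.bank.com"), "account_operation//notes", "+", "L"),                   # row 8
]
# Constructed document standing in for Fig. 1(b), which is not reproduced on this page.
DOC = ('<account_operation bankAccN="123"><operation><type>bank transfer</type><notes>a</notes>'
       '</operation><operation><type>deposit</type><notes>b</notes></operation></account_operation>')

def decide(doc, policy, requester):
    """Map (id(element), attribute-or-None) to readable; unmentioned nodes are denied (closed policy)."""
    groups, ip, host = requester
    verdicts = {}                                     # key -> (priority, permit)
    for (g, ipp, hp), path, sign, typ in policy:
        if not (g in groups and fnmatch.fnmatch(ip, ipp) and fnmatch.fnmatch(host, hp)):
            continue                                  # subject triple does not match the requester
        prio = ("D" not in typ, typ[0] == "L")         # instance beats schema, local beats recursive
        elem_path, _, attr = path.partition("/@")
        for el in doc.findall(elem_path):
            targets = ([(el, attr)] if attr else [(el, None)] if prio[1]             # attribute / local
                       else [(d, a) for d in el.iter() for a in (None, *d.attrib)])  # recursive
            for key in ((id(e), a) for e, a in targets):
                old = verdicts.get(key, ((-1, -1), True))
                if prio >= old[0]:                    # equal priority: a denial wins
                    verdicts[key] = (prio, sign == "+" and (prio > old[0] or old[1]))
    return {k: v[1] for k, v in verdicts.items()}

def prune(el, readable):
    """Drop denied attributes and denied elements, with their subtrees, in place."""
    for a in [a for a in el.attrib if not readable.get((id(el), a))]:
        del el.attrib[a]
    for child in list(el):
        if readable.get((id(child), None)):
            prune(child, readable)
        else:
            el.remove(child)

def view(xml_text, requester, policy=POLICY):
    doc = ET.Element("doc")                           # synthetic root so paths start at account_operation
    doc.append(ET.fromstring(xml_text))
    prune(doc, decide(doc, policy, requester))
    return "".join(ET.tostring(c, encoding="unicode") for c in doc)
```

A requester is given as (groups, ip, host); an analyst connecting from *.bank.com regains the notes elements through row 8, while the same analyst from elsewhere loses them to row 4, and the bank-transfer operation disappears for both because of row 5.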