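$\delta(\text{Operation}, \text{recipient}) = \text{Recipient}$
$\delta(\text{Operation}, \text{notes}) = \text{Notes}$
$\delta(\text{Operation}, \text{value}) = \text{Value}$
$\delta(\text{Account Operation}, \text{@bankAccN}) = q^{fin}$
$\delta(\text{Account Operation}, \text{@Id}) = q^{fin}$
$\delta(\text{Request}, \text{@number}) = q^{fin}$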
The schema automaton defined accepts the same paths allowed by the considered DTD. Specifically, $L(M^G)$ is equal to:

/account operation,
/account operation/@Id,
/account operation/@bankAccN,
/account operation/request,
/account operation/request/@number,
/account operation/request/date,
/account operation/request/means,
/account operation/request/notes,
/account operation/operation,
/account operation/operation/type,
/account operation/operation/amount,
/account operation/operation/recipient,
/account operation/operation/notes,
/account operation/operation/value.
The second step of the static analysis method consists in building the access control automata $M^\Gamma$ and $M^\Gamma$, for each of the three groups of users considered. For the sake of simplicity, we represent only the language of the automaton.
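BankEmployee
$L(M^\Gamma) = \{\text{account operation}\} \cdot (\Sigma^E)^* \cdot (\Sigma^A \cup \{\,\})$

StatisticalAnalyst
$L(M^\Gamma) = \{\text{account operation}\} \cdot (\Sigma^E)^* \cdot (\Sigma^A \cup \{\,\}) \setminus (\Sigma^E)^* \cdot \{\text{notes}\} \cdot (\Sigma^A \cup \{\,\})$

Client
$L(M^\Gamma) = \emptyset \cdot (\Sigma^E)^* \cdot (\Sigma^A \cup \{\,\})$; $L(M^\Gamma) = \{\text{account operation}\} \cdot (\Sigma^E)^* \cdot (\Sigma^A \cup \{\,\})$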
Here, $\cdot$ is the concatenation operator, $\setminus$ is the set difference operator, is the nil character, and $(\Sigma^E)^*$ represents any string in $\Sigma^E$.

Consider now the XQuery expression introduced in Example 2. The corresponding XPath expressions, classified on the basis of the clause they are represented in, are:
FOR, LET, ORDER BY, WHERE: /account operation; /account operation/operation/type
RETURN: account operation/operation/amount; account operation/operation/recipient; account operation//notes

Here record//notes implies both record/request/notes and record/operation/notes.
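The check that the schema language, the role languages and the query paths above feed into, as an added example (not code from the original text): each XPath expression is expanded against $L(M^G)$ and every resulting path is tested for membership in the BankEmployee and StatisticalAnalyst languages. The Client role is left out; the `*` step, the outcome names other than "always granted", and the rule that a mixed result counts as indeterminate are assumptions of this sketch.

```python
import re

# L(M^G): the 14 paths the page lists (names spelled as on the page).
ROOT = "/account operation"
SCHEMA = [ROOT, ROOT + "/@Id", ROOT + "/@bankAccN", ROOT + "/request", ROOT + "/operation"]
SCHEMA += [ROOT + "/request/" + n for n in ("@number", "date", "means", "notes")]
SCHEMA += [ROOT + "/operation/" + n for n in ("type", "amount", "recipient", "notes", "value")]

ELEMS = r"(?:/[^/@]+)*"  # (Sigma^E)*: any sequence of element steps
TAIL = r"(?:/@[^/]+)?"   # (Sigma^A U {nil}): optional final attribute step
ACCOUNT = re.compile(re.escape(ROOT) + ELEMS + TAIL)
NOTES = re.compile(ELEMS + "/notes" + TAIL)

# Access-control languages of two roles as membership tests (page's definitions).
ROLES = {
    "BankEmployee": lambda p: bool(ACCOUNT.fullmatch(p)),
    "StatisticalAnalyst": lambda p: bool(ACCOUNT.fullmatch(p)) and not NOTES.fullmatch(p),
}

def selected(xpath):
    """Schema paths an XPath can reach; only '/', '//' and '*' steps are handled."""
    if not xpath.startswith("/"):
        xpath = "/" + xpath  # the RETURN paths on the page lack the leading '/'
    parts = [re.escape(s).replace(r"\*", "[^/@]+") for s in xpath.split("//")]
    rx = re.compile("/(?:[^/]+/)*".join(parts))
    return [p for p in SCHEMA if rx.fullmatch(p)]

def classify(role, xpath):
    """Outcome names other than 'always granted' are assumed labels."""
    hits = selected(xpath)
    allowed = [p for p in hits if ROLES[role](p)]
    if not hits:
        return "no schema path"
    if len(allowed) == len(hits):
        return "always granted"
    return "always denied" if not allowed else "indeterminate"

# XPath expressions of the page's XQuery example, FOR/WHERE first, then RETURN.
QUERY = ["/account operation", "/account operation/operation/type",
         "account operation/operation/amount",
         "account operation/operation/recipient", "account operation//notes"]

if __name__ == "__main__":
    for role in ROLES:
        for xp in QUERY:
            print(f"{role:<19}{xp:<40}{classify(role, xp)}")
```

Because the decision is taken on paths alone, it can be made before the query touches any document; only the indeterminate case would need a run-time check.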
On the basis of the static analysis, it is possible to classify the requests submitted by users. As an example, consider the following requests.
• BankEmployee requests /account operation/operation/type: the request is always granted;