Databases Reference
In-Depth Information
•
StatisticalAnalyst
requests
/account operation//notes
: the request
is
always denied
;
•
Client
requests
/account operation/operation/amount
: the request is
statically indeterminate
.
The last request introduced by the example is statically indeterminate as the
path expression
/account operation[./@bankAccN=$userAcc]
in the access
control policy cannot be statically captured by an automaton. To solve this
problem, it is possible to rewrite the policy, and all the statical analysis tools,
adding two new symbols to the considered alphabet:
account operation1 =
/account operation[./@bankAccN=$userAcc]
and
account operation2 =
/account operation[not ./@bankAccN=$userAcc]
.
4.3 Other Approaches
Besides the two access control models described above, a number of other
models have been introduced in the literature for controlling access to XML
documents.
The first work of Kudo et al. [10] introduce provisional authorizations in
XML access control. A
provisional authorization
is an authorization allowing
the specification of a security action that the user (and/or the system) has to
execute to gain access to the requested resource. A security action may be for
example, the encryption of a resource with a given key, or the recording in
the log of an access control decision. Due to the problem of run-time policy
evaluation, Kudo et al. [6] present a different access control model, based
on the definition of an
Access-Condition-Table
(ACT). An ACT structure is
statically generated from an access control policy. The ACT contains, for each
target path in the XML document, an access condition and a subtree access
conditions, which are the conditions that have to be fulfilled to gain access
to the node and to its subtree, respectively. By using the ACT, the run-time
evaluation of requests is reduced from the whole policy to an access condition.
The proposed model has however some disadvantages: it does not scale well,
and it imposes limitations on XPath expressions. To overcome these issues
the authors propose an alternative structure to ACT, the
Policy Matching
Tree
(PMT) [7], which supports real-time updates of both policy and data. In
this case, the pre-processing phase consists in building the tree structure on
the basis of the access control policy. Whenever a user makes a request, an
algorithm visits the path in the tree that matches the request, to compute the
correct answer stored in the leaf. To further improve computational eciency,
the authors propose a
function-based
access control model that has a rule
function for each authorization in the policy [17]. A rule function is a piece
of executable code, which is run any time an access request matches with
the rule, and returning the answer for the final user. Function rules can be
organized on the basis of the subject or object they refer to: the first solution
has been empirically proven to be more e
cient.
