<review_summary>
  <notificationDue>6/30/07 0:0 AM</notificationDue>
  <entry>
    <paper id="0120">XML Policy Model</paper>
    <contents encoding="Base64">4Dxk5lw...</contents>
    <authorName>Carol</authorName>
    <review>
      <reviewerName>Robert</reviewerName>
      <rating>3.5</rating>
    </review>
    <result status="final">Accept</result>
  </entry>
</review_summary>
Fig. 1. An example XML document
review XML document. The rule R1 is the default policy for the chairperson. Rule R2 gives the write permission on the result field to the chairperson. Rule R3 allows the reviewers to read any node below the entry element except for the authorName element. Rule R4 allows the reviewers to update their rating element. Rule R5 allows authors access to their paper submission. Rule R6 defines the temporal policy with regard to the notification date.
R1: The chairperson can read any elements, attributes and text nodes of the review document.
R2: The chairperson can write the review result (accept or reject) in the result field.
R3: Each reviewer can read the entry element (and any subordinate nodes) assigned to him except for the authorName.
R4: Each reviewer can fill in the rating element assigned to him.
R5: Each author can read his own submission entry except for the review elements.
R6: Each author can read the result of his submission after the date of the notification.
Fig. 2. An access control policy example
For example, when the chairperson issues a read access request for the authorName element, the access should be permitted according to R1. On the other hand, when a reviewer tries to read the authorName element, the access should be denied according to R3. When an author tries to read the result element, the access should be permitted only after the notification date has passed according to R6. Therefore, a query like "retrieve complete XML nodes below the document root" must reflect all of the access control policies at the time of the access.
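The read rules R1, R3, R5 and R6 applied to the document of Fig. 1, as an added example that is not code from the original text. It assumes the role labels chair, reviewer and author, subjects matched by name, default deny when no rule grants access, and the root element spelled review_summary so that the document parses.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Document of Fig. 1; the root tag spelling review_summary is an assumption.
DOC = """<review_summary>
<notificationDue>6/30/07 0:0 AM</notificationDue>
<entry>
<paper id="0120">XML Policy Model</paper>
<contents encoding="Base64">4Dxk5lw...</contents>
<authorName>Carol</authorName>
<review><reviewerName>Robert</reviewerName><rating>3.5</rating></review>
<result status="final">Accept</result>
</entry>
</review_summary>"""

def decide(role, name, tag, entry, in_review, now, due):
    """Read decision for one element; role labels are assumed, not from the text."""
    if role == "chair":                       # R1: chairperson reads everything
        return True
    if entry is None:                         # R3/R5 grant nothing outside an entry
        return False
    if role == "reviewer":                    # R3: assigned entry, minus authorName
        assigned = name in [r.text for r in entry.iter("reviewerName")]
        return assigned and tag != "authorName"
    if role == "author":                      # R5: own entry, minus review subtree
        if entry.findtext("authorName") != name or in_review:
            return False
        return tag != "result" or now > due   # R6: result only after notification
    return False                              # assumed default: deny

def readable_paths(xml_text, role, name, now):
    """Paths of all elements the subject may read at time `now`."""
    root = ET.fromstring(xml_text)
    # Only the date part is parsed; the "0:0 AM" time is taken as midnight.
    due = datetime.strptime(root.findtext("notificationDue").split()[0], "%m/%d/%y")
    allowed = []

    def walk(elem, path, entry, in_review):
        path = f"{path}/{elem.tag}"
        entry = elem if elem.tag == "entry" else entry
        in_review = in_review or elem.tag == "review"
        if decide(role, name, elem.tag, entry, in_review, now, due):
            allowed.append(path)
        for child in elem:
            walk(child, path, entry, in_review)

    walk(root, "", None, False)
    return allowed
```

The same "whole document" request therefore yields a different view per subject and per point in time; the write rules R2 and R4 are outside what this example covers.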