4 XML Access Control Policy Languages
4.1 XACL
The XML Access Control Language (XACL) [9] is a fine-grained access control
policy specification language for XML data. It allows application developers
to specify policies at the element and attribute levels with various conditional
expressions. XACL uses XPath expressions to specify the targets of a policy
with either positive or negative permissions. It provides several ways to
resolve conflicts between the decisions, either by the permit-takes-precedence
or the denial-takes-precedence resolution policies. The XACL also defines how
the access effects propagate on the XML tree structure. By default, a read
permission specified on a certain element automatically propagates upward to
the root node as well as propagating downward to its descendants.
Policy Syntax and Semantics.
The XACL policies are specified using xacl elements and one or more rule
elements that specify permit or deny authorization conditions. Two or more
rules are disjunctively combined according to the pre-defined combining
algorithms. The authorization subject is specified using one or more subject
descriptors of group, role, or userid under a subject element. With regard
to the authorization objects, XACL only supports XPath expressions as an
href attribute of the object element. There are four types of authorization
actions in XACL: read, write, create, and delete. Arbitrary conditional
expressions can be specified using the operation attributes, the predicate
elements, or the parameter elements below the condition elements. Figure 3
expresses Rule R3 of Figure 2.
Rule R3-1 specifies a permissive rule on a /review summary/entry element
for the reviewer group with the condition that only the reviewer in
charge can access the paper content and the submission information. Since
the XACL supports the downward propagation from the target node by default,
any subordinate nodes below the entry element, e.g. the authorName and
reviewerName elements, are also the target authorization objects of this
rule.
In contrast, Rule R3-2 specifies a denial rule for all reviewers on the
/review summary/entry/authorName element, which enables an anonymous paper
review policy. Where this rule contradicts the permissive R3-1 rule, the
conflict resolution denial-takes-precedence policy, which is supposed to be
specified for the property element below the policy element, denies access
to the authorName.
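The interaction of R3-1 and R3-2 described above, as an added Python example (not code from the original text; it models the decision logic only and is not XACL syntax). It applies downward propagation from each rule's XPath target and then resolves the permit/deny conflict on authorName under either resolution policy. Assumptions: the root element name review_summary, the rating element, the tuple representation of rules, and the function names are hypothetical; the reviewer-in-charge condition and upward propagation are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample document. Only entry, authorName and reviewerName come
# from the text; review_summary and rating are assumed names.
DOC = ET.fromstring(
    "<review_summary><entry>"
    "<authorName>Alice</authorName><reviewerName>Bob</reviewerName>"
    "<rating>3</rating></entry></review_summary>"
)

# (rule id, effect, subject group, target XPath relative to the root, action)
RULES = [
    ("R3-1", "permit", "reviewer", "./entry", "read"),
    ("R3-2", "deny", "reviewer", "./entry/authorName", "read"),
]

def covered(root, xpath):
    """Nodes matched by xpath plus all their descendants (downward propagation)."""
    nodes = set()
    for target in root.findall(xpath):
        nodes.update(target.iter())  # iter() yields the target and its subtree
    return nodes

def decide(root, node, group, action, resolution="denial-takes-precedence"):
    """Return 'permit', 'deny', or None when no rule applies to node."""
    effects = {
        effect
        for _rule_id, effect, rule_group, xpath, rule_action in RULES
        if rule_group == group and rule_action == action
        and node in covered(root, xpath)
    }
    if len(effects) == 2:  # a permit and a deny both reach this node
        return "deny" if resolution == "denial-takes-precedence" else "permit"
    return effects.pop() if effects else None

def readable_view(root, group):
    """Tags the group may read under denial-takes-precedence, in document order."""
    return [n.tag for n in root.iter() if decide(root, n, group, "read") == "permit"]

if __name__ == "__main__":
    print(readable_view(DOC, "reviewer"))
```

Switching the resolution argument to permit-takes-precedence flips the authorName decision to permit, which is why the anonymous-review policy depends on the resolution policy being set as the text describes.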
Binding Scheme.
How to bind a set of policies written in XACL with target documents is out
of the scope of XACL. There are two fundamental approaches. One is the