|
The prevalent use of XML highlights the important issue of ensuring the selective exposure of XML content to different user groups based on their access privileges. The problem of securing XML querying is to ensure that, given a user query Q over an XML database T, the evaluation of Q returns only information in T that the user is allowed to access. This calls for 1) an expressive language for specifying access policies for multiple user groups at various levels of granularity; 2) efficient techniques to enforce access policies during XML query evaluation; and 3) the ability to derive and provide a view schema for each group of users, characterizing their accessible data in order to facilitate query formulation and optimization. Previous proposals and standards for XML security are to specify and enforce access policies at a physical level by either annotating data nodes or materializing XML views. This is costly for large XML databases, and worse still, is error-prone when the underlying data or access policies are updated. Furthermore, none of these models supports schema availability.
In this talk, I shall present a security model that both specifies and enforces XML access control at a conceptual (schema) level. The novelty of the model consists in 1) a language to specify access policies upon a document DTD, 2) a notion of security views characterizing all and only the information that the users are authorized to access, along with view DTDs that the views are guaranteed to conform to; 3) algorithms for automatically deriving a security-view definition from a access-control specification; and (4) algorithms for efficiently rewriting and optimizing XML queries over security views to equivalent queries over the original database, such that the views do not need to be materialized. These yield an effective approach to supporting access control and schema availability for XML data.
|
Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail: school-office@inf.ed.ac.uk Please contact our webadmin with any comments or corrections. Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh |
