David F. Ferraiolo, S. Gavrila, Gopi Katwala, Joshua D. Roberts
Title: Imposing Fine-grain Next Generation Access Control over Database Queries
Published in: ABAC '17 (2017-03-24)
DOI: https://doi.org/10.1145/3041048.3041050
Citations: 5
Abstract
In this paper, we describe a system that leverages the ANSI/INCITS Next Generation Access Control (NGAC) standard, called Next-generation Database Access Control (NDAC), for accessing data in tables, rows, and columns in existing RDBMS products. NDAC imposes access control at the data level, eliminating the need for implementing and managing access control in applications and/or through the use of proprietary RDBMS mechanisms. Consequently, the same policies can protect multiple databases from queries sent from multiple applications. Furthermore, NDAC not only provides control down to the field level, but to varying fields of select rows. NDAC is unique in achieving this granularity of control without the use and coordination of multiple protection mechanisms. Operationally, users issue wide-sweeping queries, and NDAC allows access to the optimal amount of data permissible for the user. The method includes an Access Manager for trapping and enforcing policy over SQL queries issued by applications, as well as a Translator for converting SQL statements to NGAC inputs and converting NGAC authorization responses to either an access Deny or one or more permitted SQL statements.
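The abstract describes the Translator's job in general terms; the following added example (not the paper's code) sketches it on a toy NGAC graph: cells of a constructed `emp` table are the protected objects, a single policy class is assumed, and a broad `SELECT *` is rewritten into only the column/row combinations the user may read, or a Deny. The table, attribute names, users and associations are all made up for illustration.

```python
from collections import defaultdict

TABLE = "emp"
# Constructed sample: each protected object is one cell (table, row id, column).
CELLS = [(TABLE, r, c) for r in (1, 2) for c in ("name", "salary")]

# Assignment edges (child -> parents). Cells sit under a column attribute, a row
# attribute and the table attribute; users sit under user attributes.
ASSIGN = {"alice": {"HR"}, "bob": {"Staff", "Bob_self"}}
for t, r, c in CELLS:
    ASSIGN[(t, r, c)] = {f"{c}_col", f"row{r}", t}

# Associations: (user attribute, access rights, object attribute).
ASSOC = [("HR", {"r", "w"}, TABLE),          # HR reads/writes every cell
         ("Staff", {"r"}, "name_col"),       # staff read the name column only
         ("Bob_self", {"r"}, "row2")]        # bob additionally reads his own row

def ancestors(node):
    """All nodes reachable from `node` over assignment edges (inclusive)."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(ASSIGN.get(n, ()))
    return seen

def permitted(user, op, obj):
    """Single-policy-class NGAC check: some attribute of `user` is associated
    with `op` on some attribute that contains `obj`."""
    uas, oas = ancestors(user), ancestors(obj)
    return any(ua in uas and op in ar and oa in oas for ua, ar, oa in ASSOC)

def translate(user, table):
    """Translator step: turn 'SELECT * FROM table' issued by `user` into the
    permitted SQL statements (one per distinct visible column set) or a DENY."""
    visible = defaultdict(set)                 # row id -> readable columns
    for t, r, c in CELLS:
        if t == table and permitted(user, "r", (t, r, c)):
            visible[r].add(c)
    if not visible:
        return ["DENY"]
    rows_by_cols = defaultdict(list)           # column set -> row ids
    for r, cols in visible.items():
        rows_by_cols[frozenset(cols)].append(r)
    return sorted(f"SELECT {', '.join(sorted(cols))} FROM {table} "
                  f"WHERE id IN ({', '.join(map(str, sorted(rows)))})"
                  for cols, rows in rows_by_cols.items())

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, translate(u, TABLE))
```

Row-level variation falls out of the graph: bob's `row2` association adds `salary` for his own row only, so his single query becomes two statements with different projections.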