TY - GEN
T1 - Authorization Policy Extension for Graph Databases
AU - Mohamed, Aya
AU - Auer, Dagmar
AU - Hofer, Daniel
AU - Küng, Josef
PY - 2020/11
Y1 - 2020/11
N2 - The high increase in the use of graph databases also for business- and privacy-critical applications demands for a sophisticated, flexible, fine-grained authorization and access control approach. Attribute-based access control (ABAC) supports a fine-grained definition of authorization rules and policies. Attributes can be associated with the subject, the requested resource and action, but also the environment. Thus, this is a promising starting point. However, specific characteristics of graph-structured data such as attributes on vertices and edges along a path to the resource, are not yet considered. The well-established eXtensible Access Control Markup Language (XACML), which defines a declarative language for fine-grained, attribute-based authorization policies, is the basis for our proposed approach - XACML for Graph-structured data (XACML4G). The additional path-specific constraints, described in graph patterns, demand for specialized processing of the rules and policies as well as adapted enforcement and decision making in the access control process. To demonstrate XACML4G and its enforcement process, we present a scenario from the university domain. Due to the project’s environment, the prototype is built with the multi-model database ArangoDB. The results are promising and further studies concerning performance and use in practice are planned.
AB - The high increase in the use of graph databases also for business- and privacy-critical applications demands for a sophisticated, flexible, fine-grained authorization and access control approach. Attribute-based access control (ABAC) supports a fine-grained definition of authorization rules and policies. Attributes can be associated with the subject, the requested resource and action, but also the environment. Thus, this is a promising starting point. However, specific characteristics of graph-structured data such as attributes on vertices and edges along a path to the resource, are not yet considered. The well-established eXtensible Access Control Markup Language (XACML), which defines a declarative language for fine-grained, attribute-based authorization policies, is the basis for our proposed approach - XACML for Graph-structured data (XACML4G). The additional path-specific constraints, described in graph patterns, demand for specialized processing of the rules and policies as well as adapted enforcement and decision making in the access control process. To demonstrate XACML4G and its enforcement process, we present a scenario from the university domain. Due to the project’s environment, the prototype is built with the multi-model database ArangoDB. The results are promising and further studies concerning performance and use in practice are planned.
UR - https://www.scopus.com/pages/publications/85097430862
U2 - 10.1007/978-3-030-63924-2_3
DO - 10.1007/978-3-030-63924-2_3
M3 - Conference proceedings
SN - 978-3-030-63923-5
VL - 12466
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 47
EP - 66
BT - Future Data and Security Engineering - 7th International Conference, FDSE 2020, Proceedings
A2 - Dang, Tran Khanh
A2 - Küng, Josef
A2 - Takizawa, Makoto
A2 - Chung, Tai M.
PB - Springer Nature Switzerland
ER -