Extended XACML Language and Architecture for Access Control in Graph-structured Data

Aya Mohamed; Dagmar Auer; Daniel Hofer; Josef Küng

doi:10.1145/3487664.3487789

Extended XACML Language and Architecture for Access Control in Graph-structured Data

Aya Mohamed, Dagmar Auer, Daniel Hofer, Josef Küng

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

Abstract

The rapidly increasing use of graph databases for a wide variety of applications demands flexible authorization and fine-grained access control at the level of attributes associated with the basic entities (i.e., accessing subject, requested resource, performed action, and environmental conditions) but also the vertices and edges along a particular access path. We present a solution for authorization policy specification and enforcement in a graph database to apply fine-grained path-specific constraints on graph-structured data. Therefore, we extend the well-established declarative policy definition language eXtensible Access Control Markup Language (XACML) and its architecture to describe path patterns and enforce the policies using the standard functional components of XACML. Our approach, XACML for Graph-structured data (XACML4G), defines an extended XACML grammar for the authorization policy and access request. To enforce XACML4G policies, we relied on the extensibility points of the XACML architecture and added proprietary extensions. We show the significance of our approach by means of a demonstration prototype in the university domain. Finally, we provide an initial evaluation of the expressiveness and performance of XACML4G with regard to XACML.

Original language	English
Title of host publication	The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021)
Editors	Eric Pardede, Maria-Indrawan Santiago, Pari Delir Haghighi, Matthias Steinbauer, Ismail Khalil, Gabriele Kotsis
Place of Publication	New York, USA
Publisher	ACM
Pages	367-374
Number of pages	13
ISBN (Electronic)	9781450395564
DOIs	https://doi.org/10.1145/3487664.3487789
Publication status	Published - 2021

Publication series

Name	International Conference on Information Integration and Web Intelligence
ISSN (Print)	2662-995X

Fields of science

102010 Database systems
102015 Information systems
102016 IT security

JKU Focus areas

Digital Transformation

Access to Document

10.1145/3487664.3487789

Cite this

Mohamed, A., Auer, D., Hofer, D., & Küng, J. (2021). Extended XACML Language and Architecture for Access Control in Graph-structured Data. In E. Pardede, M.-I. Santiago, P. D. Haghighi, M. Steinbauer, I. Khalil, & G. Kotsis (Eds.), The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021) (pp. 367-374). (International Conference on Information Integration and Web Intelligence). ACM. https://doi.org/10.1145/3487664.3487789

Mohamed, Aya ; Auer, Dagmar ; Hofer, Daniel et al. / Extended XACML Language and Architecture for Access Control in Graph-structured Data. The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021). editor / Eric Pardede ; Maria-Indrawan Santiago ; Pari Delir Haghighi ; Matthias Steinbauer ; Ismail Khalil ; Gabriele Kotsis. New York, USA : ACM, 2021. pp. 367-374 (International Conference on Information Integration and Web Intelligence).

@inproceedings{47ab8e8009584b5e89f7997304a722d0,

title = "Extended XACML Language and Architecture for Access Control in Graph-structured Data",

abstract = "The rapidly increasing use of graph databases for a wide variety of applications demands flexible authorization and fine-grained access control at the level of attributes associated with the basic entities (i.e., accessing subject, requested resource, performed action, and environmental conditions) but also the vertices and edges along a particular access path. We present a solution for authorization policy specification and enforcement in a graph database to apply fine-grained path-specific constraints on graph-structured data. Therefore, we extend the well-established declarative policy definition language eXtensible Access Control Markup Language (XACML) and its architecture to describe path patterns and enforce the policies using the standard functional components of XACML. Our approach, XACML for Graph-structured data (XACML4G), defines an extended XACML grammar for the authorization policy and access request. To enforce XACML4G policies, we relied on the extensibility points of the XACML architecture and added proprietary extensions. We show the significance of our approach by means of a demonstration prototype in the university domain. Finally, we provide an initial evaluation of the expressiveness and performance of XACML4G with regard to XACML.",

author = "Aya Mohamed and Dagmar Auer and Daniel Hofer and Josef K{\"u}ng",

year = "2021",

doi = "10.1145/3487664.3487789",

language = "English",

series = "International Conference on Information Integration and Web Intelligence",

publisher = "ACM",

pages = "367--374",

editor = "Eric Pardede and Maria-Indrawan Santiago and Haghighi, \{Pari Delir\} and Matthias Steinbauer and Ismail Khalil and Gabriele Kotsis",

booktitle = "The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021)",

}

Mohamed, A, Auer, D, Hofer, D & Küng, J 2021, Extended XACML Language and Architecture for Access Control in Graph-structured Data. in E Pardede, M-I Santiago, PD Haghighi, M Steinbauer, I Khalil & G Kotsis (eds), The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021). International Conference on Information Integration and Web Intelligence, ACM, New York, USA, pp. 367-374. https://doi.org/10.1145/3487664.3487789

Extended XACML Language and Architecture for Access Control in Graph-structured Data. / Mohamed, Aya; Auer, Dagmar; Hofer, Daniel et al.
The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021). ed. / Eric Pardede; Maria-Indrawan Santiago; Pari Delir Haghighi; Matthias Steinbauer; Ismail Khalil; Gabriele Kotsis. New York, USA: ACM, 2021. p. 367-374 (International Conference on Information Integration and Web Intelligence).

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

TY - GEN

T1 - Extended XACML Language and Architecture for Access Control in Graph-structured Data

AU - Mohamed, Aya

AU - Auer, Dagmar

AU - Hofer, Daniel

AU - Küng, Josef

PY - 2021

Y1 - 2021

N2 - The rapidly increasing use of graph databases for a wide variety of applications demands flexible authorization and fine-grained access control at the level of attributes associated with the basic entities (i.e., accessing subject, requested resource, performed action, and environmental conditions) but also the vertices and edges along a particular access path. We present a solution for authorization policy specification and enforcement in a graph database to apply fine-grained path-specific constraints on graph-structured data. Therefore, we extend the well-established declarative policy definition language eXtensible Access Control Markup Language (XACML) and its architecture to describe path patterns and enforce the policies using the standard functional components of XACML. Our approach, XACML for Graph-structured data (XACML4G), defines an extended XACML grammar for the authorization policy and access request. To enforce XACML4G policies, we relied on the extensibility points of the XACML architecture and added proprietary extensions. We show the significance of our approach by means of a demonstration prototype in the university domain. Finally, we provide an initial evaluation of the expressiveness and performance of XACML4G with regard to XACML.

AB - The rapidly increasing use of graph databases for a wide variety of applications demands flexible authorization and fine-grained access control at the level of attributes associated with the basic entities (i.e., accessing subject, requested resource, performed action, and environmental conditions) but also the vertices and edges along a particular access path. We present a solution for authorization policy specification and enforcement in a graph database to apply fine-grained path-specific constraints on graph-structured data. Therefore, we extend the well-established declarative policy definition language eXtensible Access Control Markup Language (XACML) and its architecture to describe path patterns and enforce the policies using the standard functional components of XACML. Our approach, XACML for Graph-structured data (XACML4G), defines an extended XACML grammar for the authorization policy and access request. To enforce XACML4G policies, we relied on the extensibility points of the XACML architecture and added proprietary extensions. We show the significance of our approach by means of a demonstration prototype in the university domain. Finally, we provide an initial evaluation of the expressiveness and performance of XACML4G with regard to XACML.

UR - https://www.scopus.com/pages/publications/85122632273

U2 - 10.1145/3487664.3487789

DO - 10.1145/3487664.3487789

M3 - Conference proceedings

T3 - International Conference on Information Integration and Web Intelligence

SP - 367

EP - 374

BT - The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021)

A2 - Pardede, Eric

A2 - Santiago, Maria-Indrawan

A2 - Haghighi, Pari Delir

A2 - Steinbauer, Matthias

A2 - Khalil, Ismail

A2 - Kotsis, Gabriele

PB - ACM

CY - New York, USA

ER -

Mohamed A, Auer D, Hofer D, Küng J. Extended XACML Language and Architecture for Access Control in Graph-structured Data. In Pardede E, Santiago MI, Haghighi PD, Steinbauer M, Khalil I, Kotsis G, editors, The 23rd International Conference on Information Integration and Web Intelligence (iiWAS2021). New York, USA: ACM. 2021. p. 367-374. (International Conference on Information Integration and Web Intelligence). doi: 10.1145/3487664.3487789

Extended XACML Language and Architecture for Access Control in Graph-structured Data

Abstract

Publication series

Fields of science

JKU Focus areas

Access to Document

Other files and links

KnoP-2D

Cite this

Extended XACML Language and Architecture for Access Control in Graph-structured Data

Abstract

Publication series

Fields of science

JKU Focus areas

Access to Document

Other files and links

Projects

KnoP-2D

Cite this