XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement

Aya Mohamed; Dagmar Auer; Daniel Hofer; Josef Küng

doi:10.5220/0012090000003555

XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement

Aya Mohamed, Dagmar Auer, Daniel Hofer, Josef Küng

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

Abstract

The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.

Original language	English
Title of host publication	Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1
Editors	Sabrina De Capitani di Vimercati and Pierangela Samarati
Place of Publication	Portugal
Publisher	Science and Technology Publications (SciTePress)
Pages	442-449
Number of pages	8
Volume	1
ISBN (Print)	978-989-758-666-8
DOIs	https://doi.org/10.5220/0012090000003555
Publication status	Published - Jul 2023

Fields of science

102 Computer Sciences
102010 Database systems
102015 Information systems
102016 IT security

JKU Focus areas

Digital Transformation
Sustainable Development: Responsible Technologies and Management

Access to Document

10.5220/0012090000003555

KnoP-2D
Auer, D. (Researcher), Mohamed, A. (Researcher) & Küng, J. (PI)
01.03.2019 → 28.02.2022
Project: Funded research › FFG - Austrian Research Promotion Agency

Cite this

Mohamed, A., Auer, D., Hofer, D., & Küng, J. (2023). XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement. In Sabrina De Capitani di Vimercati and Pierangela Samarati (Ed.), Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1 (Vol. 1, pp. 442-449). Science and Technology Publications (SciTePress). https://doi.org/10.5220/0012090000003555

Mohamed, Aya ; Auer, Dagmar ; Hofer, Daniel et al. / XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement. Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1. editor / Sabrina De Capitani di Vimercati and Pierangela Samarati. Vol. 1 Portugal : Science and Technology Publications (SciTePress), 2023. pp. 442-449

@inproceedings{9b78fb25ba7047fc919a499fe0745c65,

title = "XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement",

abstract = "The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.",

author = "Aya Mohamed and Dagmar Auer and Daniel Hofer and Josef K{\"u}ng",

year = "2023",

month = jul,

doi = "10.5220/0012090000003555",

language = "English",

isbn = "978-989-758-666-8",

volume = "1",

pages = "442--449",

editor = "{Sabrina De Capitani di Vimercati and Pierangela Samarati}",

booktitle = "Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1",

publisher = "Science and Technology Publications (SciTePress)",

}

Mohamed, A, Auer, D, Hofer, D & Küng, J 2023, XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement. in Sabrina De Capitani di Vimercati and Pierangela Samarati (ed.), Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1. vol. 1, Science and Technology Publications (SciTePress), Portugal, pp. 442-449. https://doi.org/10.5220/0012090000003555

XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement. / Mohamed, Aya; Auer, Dagmar; Hofer, Daniel et al.
Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1. ed. / Sabrina De Capitani di Vimercati and Pierangela Samarati. Vol. 1 Portugal: Science and Technology Publications (SciTePress), 2023. p. 442-449.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceedings › peer-review

TY - GEN

T1 - XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement

AU - Mohamed, Aya

AU - Auer, Dagmar

AU - Hofer, Daniel

AU - Küng, Josef

PY - 2023/7

Y1 - 2023/7

N2 - The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.

AB - The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.

U2 - 10.5220/0012090000003555

DO - 10.5220/0012090000003555

M3 - Conference proceedings

SN - 978-989-758-666-8

VL - 1

SP - 442

EP - 449

BT - Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1

A2 - Sabrina De Capitani di Vimercati and Pierangela Samarati, null

PB - Science and Technology Publications (SciTePress)

CY - Portugal

ER -

Mohamed A, Auer D, Hofer D, Küng J. XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement. In Sabrina De Capitani di Vimercati and Pierangela Samarati, editor, Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1. Vol. 1. Portugal: Science and Technology Publications (SciTePress). 2023. p. 442-449 doi: 10.5220/0012090000003555

XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement

Abstract

Fields of science

JKU Focus areas

Access to Document

Projects

KnoP-2D

Cite this