TY - GEN
T1 - XACML Extension for Graphs: Flexible Authorization Policy Specification and Datastore-Independent Enforcement
AU - Mohamed, Aya
AU - Auer, Dagmar
AU - Hofer, Daniel
AU - Küng, Josef
PY - 2023/7
Y1 - 2023/7
N2 - The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.
AB - The increasing use of graph-structured data for business- and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. In our previous research iterations, we started to design an authorization policy language and access control model, which considers the specification of graph paths and enforces them in the multi-model database ArangoDB. Since this approach is promising to consider graph characteristics in data protection, we improve the language in this work to provide flexible path definitions and specifying edges as protected resources. Furthermore, we introduce a method for a datastore-independent policy enforcement. Besides discussing the latest work in our XACML4G model, which is an extension to the Extensible Access Control Markup Language (XACML), we demonstrate our prototypical implementation with a real case giving an outlook on performance.
UR - https://www.scopus.com/pages/publications/85178622303
U2 - 10.5220/0012090000003555
DO - 10.5220/0012090000003555
M3 - Conference proceedings
SN - 978-989-758-666-8
VL - 1
T3 - Proceedings of the International Conference on Security and Cryptography
SP - 442
EP - 449
BT - Proceedings of the 20th International Conference on Security and Cryptography SECRYPT - Volume 1
A2 - De Capitani di Vimercati, Sabrina
A2 - Samarati, Pierangela
PB - Science and Technology Publications (SciTePress)
CY - Portugal
ER -