Figure 1 - uploaded by Irini Fundulaki
XML DTD for User Profile Information
Source publication
Access control for XML documents is a non-trivial topic, as can be witnessed from the number of approaches presented in the literature. Trying to compare these, we discovered the need for a simple, clear and unambiguous language to state the declarative semantics of an access control policy. All current approaches state the semantics in natural lan...
Citations
... XACML provides several combining algorithms to select from contradicting policies. Fundulaki and Marx [35] formalize fine-grained access control using XPath for XML documents, and their work claims that the visibility of a node depends on its ancestors; thus, when a node is granted access, then access is also granted to its descendants. However, other dependencies are not discussed related to XML documents. ...
Scalability in modeling has many facets, including the ability to build larger models and domain-specific languages (DSLs) efficiently. With the aim of tackling some of the most prominent scalability challenges in model-based engineering (MBE), the MONDO EU project developed the theoretical foundations and open-source implementation of a platform for scalable modeling and model management. The platform includes facilities for building large graphical DSLs, for splitting large models into sets of smaller interrelated fragments, to index large collections of models to speed-up their querying, and to enable the collaborative construction and refinement of complex models, among other features. This paper reports on the tools provided by MONDO that Ikerlan, a medium-sized technology center which in the last decade has embraced the MBE paradigm, adopted in order to improve their processes. This experience produced as a result a set of model editors and related technologies that fostered collaboration and scalability in the development of wind turbine control applications. In order to evaluate the benefits obtained, an on-site evaluation of the tools was performed. This evaluation shows that scalable MBE technologies give new growth opportunities to small- and medium-sized organizations.
... XACML provides several combining algorithms to select from contradicting policies. In [27], fine-grained access control is formalized using XPath for XML documents, which claims that the visibility of a node depends on its ancestors; thus, when a node is granted access, then access is also granted to its descendants. However, other dependencies are not discussed related to XML Documents. ...
Large-scale model-driven system engineering projects are carried out collaboratively. Engineering artefacts stored in model repositories are developed in either offline (checkout–modify–commit) or online (GoogleDoc-style) scenarios. Complex systems frequently integrate models and components developed by different teams, vendors and suppliers. Thus, confidentiality and integrity of design artefacts need to be protected in accordance with access control policies. We propose a secure collaborative modelling approach where fine-grained access control for models is strictly enforced by bidirectional model transformations. Collaborators obtain filtered local copies of the model containing only those model elements which they are allowed to read; write access control policies are checked on the server upon submitting model changes. We present a formal collaboration schema which provenly guarantees certain correctness constraints, and its adaption to online scenarios with on-the-fly change propagation and the integration into existing version control systems to support offline scenarios. The approach is illustrated, and its scalability is evaluated using a case study of the MONDO EU project.
... In addition, there are many studies (Emami and Zokaei 2005; Fan et al., 2004; Fundulaki and Marx, 2004) using different approaches to solve data access control. Some authors use four tuples Schema Role Access Control Policy (SRACP) (Li et al., 2011), but this kind of expression hasn't been adopted extensively. ...
With increasing rate of storing and sharing information in the cloud by the users, data storage brings new challenges to the Extensible Markup Language (XML) database in big data environments. The efficient retrieval of data with protection and privacy issues for accessing mass data in the cloud is more and more important. Most of existing research about XML data query and retrieval focuses on efficiency or establishing the index, and so on. However, these methods or algorithms do not take into account the data and data structure for their own safety issues. Furthermore, traditional access control rules read XML document node in a dynamic environment, relevant dynamic query-based keyword research data security and privacy protection requirements are not many. In order to improve the search efficiency with security condition, this paper examines how to generate the sub-tree of matching keywords that the user can access by the access control rules for the user's role. The corresponding algorithm is proposed to achieve safe and efficient keywords search.
... Regarding the essentials for the data-intensive platforms and services privacy and security mechanisms, the approach to achieving privacy protection is appropriate to implement through existing fine-grained access control mechanisms, such as the use of a high level access control specification language allowing the definition of a variety of access control user requirements. An applicable RDF access control approach (Flouris et al., 2010) is designed to scale, as it orients itself at previous work on database systems, provides a formal semantics as in (Fundulaki & Marx, 2004), and proposes an annotation-based enforcement mechanism. As a further evolution of such work, applicable to linked data, a new access mechanism based on ORDL ontology is suggested by Steyskal and Polleres (Steyskal and Polleres, 2014). ...
The project OpenFridge has designed and developed the Internet of Things data system with semantic and data analytics enablers for building new services on top of typical home appliance data–in particular, refrigerators. In order to identify the real-life potential of the system i.e. the innovative set-up from the technical as well as user acceptance sides, pilots with real users have been run, and eventually the data has been collected in a collaborative crowdsourcing manner. The most active users of the system have been surveyed. The paper describes the OpenFridge platform and approach, its evaluation results with the real life users, and discusses the lessons learned and open issues. Though still early for the massive market deployment, the system demonstrates the feasibility of the approach of the users interacting with the semantic energy data and eventually opening it up for the data economy. Also, preferences towards more pervasive ways to interact with such systems were identified.
... Interestingly, most of XML authorization models [8][9][10][17] consider structural hierarchy only. These models have an implicit assumption that information has been organized in the intended hierarchical form. ...
... On the other hand, XML security has long been investigated by many researchers. A fundamental line of work in this area is about specifying authorization policies for the protection of XML documents [8][9][10][17]. All of these models attach authorization policies directly on nodes in the XML tree. ...
There has been considerable research in specifying authorization policies for XML documents. Most of these approaches consider only hierarchical structure of underlying data. They define authorization policies by directly identifying XML nodes in the policies. These approaches work well for hierarchical structure but are not suitable for other required characteristics we identify in this paper as semantical association and scatteredness.
This paper presents an attribute based protection model for JSON documents. We assign security-label attribute values to JSON elements and specify authorization policies using these values. By using security-label attribute, we leverage semantical association and scatteredness properties. Our protection mechanism defines two types of policies called authorization and labeling policies. We present an operational model to specify authorization policies and different models for defining labeling policies. Finally, we demonstrate a proof-of-concept for the proposed models in the Swift service of OpenStack IaaS cloud.
... An XPath query selects a set of nodes in the XML DOM graph associated to the XML document, using access control operators and rules [8], [9]. ...
Web services allow middleware access to a relational database and require data representation in XML format. The XML views obtained from relational databases can be accessed by using XPath queries. This article proposes an optimization model for XML data processing based on a heuristic algorithm to extract data from XPath views. To this end, the author uses various XPath query classes temporarily stored in cache, as XPath views. For each view selected from cache, a compensation query can be found and composed with in order to solve an XML data query. Experimental results reveal the effectiveness of the heuristic method used to solve queries on XML documents.
... This feasibility hints towards efficient partitioning and reduction techniques on both the set of nodes and the set of paths in a document. Such techniques may be fruitfully applied towards, e.g., document compression [27], access control [28], and designing indexes for query processing [12,29,30]. ...
Given a document D in the form of an unordered node-labeled tree, we study the expressiveness on D of various basic fragments of XPath, the core navigational language on XML documents. Working from the perspective of these languages as fragments of Tarski's relation algebra, we give characterizations, in terms of the structure of D, for when a binary relation on its nodes is definable by an expression in these algebras. Since each pair of nodes in such a relation represents a unique path in D, our results therefore capture the sets of paths in D definable in each of the fragments. We refer to this perspective on language semantics as the "global view." In contrast with this global view, there is also a "local view" where one is interested in the nodes to which one can navigate starting from a particular node in the document. In this view, we characterize when a set of nodes in D can be defined as the result of applying an expression to a given node of D. All these definability results, both in the global and the local view, are obtained by using a robust two-step methodology, which consists of first characterizing when two nodes cannot be distinguished by an expression in the respective fragments of XPath, and then bootstrapping these characterizations to the desired results.
... In recent years there has been significant growth in the use of RBAC policies for managing resources in the form of XML documents or parts thereof. There has been a lot of research on RBAC policies for XML, see [5], and [6], for which parts of XML documents, called views, are defined using XPath expressions, see [7], using one of the following two implementing techniques. In an original, centralized server-based approach, the client uses secure channels to (1) provide a credential and a role name to the server; and (2) upon receiving the proper authorization, receive the materialized view (generated by the server) associated with this role. ...
The popularity of role-based access control (RBAC) policies within industry has generated considerable interest in the research community. Since XML has become a de facto standard for data representation, most RBAC policies are expressed in XML. Although XML documents can be very large, no succinct implementations for these policies exist. This paper describes a novel implementation (not previously proposed) for schema-less and streamed XML documents to provide authorized users with the results of queries on compressed documents. The designer of the policy does not need to be aware of any implementation details. Results of this research will be essential for industry, which could take advantage of efficient implementations of RBAC policies.
... In this section, we survey existing works and we present our approach in an informal way. The interested reader can also refer to [9] for a formal presentation of existing works. ...
In this paper, we first define a logical theory representing an XML database supporting XPath as query language and XUpdate as modification language. We then extend our theory with predicates allowing us to specify the security policy protecting the database. The security policy includes rules addressing the read and write privileges. We propose axioms to derive the database view each user is permitted to see. We also propose axioms to derive the new database content after an update.