A FLEXIBLE FRAMEWORK FOR APPLYING DATA ACCESS AUTHORIZATION BUSINESS RULES

Leonardo Guerreiro Azevedo, Sergio Puntar, Raphael Thiago, Fernanda Baião, Claudia Cappelli

Abstract

This work proposes a flexible framework for managing and implementing data access authorization business rules on top of relational DBMSs, independently of the applications that access the database. The framework adopts the RBAC approach to policy definition and was implemented on Oracle DBMS. Data access security is therefore managed centrally in the data server layer, rather than in each application that accesses the data, and is enforced by the database server. Experimental tests were run using the TPC-H benchmark workload, and the results indicate the effectiveness of the proposal.
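As an added illustration (not the paper's own code), one way a role-based data access rule can be stored as data and enforced by the Oracle server itself, independently of the calling application: a rule table is consulted by a Virtual Private Database (DBMS_RLS) policy function attached to the TPC-H CUSTOMER table. The rule table, role names, schema name and nation keys are assumptions constructed for this example, and the paper does not state that its implementation uses VPD.

```sql
-- Added example, not code from the paper. Assumes a TPC-H CUSTOMER table in
-- schema TPCH (column C_NATIONKEY) and Oracle's DBMS_RLS (VPD) package.

-- Business-rule storage: which database roles may see customers of which nation.
-- Keeping the rule as data lets it be changed without touching any application.
CREATE TABLE cust_access_rule (
  role_name  VARCHAR2(30) NOT NULL,
  nationkey  NUMBER       NOT NULL,
  CONSTRAINT pk_cust_access_rule PRIMARY KEY (role_name, nationkey)
);
-- Constructed sample rows (role names and nation keys are made up).
INSERT INTO cust_access_rule VALUES ('SALES_EMEA', 7);
INSERT INTO cust_access_rule VALUES ('SALES_EMEA', 19);
INSERT INTO cust_access_rule VALUES ('SALES_APAC', 8);
COMMIT;

-- Policy function: returns the WHERE predicate the server appends to every
-- statement against CUSTOMER, derived from the roles enabled in the session.
CREATE OR REPLACE FUNCTION cust_rls_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- Rule maintainers (assumed role) are exempt; a NULL predicate means no filter.
  IF DBMS_SESSION.IS_ROLE_ENABLED('CUST_RULE_ADMIN') THEN
    RETURN NULL;
  END IF;
  -- Everyone else sees only nations granted to one of their enabled roles
  -- (SESSION_ROLES lists the roles enabled in the current session).
  -- A session with no matching rule row gets an empty IN list: deny by default.
  RETURN 'c_nationkey IN (SELECT r.nationkey FROM cust_access_rule r '
      || 'JOIN session_roles s ON s.role = r.role_name)';
END;
/

-- Register the policy so the server enforces it for reads and writes alike;
-- UPDATE_CHECK also rejects changes that would move a row out of view.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'TPCH',
    object_name     => 'CUSTOMER',
    policy_name     => 'CUST_NATION_RULE',
    function_schema => 'TPCH',
    policy_function => 'CUST_RLS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

A practitioner would verify the rule from a session holding only SALES_EMEA and confirm that `SELECT DISTINCT c_nationkey FROM tpch.customer` returns nothing but 7 and 19.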



Paper Citation

in Harvard Style

Guerreiro Azevedo L., Puntar S., Thiago R., Baião F. and Cappelli C. (2010). A FLEXIBLE FRAMEWORK FOR APPLYING DATA ACCESS AUTHORIZATION BUSINESS RULES. In Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 1: ICEIS, ISBN 978-989-8425-04-1, pages 275-280. DOI: 10.5220/0002909602750280


in Bibtex Style

@conference{iceis10,
author={Leonardo Guerreiro Azevedo and Sergio Puntar and Raphael Thiago and Fernanda Baião and Claudia Cappelli},
title={A FLEXIBLE FRAMEWORK FOR APPLYING DATA ACCESS AUTHORIZATION BUSINESS RULES},
booktitle={Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 1: ICEIS},
year={2010},
pages={275-280},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002909602750280},
isbn={978-989-8425-04-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Enterprise Information Systems - Volume 1: ICEIS
TI - A FLEXIBLE FRAMEWORK FOR APPLYING DATA ACCESS AUTHORIZATION BUSINESS RULES
SN - 978-989-8425-04-1
AU - Guerreiro Azevedo L.
AU - Puntar S.
AU - Thiago R.
AU - Baião F.
AU - Cappelli C.
PY - 2010
SP - 275
EP - 280
DO - 10.5220/0002909602750280