ADQL: A Flexible Access Definition and Query Language to Define Access Control Models

Andreas Sonnenbichler, Andreas Geyer-Schulz

Abstract

We suggest a full specified formal language, the Access Definition and Query Language (ADQL). It has been designed to define access control models, facts, policies, and queries. ADQL, therefore, has the features of a meta language: It can be configured to act like known access control models e.g. as Bell-LaPadula, RBAC and its extensions and applications (e.g. SAP R/3), but also it can implement new models. Because of this, ADQL is highly flexible. Nevertheless, ADQL is not only a meta-language, but also allows to define facts, policies and queries. It has been implemented as a software service. It can be used as external authorization component for other applications and services. Through its flexibility many access control models can be supported.

References

  1. AG, S. (2008). ADM940 - Berechtigungskonzept AS ABAP Schulungshandbuch. SAP, Walldorf, Germany.
  2. Ardagna, C. A., Cremonini, M., De Capitani di Vimercati, S., and Samarati, P. (2008). A privacy-aware access control system. J. Comput. Secur., 16(4):369-397.
  3. Barker, S. (2009). The next 700 access control models or a unifying meta-model? In Proceedings of the 14th ACM symposium on Access control models and technologies, SACMAT 7809, pages 187-196, New York, NY, USA. ACM.
  4. Bell, D. E. and LaPadula, L. J. (1975). Secure Computer Systems: Mathematical Foundations and Model. M74-244. Mitre Corporation, Bedford, MA, USA.
  5. Berners-Lee, T., Fielding, R., Irvine, U., and Masinter, L. (1998). Uniform resource identifiers (URI): generic syntax. http://www.ietf.org/rfc/rfc2396.txt. last accessed: 2011-02-26.
  6. Crampton, J. and Huth, M. (2010). An authorization framework resilient to policy evaluation failures. In Gritzalis, D., Preneel, B., and Theoharidou, M., editors, Computer Security ESORICS 2010, volume 6345 of Lecture Notes in Computer Science, pages 472-487. Springer Berlin / Heidelberg. 10.1007/978-3-642- 15497-3 29.
  7. Damiani, E., di Vimercati, S. D. C., Paraboschi, S., and Samarati, P. (2002). A fine-grained access control system for XML documents. ACM Transactions on Information and System Security (TISSEC), 5:169-202. ACM ID: 505590.
  8. Geysin, S., Petrov, A., Charrue, P., Gajewski, W., Kain, V., Kostro, K., Kruk, G., Page, S., and Peryt, M. (2007). Role-Based access control for the accelerator control system at CERN. In International Conference on Accelerator and Large Experimental Physics Control Systems, pages 90-92, Knoxville, Tennessee, USA.
  9. Gupta, R. and Bhide, M. (2005). A Generic XACML Based Declarative Authorization Scheme for Java. In di Vimercati, S. d. C., Syverson, P., and Gollmann, D., editors, Computer Security ESORICS 2005, volume 3679 of Lecture Notes in Computer Science, pages 44-63. Springer Berlin / Heidelberg.
  10. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in operating systems. Communications of the ACM, 19(8):461-471.
  11. Li, N., Wang, Q., Qardaji, W., Bertino, E., Rao, P., Lobo, J., and Lin, D. (2009). Access control policy combining: theory meets practice. In Proceedings of the 14th ACM symposium on Access control models and technologies, SACMAT 7809, pages 135-144, New York, NY, USA. ACM.
  12. McLean, J. (1988). The algebra of security. In IEEE Symposium on Security and Privacy, Oakland, CA.
  13. Ni, Q., Bertino, E., and Lobo, J. (2009). D-algebra for composing access control policy decisions. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS 7809, pages 298-309, New York, NY, USA. ACM.
  14. Notargiacomo, L. (1996). Role-based access control in ORACLE7 and trusted ORACLE7. In Proceedings of the first ACM Workshop on Role-based access control, RBAC 7895, New York, NY, USA. ACM.
  15. Rissanen, E. (2010). eXtensible Access Control Markup Language (XACML) Version 3.0 Committee Draft 03. OASIS eXtensible Access Control Markup Language (XACML) TC.
  16. Samarati, P. and Vimercati, S. D. C. d. (2001). Access control: Policies, models, and mechanisms. In Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures, pages 137-196. Springer-Verlag.
  17. Wang, Q., Jin, H., and Li, N. (2009). Usable access control in collaborative environments: authorization based on people-tagging. In Proceedings of the 14th European conference on Research in computer security, ESORICS'09, pages 268-284, Berlin, Heidelberg. Springer-Verlag.
  18. Yuan, E. and Tong, J. (2005). Attributed based access control (ABAC) for web services. In Web Services, 2005. ICWS 2005. Proceedings. 2005 IEEE International Conference on, pages 569-578.
Download


Paper Citation


in Harvard Style

Sonnenbichler A. and Geyer-Schulz A. (2012). ADQL: A Flexible Access Definition and Query Language to Define Access Control Models . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 379-386. DOI: 10.5220/0004023903790386


in Bibtex Style

@conference{secrypt12,
author={Andreas Sonnenbichler and Andreas Geyer-Schulz},
title={ADQL: A Flexible Access Definition and Query Language to Define Access Control Models},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={379-386},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004023903790386},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - ADQL: A Flexible Access Definition and Query Language to Define Access Control Models
SN - 978-989-8565-24-2
AU - Sonnenbichler A.
AU - Geyer-Schulz A.
PY - 2012
SP - 379
EP - 386
DO - 10.5220/0004023903790386