Authorization-Transparent Access Control for XML Under the Non-Truman Model

In authorization-transparent access control, users formulate their queries against the database schema rather than against authorization views that transform and hide data. The Truman and the Non-Truman are two approaches to authorization transparency where in a Truman model, queries that violate the access restrictions are modified transparently by the system to only reveal accessible data, while in a Non-Truman model, such queries are rejected. The advantage of a Non-Truman model is that the semantics of user queries is not changed by the access control mechanism. This work presents an access control mechanism for XML under the Non-Truman model. Security policies are specified as parameterized rules formulated using XPath. The rules specify relationships between elements that should be concealed from users. Hence, not only elements, but also edges and paths within an XML document, can be concealed. The access control mechanism authorizes only valid queries, i.e., queries that do not disclose the existence of concealed relationships. The additional expressive power, provided by these rules, over element-based authorization techniques is illustrated and algorithms that check the validity of queries are provided. The proposed access control mechanism can either serve as a substitute for views or as a layer that verifies the specific relationships are concealed by a view.