Static Enforceability of XPath-Based Access Control Policies
This work addresses performance bottlenecks in XML database security for applications requiring fine-grained access control, though it is incremental as it builds on prior dynamic enforcement methods.
The paper tackles the problem of efficiently enforcing XPath-based access control policies in XML databases by introducing topological characterizations to determine when static enforcement is possible without loss of precision, resulting in a method that avoids expensive dynamic checks.
We consider the problem of extending XML databases with fine-grained, high-level access control policies specified using XPath expressions. Most prior work checks individual updates dynamically, which is expensive (requiring worst-case execution time proportional to the size of the database). On the other hand, static enforcement can be performed without accessing the database but may be incomplete, in the sense that it may forbid accesses that dynamic enforcement would allow. We introduce topological characterizations of XPath fragments in order to study the problem of determining when an access control policy can be enforced statically without loss of precision. We introduce the notion of fair policies that are statically enforceable, and study the complexity of determining fairness and of static enforcement itself.