research-article

A Fine-Grained Access Control Model and Implementation

Authors:
Ekaterina Gorshkova

Department of Analytical Information Systems, University of St. Petersburg, Russia

Department of Analytical Information Systems, University of St. Petersburg, Russia
View Profile

,
Boris Novikov

Department of Analytical Information Systems, University of St. Petersburg, Russia

Department of Analytical Information Systems, University of St. Petersburg, Russia
View Profile

,
Manoj Kumar Shukla

India

India
View Profile

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and TechnologiesJune 2017Pages 187–194https://doi.org/10.1145/3134302.3134310

Published:23 June 2017Publication History

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies

Pages 187–194

ABSTRACT

The several models and solutions were introduced and implemented to address privacy and security issues during past decades. However, the most advanced role-based access control models support coarse-grained access control and widely used open source frameworks cannot provide efficient and effective fine-grained solution. We introduce a general fine-grained access control model and provide an implementation by extending Spring Security framework. Our model is tightly coupled with database access control at row-level and is separated from business functions of the application.

References

A. E. Abdallah and E. J. Khayat. A formal model for parameterized role-based access control. In Formal Aspects in Security and Trust: 2nd IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), an event of the 18th IFIP World Computer Congress, August 22-27, 2004, Toulouse, France, pages 233--246, 2004.Google Scholar
G.-J. Ahn and H. Hu. Towards realizing a formal rbac model in real systems. In Proc. the 12th ACM ACMAT '07, p. 215--224, 2007. ACM. Google ScholarDigital Library
http://shiro.apache.org/.Google Scholar
A. Armando, R. Carbone, E. G. Chekole, and S. Ranise. Attribute based access control for apis in spring security. In Proc. 19th ACM SACMAT '14, p. 85--88, 2014. ACM. Google ScholarDigital Library
J. Chae. Towards modal logic formalization of role-based access control with object classes. In Proc. the 27th IFIP WG 6.1 Intnl. Conf. on Formal Techniques for Networked and Distributed Systems, FORTE '07, p. 97--111, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
J. H. Chae and N. Shiri. Formalization of rbac policy with object class hierarchy. In Proc. ISPEC07, pages 162--176, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
A. Cuzzocrea, M.-S. Hacid, and N. Grillo. Effectively and efficiently selecting access control rules on materialized views over relational databases. In Proc. IDEAS '10 p. 225--235, 2010. ACM. Google ScholarDigital Library
M. Finifter, A. Mettler, N. Sastry, and D. Wagner. Verifiable functional purity in java. In Proc. ACM CCS '08, p. 161--174, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
A. Y. Halevy. Theory of answering queries using views. SIGMOD Rec., 29(4):40--47, Dec. 2000. Google ScholarDigital Library
Y. Han, X. Chun-Gen, Z. Gong-Xuan, and L. Feng-Yu. Constraint specification for object model of access control based on role. SIGSOFT Softw. Eng. Notes, 25(2):60--63, Mar. 2000. Google ScholarDigital Library
G. T. Leavens, A. L. Baker, and C. Ruby. Preliminary design of jml: A behavioral interface specification language for java. SIGSOFT Softw. Eng Notes, 31(3):1--38, 2006. Google ScholarDigital Library
T. Lodderstedt, D. A. Basin, and J. Doser. Secureuml: A uml-based modeling language for model-driven security. In Proc. UML '02, p. 426--441, London, UK, UK, 2002. Springer-Verlag. Google ScholarDigital Library
T. Mustafa, M. Drouineaud, and K. Sohr. Towards formal specification and verification of a role-based authorization engine using jml. In Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS '10, p. 50--57, ACM. Google ScholarDigital Library
G. Naumovich and P. Centonze. Static analysis of role-based access control in j2ee applications. SIGSOFT Softw. Eng. Notes, 29(5):1--10, Sept. 2004. Google ScholarDigital Library
American national standards institute inc. role based access control. ANSI-INCITS 359--2004, 2004. Accessed April 4, 2010.Google Scholar
http://www.omg.org/spec/OCL/.Google Scholar
L. E. Olson, C A. Gunter, W. R. Cook, and M. Winslett. Implementing reflective access control in sql. In Proc. 23rd Annual IFIP WG 11.3 Working Conf. on Data and Applications Security XXIII, pages 17--32, Berlin, Heidelberg, 2009. Springer-Verlag. Google ScholarDigital Library
R. Pandey and B. Hashii. Providing fine-grained access control for java programs. In Proc. ECOOP '99, p. 449-- 473, London, UK, UK, 1999. Springer-Verlag. Google ScholarDigital Library
S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for fine-grained access control. In Proc. SIGMOD '04, p. 551--562ACM. Google ScholarDigital Library
E. Rosenthal, A. Sciore. Abstracting and refining authorization in sql. In Proceedings of VLDB 2004 Workshop, pages 184--162, 2004.Google ScholarCross Ref
R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. Computer, 29(2):38--47, Feb. 1996. Google ScholarDigital Library
D. Servos and S. L. Osborn. Current research and open problems in attribute-based access control. ACM Comput. Surv., 49(4):65:1--65:45, Jan. 2017. Google ScholarDigital Library
http://projects.spring.io/spring-data/.Google Scholar
https://docs.spring.io/spring/docs/current/spring-framework-reference/html/expressions.html.Google Scholar
http://projects.spring.io/spring-security/.Google Scholar
http://www.uml.org/.Google Scholar
The virtual private database in oracle9ir2: An oracle technical white paper. http://otn.oracle.com/deploy/-security/oracle9ir2/pdf/vpd9ir2twp.pdf.Google Scholar
J. Zarnett, M. Tripunitara, and P. Lam. Role-based access control (rbac) in java via proxy objects using annotations. In Proc. ACMAT '10, p. 79--88, 2010. ACM. Google ScholarDigital Library

Recommendations

Towards a Flexible Fine-Grained Access Control System for Modern Cloud Applications
CLOUD '14: Proceedings of the 2014 IEEE International Conference on Cloud Computing

The fast growth of cloud applications highlights the requirement of appropriate security controls to restrict access to shared resources limited to authorized users. Existing authorization systems are not primarily designed for cloud environments and do ...
Read More
Fine-grained role graph model
Read More
Towards fine-grained access control on browser extensions
ISPEC'12: Proceedings of the 8th international conference on Information Security Practice and Experience

We propose a practical and fine-grained browser extension access control framework, which regulates the misbehavior of JSEs with malicious intent at run time by means of restricting the access to resources, in order to prevent the malicious JSEs from ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies
June 2017
358 pages
ISBN:9781450352345
DOI:10.1145/3134302
Editors:
Boris Rachev,
Angel Smrikarov
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 23 June 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
application development
fine-grained access control
privacy
security
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
CompSysTech '17 Paper Acceptance Rate42of107submissions,39%Overall Acceptance Rate241of492submissions,49%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 2
  Total Citations
  View Citations
- 132
  Total Downloads
- Downloads (Last 12 months)10
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A Fine-Grained Access Control Model and Implementation

CompSysTech '17: Proceedings of the 18th International Conference on Computer Systems and Technologies

ABSTRACT

References

Cited By

Recommendations

Towards a Flexible Fine-Grained Access Control System for Modern Cloud Applications

Fine-grained role graph model

Towards fine-grained access control on browser extensions