Static Enforceability of XPath-Based Access Control Policies

TL;DR

This paper investigates the static enforceability of XPath-based access control policies in XML databases, introducing topological characterizations to identify when policies can be enforced without database access, balancing efficiency and precision.

Contribution

It introduces topological characterizations of XPath fragments and defines fair policies, providing a framework to determine static enforceability and its computational complexity.

Findings

Topological characterizations of XPath fragments for static enforcement

Definition of fair policies that are statically enforceable

Complexity analysis of enforcement and fairness determination

Abstract

We consider the problem of extending XML databases with fine-grained, high-level access control policies specified using XPath expressions. Most prior work checks individual updates dynamically, which is expensive (requiring worst-case execution time proportional to the size of the database). On the other hand, static enforcement can be performed without accessing the database but may be incomplete, in the sense that it may forbid accesses that dynamic enforcement would allow. We introduce topological characterizations of XPath fragments in order to study the problem of determining when an access control policy can be enforced statically without loss of precision. We introduce the notion of fair policies that are statically enforceable, and study the complexity of determining fairness and of static enforcement itself.