Scalable Enforcement of Fine Grained Access Control Policies in Relational Database Management Systems
Anadi Shakya, Primal Pappachan, David Maier, Roberto Yus, Sharad Mehrotra, Johann-Christoph Freytag

TL;DR
Sieve is a middleware that enhances the scalability and efficiency of enforcing fine-grained access control policies in relational databases through query rewriting and caching, supporting real-time privacy management.
Contribution
The paper introduces Sieve, a novel middleware combining query rewriting and caching to enable scalable, efficient enforcement of large-scale FGAC policies in relational DBMSs.
Findings
Sieve scales to large datasets and policy sets, maintaining low latency.
It improves policy evaluation performance by 2x to 10x.
The caching extension further boosts performance by 6% to 22% under dynamic workloads.
Abstract
The proliferation of smart technologies and evolving privacy regulations such as the GDPR and CPRA has increased the need to manage fine-grained access control (FGAC) policies in database management systems (DBMSs). Existing approaches to enforcing FGAC policies do not scale to thousands of policies, leading to degraded query performance and reduced system effectiveness. We present Sieve, a middleware for relational DBMSs that combines query rewriting and caching to optimize FGAC policy enforcement. Sieve rewrites a query with guarded expressions that group and filter policies and can efficiently use indexes in the DBMS. It also integrates a caching mechanism with an effective replacement strategy and a refresh mechanism to adapt to dynamic workloads. Experiments on two DBMSs with real and synthetic datasets show that Sieve scales to large datasets and policy corpora, maintaining low…
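The guarded-expression rewriting mentioned in the abstract, as an added illustration (not code from the paper or from Sieve): policies applicable to a querier are grouped under a shared, index-friendly guard predicate instead of being appended as one flat disjunction. The `presence` table, the policies, the rows, and the choice of `owner = ?` as the guard are assumptions constructed for this example; how Sieve itself selects guards is not described on this page.

```python
import sqlite3
from collections import defaultdict

# Constructed policies: (owner, allowed_querier, location, start_hour, end_hour)
POLICIES = [
    ("alice", "prof_x", "lab1", 9, 17),
    ("alice", "prof_x", "lab2", 9, 12),
    ("bob",   "prof_x", "lab1", 8, 20),
    ("bob",   "ta_y",   "lab1", 8, 20),
]
# Constructed rows: (id, owner, location, hour)
ROWS = [(1, "alice", "lab1", 10), (2, "alice", "lab2", 15),
        (3, "bob", "lab1", 19), (4, "carol", "lab1", 10), (5, "bob", "lab2", 9)]

OBJ = "(location = ? AND hour >= ? AND hour < ?)"  # one policy's object condition

def naive_where(querier):
    """One disjunct per applicable policy; default deny when none apply."""
    ps = [p for p in POLICIES if p[1] == querier]
    if not ps:
        return "0", []
    sql = " OR ".join(f"(owner = ? AND {OBJ})" for _ in ps)
    return sql, [v for p in ps for v in (p[0], p[2], p[3], p[4])]

def guarded_where(querier):
    """Group applicable policies under a shared, indexable guard (owner = ?)."""
    groups = defaultdict(list)
    for p in POLICIES:
        if p[1] == querier:
            groups[p[0]].append(p)
    if not groups:
        return "0", []  # no policy grants access: deny all rows
    parts, params = [], []
    for owner, ps in groups.items():
        parts.append(f"(owner = ? AND ({' OR '.join(OBJ for _ in ps)}))")
        params += [owner] + [v for p in ps for v in p[2:]]
    return " OR ".join(parts), params

def run(where_fn, querier):
    """Apply the rewritten WHERE clause to the constructed table; return visible ids."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE presence(id INTEGER, owner TEXT, location TEXT, hour INTEGER)")
    db.execute("CREATE INDEX idx_owner ON presence(owner)")
    db.executemany("INSERT INTO presence VALUES (?,?,?,?)", ROWS)
    where, params = where_fn(querier)
    sql = f"SELECT id FROM presence WHERE {where} ORDER BY id"
    return [r[0] for r in db.execute(sql, params)]
```

Both rewrites return the same rows for a querier; the guarded form evaluates each group's policy conditions only for rows that pass the indexed guard.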
Taxonomy
Topics: Advanced Database Systems and Queries · Distributed systems and fault tolerance · Cloud Computing and Resource Management
