Access control models are typically very coarse-grained, allowing one access to
ID: 648020 • Letter: A
Question
Access control models are typically very coarse-grained, allowing one access to a resource (possibly with some combination of read/write/execute permission) or exclude such access. Some models of database security allow access to be granted on a per row basis (though I don't have a reference handy).
Have fine-grained access control models been designed to limit access to parts of an XML document? What could/should a model look like? Has any work been done in this area? Are other security models applicable in this context?
For example, one could imagine that the model prevents access to a particular subtree. The subtree could either be removed or encrypted.
Note that this need not explicitly apply to XML. Any models devised for semi-structured data are also interesting.
Explanation / Answer
The conversion between SQL access control policies and XML-specific access control models has been studied in:
"Preserving SQL Access Control Policies Over Published XML Data" by G. Leighton (2009)
According to the author:
... To the best of our knowledge, our work represents the first attempt to formulate an SQL-to-XML access control policy translation framework, capable of expressing the entirety of the SQL access control model, and carrying the semantics of the original ACP over to the chosen XML ACP formulation language. ...