Architectural Considerations for a Data Access Marketplace Based upon API Management

  • Uwe HohensteinEmail author
  • Sonja ZillnerEmail author
  • Andreas BiesdorfEmail author
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 862)


Data and access to data are becoming more and more a product or service to be sold. In order to deal with data access, this paper presents a marketplace for trading data. Within the marketplace, producers can present their offerings for data access and algorithms, whereas consumers are able to browse through the offerings, to subscribe to corresponding services, and to use them after being approved. As a specific property, the presented approach allows to control data access at a fine-granular level. This supports use cases where different consumers should see different portions of data according to subscribed price models and/or Service Level Agreements (SLAs). The approach takes benefit from API management, particularly the tool WSO2. The paper discusses possible architectures to combine API Management with user-specific filtering and control of SLAs, and illustrates in detail how the features of WSO2 help ease implementation and reduce effort on the one hand. On the other hand, the paper elaborates upon several technical challenges to overcome.


Marketplace Data access control Filtering API Management 



This research has been supported in part by the KDI project, which is funded by the German Federal Ministry of Economics and Technology under grant number 01MT14001 and by the EU FP7 Diachron project (GA 601043).


  1. 1.
    Abramov, J., Anson, O., Dahan, M., et al.: A methodology for integrating access control policies within database development. Comput. Secur. 31(3), 299–314 (2012)CrossRefGoogle Scholar
  2. 2.
    Balazinska, M., Howe, B., Suciu, D.: Data markets in the cloud: an opportunity for the fatabase community. Proc. VLDB Endow. 4(12), 1482–1485 (2011)Google Scholar
  3. 3.
    Barker, S.: Dynamic meta-level access control in SQL. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 1–16. Springer, Heidelberg (2008). Scholar
  4. 4.
    Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Trans. Inf. Syst. 17(2), 101–140 (1999)CrossRefGoogle Scholar
  5. 5.
    Caires, L., Pérez, J.A., Seco, J.C., Vieira, H.T., Ferrão, L.: Type-based access control in data-centric systems. In: Barthe, G. (ed.) ESOP 2011. LNCS, vol. 6602, pp. 136–155. Springer, Heidelberg (2011). Scholar
  6. 6.
    Chaudhuri, S., Dutta, T., Sudarshan, S.: Fine grained authorization through predicated grants. In: 23rd International Conference on Data Engineering (ICDE), pp. 1174–1183. IEEE (2007)Google Scholar
  7. 7.
    Chlipala, A., Impredicative, L.: Static checking of dynamically-varying security policies in database-backed applications. In: The USENIX Conference on Operating Systems Design and Implementation, pp. 105–118 (2010)Google Scholar
  8. 8.
    Corcoran, B., Swamy, N., Hicks, M.: Cross-tier, label-based security enforcement for web applications. In: Proceedings of the 2009 ACM SIGMOD International Conference on Management of Data, pp. 269–282. ACM (2009)Google Scholar
  9. 9.
    Fischer, J., Marino, D., Majumdar, R., Millstein, T.: Fine-grained access control with object-sensitive roles. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 173–194. Springer, Heidelberg (2009). Scholar
  10. 10.
    Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security – a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)CrossRefGoogle Scholar
  11. 11.
    Hohenstein, U., Zillner, S., Biesdorf, A.: Architectural considerations for a data access marketplace. In: Proceedings of the 7th International Conference on Data Science, Technology and Applications (DATA 2018), Porto (Portugal), pp. 323–333 (2018)Google Scholar
  12. 12.
    Jayaraman, K., Tripunitara, M., Ganesh, V., et al.: Mohawk: abstraction-refinement and bound-estimation for verifying access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 15(4), 1–28 (2013). Article No. 18CrossRefGoogle Scholar
  13. 13.
    LeFevre, K., Agrawal, R., Ercegovac, V., et al.: Limiting disclosure in hippocratic databases. In: Proceedings of the 13th VLDB, pp. 108–119 (2004)CrossRefGoogle Scholar
  14. 14.
    Oracle: Using Oracle Virtual Private Database to Control Data Access.
  15. 15.
    Pereira, O., Regateiro, D., Aguiar, R.: Distributed and typed role-based access control mechanisms driven by CRUD expressions. Int. J. Comput. Sci. Theor. Appl. 2(1), 1–11 (2014)Google Scholar
  16. 16.
    Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: ACM SIGMOD Conference, pp. 551–562 (2004)Google Scholar
  17. 17.
  18. 18.
    Roichman, A., Gudes, E.: Fine-grained access control to web databases. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 31–40. ACM (2007)Google Scholar
  19. 19.
    Roman, D., Paniagua, J., Tarasova, T., et al.: proDataMarket: a data marketplace for monetizing linked data. In: Demo Paper at 16th International Semantic Web Conference (ISWC 2017), Vienna (2017)Google Scholar
  20. 20.
    Sonntag, D., Tresp, V., Zillner, S., Cavallaro, A., et al.: The clinical data intelligence project. Informatik-Spektrum 39, 1–11 (2015)Google Scholar
  21. 21.
    Wang, Q., Yu, T., Li, N., et al.: On the correctness criteria of fine-grained access control in relational databases. In: Proceedings of the 33rd International Conference on Very Large Data Bases, pp. 555–566 (2007)Google Scholar
  22. 22.
    Zarnett, J., Tripunitara, M., Lam, P.: Role-based access control (RBAC) in Java via proxy objects using annotations. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 79–88. ACM (2010)Google Scholar
  23. 23.
    XACML: XACML – eXtensible Access Control Markup Language.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Corporate Technology, Siemens AGMunichGermany

Personalised recommendations