Abstract
The most important aspect of security in a database, once the user has been authenticated, is its access control mechanism. How well that mechanism can express the security policy can make or break the system.
This paper introduces constraints-based access control (CBAC), an access control mechanism in which general associations between users and permissions are specified by rules (constraints) governing the access rights of each user. These associations are not restricted to static factors but can depend on dynamic ones as well.
One of the many advantages of CBAC is that even a static CBAC is a generalisation of most of the access control mechanisms in use today. We demonstrate how CBAC can efficiently simulate role-based access control (RBAC) and access control lists (ACLs). In fact, CBAC allows any abstract concept to be introduced, as one would introduce roles in RBAC, and on top of that it allows users to specify interactions between these concepts.
Any flexible access control method usually raises concerns over its time efficiency. We advocate the use of partial solutions to the access control constraints to improve the efficiency of CBAC.
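The following is an added illustration, not code from the chapter and not its formalism: a toy CBAC engine in Python in which every permission is guarded by a conjunction of constraints over the user's static attributes and the request's dynamic environment. It shows RBAC membership, an ACL entry, a separation-of-duty interaction between two roles, and a temporal condition all expressed as constraints, and it interprets "partial solution" as evaluating the static constraints once per user and keeping only the dynamic residue for per-request checks. The objects (`ledger`, `payment`), roles, user names and office hours are constructed sample data.

```python
"""Toy constraints-based access control (CBAC) engine (added illustration, not the
chapter's own formalism). A permission (object, action) is granted when some rule for
it has all of its constraints satisfied. Static constraints depend only on the user's
attributes; dynamic constraints also read the request environment (e.g. the clock)."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]          # user attributes (static) or request environment (dynamic)
Permission = Tuple[str, str]    # (object, action)


@dataclass(frozen=True)
class Constraint:
    name: str
    pred: Callable[[Attrs, Attrs], bool]   # pred(user, env) -> bool
    dynamic: bool                          # True if pred reads env and cannot be pre-evaluated


@dataclass(frozen=True)
class Rule:
    permission: Permission
    constraints: Tuple[Constraint, ...]    # conjunction: all must hold for the rule to grant


# Constraint constructors. The first three show RBAC, a role interaction and an ACL
# entry expressed as constraints; the last one is a dynamic (temporal) constraint.

def has_role(role: str) -> Constraint:
    """RBAC membership as a constraint on the user's role set."""
    return Constraint(f"has_role({role})", lambda u, e: role in u["roles"], dynamic=False)


def lacks_role(role: str) -> Constraint:
    """Interaction between roles (separation of duty): holders of `role` are excluded."""
    return Constraint(f"lacks_role({role})", lambda u, e: role not in u["roles"], dynamic=False)


def user_in(*names: str) -> Constraint:
    """An ACL entry as a constraint on the principal's identity."""
    allowed = frozenset(names)
    return Constraint(f"user_in{names}", lambda u, e: u["name"] in allowed, dynamic=False)


def during_hours(start: time, end: time) -> Constraint:
    """Dynamic constraint: the request's clock time must lie in [start, end)."""
    return Constraint(f"during_hours({start}-{end})",
                      lambda u, e: start <= e["now"] < end, dynamic=True)


def check(rules: List[Rule], user: Attrs, perm: Permission, env: Attrs) -> bool:
    """Full evaluation: grant if any rule for `perm` has every constraint satisfied."""
    return any(r.permission == perm and all(c.pred(user, env) for c in r.constraints)
               for r in rules)


def partial_solve(rules: List[Rule], user: Attrs) -> List[Rule]:
    """Partial solution for a known user (e.g. at session start): evaluate the static
    constraints once, drop rules the user can never satisfy, and keep only the dynamic
    constraints of the remaining rules. check() over the result agrees with check()
    over the full policy for that user but evaluates far fewer constraints."""
    residual: List[Rule] = []
    for r in rules:
        if all(c.pred(user, {}) for c in r.constraints if not c.dynamic):
            residual.append(Rule(r.permission, tuple(c for c in r.constraints if c.dynamic)))
    return residual


# Constructed sample policy and users (hypothetical objects, roles and names).
POLICY: List[Rule] = [
    Rule(("ledger", "read"), (has_role("clerk"), during_hours(time(9), time(17)))),  # RBAC + time
    Rule(("ledger", "update"), (user_in("alice", "bob"),)),                           # ACL
    Rule(("payment", "approve"), (has_role("approver"), lacks_role("clerk"))),         # SoD
]

USERS: Dict[str, Attrs] = {
    "alice": {"name": "alice", "roles": frozenset({"clerk"})},
    "bob": {"name": "bob", "roles": frozenset({"approver"})},
    "carol": {"name": "carol", "roles": frozenset({"clerk", "approver"})},
}


def demo() -> Dict[str, bool]:
    """Evaluate every (user, permission, time) combination fully and via the user's
    residual rules, asserting that the two agree; returns the full-evaluation decisions."""
    envs = {"office": {"now": time(10, 30)}, "night": {"now": time(22, 0)}}
    decisions: Dict[str, bool] = {}
    for name, user in USERS.items():
        residual = partial_solve(POLICY, user)
        for perm in sorted({r.permission for r in POLICY}):
            for label, env in envs.items():
                full = check(POLICY, user, perm, env)
                assert full == check(residual, user, perm, env)  # partial solution is sound
                decisions[f"{name}:{perm[0]}.{perm[1]}@{label}"] = full
    return decisions


if __name__ == "__main__":
    for key, granted in sorted(demo().items()):
        print("GRANT" if granted else "DENY ", key)
```

Note that carol, who holds both `clerk` and `approver`, is denied `payment.approve` purely by the `lacks_role("clerk")` constraint; plain RBAC would need an out-of-band rule to express that interaction, whereas here it is just another constraint in the conjunction.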
Partially funded by a Strategic Research Programme on Computer Security funded by NSTB/MOE.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35587-0_24
Copyright information
© 2002 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Tan, W.Y. (2002). Constraints-Based Access Control. In: Olivier, M.S., Spooner, D.L. (eds) Database and Application Security XV. IFIP — The International Federation for Information Processing, vol 87. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35587-0_3
DOI: https://doi.org/10.1007/978-0-387-35587-0_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-1028-1
Online ISBN: 978-0-387-35587-0