An XML-Based Policy Model for Access Control in Web Applications

  • Tania Basso
  • Nuno Antunes
  • Regina Moraes
  • Marco Vieira
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8056)


Organizational Information Systems (IS) collect, store, and manage personal and business data. To comply with regulations and to protect the privacy of users, clients, and business partners, these data must be kept private. This paper proposes a model and a mechanism for defining access control policies based on the user profile, the time period, the mode, and the location from which data can be accessed. The proposed policy model is simple enough to be used by a business manager, yet flexible enough to define complex restrictions. At runtime, a protection layer monitors data accesses and enforces existing policies. A prototype tool was implemented to run an experimental evaluation, which showed that the tool is able to enforce access control with minimal performance impact, while assuring scalability in terms of both the number of users and the number of policies.


access control policy data privacy security 





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Tania Basso (1)
  • Nuno Antunes (2)
  • Regina Moraes (1)
  • Marco Vieira (2)

  1. State University of Campinas (UNICAMP), Campinas, Brazil
  2. University of Coimbra (UC), Coimbra, Portugal
