Encyclopedia of Database Systems

Living Edition
| Editors: Ling Liu, M. Tamer Özsu

Access Control

  • Elena FerrariEmail author
Living reference work entry
DOI: https://doi.org/10.1007/978-1-4899-7993-3_6-3


Cloud Computing Access Control Resource Description Framework Access Control Policy Access Control Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Access control deals with preventing unauthorized operations on the managed data. Access control is usually performed against a set of authorizations stated by Security Administrators (SAs) or users according to the access control policies of the organization. Authorizations are then processed by the access control mechanism (or reference monitor) to decide whether each access request can be authorized or should be denied.

Historical Background

Access control models for DBMSs have been greatly influenced by the models developed for the protection of operating system resources (see, for instance, the model proposed by Lampson [1], also known as the access matrix model, since authorizations are represented as a matrix). However, much of the early work on database protection was on inference control in statistical databases.

Then, in the 1970s, as research in relational databases began, attention was directed towards access control issues. As part of the research on System R at IBM Almaden Research Center, there was much work on access control for relational database systems [2, 3], which strongly influenced access control models and mechanisms of current commercial relational DBMSs. Around the same time, some early work on multilevel secure database management systems (MLS/DBMSs) was reported. However, it was only after the Air Force Summer Study in 1982 [4] that developments on MLS/DBMSs began. For instance, the early prototypes based on the integrity lock mechanisms developed at the MITRE Corporation. Later, in the mid-1980s, pioneering research was carried out at SRI International and Honeywell Inc. on systems such as SeaView and LOCK Data Views [5]. Some of the technologies developed by these research efforts were transferred to commercial products by corporations such as Oracle, Sybase, and Informix. In the 1990s, numerous other developments were made to meet the access control requirements of new applications and environments, such as the World Wide Web, data warehouses, data mining systems, multimedia systems, sensor systems, workflow management systems, and collaborative systems. This resulted in several extensions to the basic access control models previously developed, by including the support for temporal constraints, derivation rules, positive and negative authorizations, strong and weak authorizations, and content and context-dependent authorizations [6]. Role-based access control has been proposed [7] to simplify authorization management within companies and organizations. In the 2000s, there have been numerous developments in access control. Some of them have been driven by developments in web data management. For example, standards such as XML (eXtensible Markup Language) and RDF (Resource Description Framework) require proper access control mechanisms. Also, web services and the social web have become extremely popular and therefore research has been carried out to address the related access control issues. Access control has also being examined for new application areas, such as knowledge management [8], data outsourcing, GIS and location-based services [9], peer-to-peer computing, and stream data management [10], and social networks [11]. Today, we are in the era of Big Data [12], Cloud Computing [13], and NoSQL databases which have opened new opportunities for research in the access control field.


The basic building block on which access control relies is a set of authorizations [6] which state, who can access which resource, and under which mode. Authorizations are specified according to a set of access control policies, which define the high-level rules according to which access control must occur. In its basic form, an authorization is, in general, specified on the basis of three components (s, o, p), and specifies that subject s is authorized to exercise privilege p on object o. The three main components of an authorization have the following meaning:
  • Authorization subjects: they are the “active” entities in the system to which authorizations are granted. Subjects can be further classified into the following, not mutually exclusive, categories: users, that is, single individuals connecting to the system; groups, that is, sets of users; roles, that is, named collection of privileges needed to perform specific activities within the system; and processes, executing programs on behalf of users.

  • Authorization objects: they are the “passive” components (i.e., resources) of the system to which protection from unauthorized accesses should be given. The set of objects to be protected clearly depends on the considered environment. For instance, files and directories are examples of objects of an operating system environment, whereas in a relational DBMS, examples of resources to be protected are relations, views, and attributes. Authorizations can be specified at different granularity levels, that is, on a whole object or only on some of its components. This is a useful feature when an object (e.g., a relation) contains information (e.g., tuples) of different sensitivity levels and therefore requires a differentiated protection.

  • Authorization privileges: they state the types of operations (or access modes) that a subject can exercise on the objects in the system. As for objects, the set of privileges also depends on the resources to be protected. For instance, read, write, and execute privileges are typical of an operating system environment, whereas in a relational DBMS privileges refer to SQL commands (e.g., select, insert, update, delete). Moreover, new environments such as social networks are characterized by new access modes, for instance, share and post access rights.

Depending on the considered domain and the way in which access control is enforced, objects, subjects, and/or privileges can be hierarchically organized. The hierarchy can be exploited to propagate authorizations and therefore to simplify authorization management by limiting the set of authorizations that must be explicitly specified. For instance, when objects are hierarchically organized, the hierarchy usually represents a “part-of” relation, that is, the hierarchy reflects the way objects are organized in terms of other objects. In contrast, the privilege hierarchy usually represents a subsumption relation among privileges. Privileges towards the bottom of the hierarchy are subsumed by privileges towards the top (for instance, the write privilege is at a higher level in the hierarchy with respect to the read privilege, since write subsumes read operations). Also roles and groups can be hierarchically organized. The group hierarchy usually reflects the membership of a group to another group. In contrast, the role hierarchy usually reflects the relative position of roles within an organization. The higher the level of a role in the hierarchy, the higher its position in the organization.

Authorizations are stored into the system and are then used to verify whether an access request can be authorized or not. How to represent and store authorizations depends on the protected resources. For instance, in a relational DBMS, authorizations are modeled as tuples stored into system catalogs. In contrast, when resources to be protected are XML documents, authorizations are usually encoded using XML itself. Finally, the last key component of the access control infrastructure is the access control mechanism (or reference monitor), which is a trusted software module in charge of enforcing access control. It intercepts each access request submitted to the system (for instance, SQL statements in case of relational DBMSs) and, on the basis of the specified authorizations, it determines whether the access can be partially or totally authorized or should be denied. The reference monitor should be non-bypassable. Additionally, the hardware and software architecture should ensure that the reference monitor is tamper proof, that is, it cannot be maliciously modified (or at least that any improper modification can be detected). The main components of access control are illustrated in Fig. 1.
Fig. 1

Access control: main components

A basic distinction when dealing with access control is between discretionary and mandatory access control [6]. Discretionary access control (DAC) governs the access of subjects to objects on the basis of subjects’ identity and a set of explicitly specified authorizations that state, for each subject, the set of objects that he/she can access in the system and the allowed access modes. When an access request is submitted to the system, the access control mechanism verifies whether or not the access can be authorized according to the specified authorizations. The system is discretionary in the sense that a subject, by proper configuring the set of authorizations, is both able to enforce various access control requirements and to dynamically change them when needed (simply by updating the authorization state). In contrast, mandatory access control (MAC) specifies the accesses that subjects can exercise on the objects in the system, on the basis of subjects and objects security classification. Security classes usually form a partially ordered set. This type of security has also been referred to as multilevel security, and database systems that enforce multilevel access control are called Multilevel Secure Database Management Systems (MLS/DBMSs). When mandatory access control is enforced, authorizations are implicitly specified, by assigning subjects and objects proper security classes. The decision on whether or not to grant an access depends on the access mode and the relation existing between the classification of the subject requesting the access and that of the requested object. In addition to DAC and MAC, role-based access control (RBAC) has been more recently proposed [7]. RBAC is an alternative to discretionary and mandatory access control, mainly conceived for regulating accesses within companies and organizations. In RBAC, permissions are associated with roles, instead of with users, and users acquire permissions through their membership to roles. The set of authorizations can be inferred by the sets of user-role and role-permission assignments. RBAC models have been shown to be policy-neutral since, by appropriately configuring the set of roles,one can support both mandatory and discretionary policies.

Key Applications

Access control techniques are applied in almost all environments that need to grant a controlled access to their resources, including, but not limited, to the following: DBMSs, Data Stream Management Systems, Operating Systems, Workflow Management Systems, Digital Libraries, GIS, Multimedia DBMSs, E-commerce services, Publish-subscribe systems, Data warehouses, Social Networks.

Future Directions

Altough access control is a mature area with consolidated results, the evolution of DBMSs and the requirements of new applications and environments pose new challenges to the research community. Some of the most recent research issues in the field are discussed below.

Social networks. On-line social networks (OSNs) represent one of the biggest revolution in the Computer Science field. Social Networks, as many other Web 2.0 technologies, have rapidly transformed the Web from a simple tool for publishing textual data into a complex collaborative knowledge management system to be used both for personal purposes and for business activities. Despite the clear advantages of OSNs in terms of information diffusion, they raised the need for giving content owners more control on the distribution of their resources, which may be accessed by a community far wider than they expected. So far, this issue has been mainly addressed by commercial OSNs and research proposals through Relationship-based Access Control (ReBAC) [11]. ReBAC takes into account the existence of a particular relationship or a particular sequence of relationships between users and/or resources and expresses access control policies in terms of such user-to-user (U2U), user-to-resource (U2R), or resource-to-resource (R2R) relationships. Despite the fact that the ReBAC model and its requirements are nowadays rather clearly specified, this paradigm has been applied incompletely or only partially by most of the available commercial OSNs, where the user is provided only a limited number of options to protect his/her personal data. Additionally, with difference to traditional contexts, OSN users create joint content; for instance, Alice uploads a photo, Bob tags it to say that Dave appears in it and Ann comments on Bob’s tag. This calls for new and efficient ways to protect digital artifacts with multiple stakeholders within an OSN. Therefore, we need alternative paradigms to perform access control, wrt traditional ones, where additional information, such as for instance trust relationships and risks, are considered in the access control decision process.

Big Data. Big Data platforms are now considered the new frontier for innovation, competition, and productivity, and the integrated analysis of large volumes of data they make possible is becoming a strategic asset for many companies and organizations. Using innovative distributed computational paradigms and simple but effective data models, Big Data storage and analysis services feature high levels of scalability, performance, and availability. However, the analyzed data sources can contain data of any category, including personal, sensitive, and identifiable information. Privacy and confidentiality of the managed data is therefore among the most challenging aspects to be addressed within Big Data platforms [12], but today Big Data platforms only provide poor privacy enforcement mechanisms. The variety of existing Big Data platforms, along with their data models and query languages, make the definition of privacy-enhanced solutions a very challenging task. This is mainly due to the strict performance requirements, the heterogeneity of the data, the speed at which data are generated and must be analyzed, and the distributed nature of these systems.

Cloud computing. In the era of cloud computing, resources and applications are provided as a service over the Internet. Main benefits of the cloud computing paradigm are well known and range from cost reduction, scalability, better quality of service, and more effective allocation of internal resources. In this scenario, an important role is played by data management services, where a new emerging option is represented by the Database as a Service (DbaaS) paradigm. DbaaS is regulated by the same principles as Software as a Service (SaaS): data owners do not have to install and maintain the data management system on their own. In contrast, this is done by the service provider, whereas data owners only pay according to the system usage. Data outsourcing enacted by DBaaS poses challenging access control issues. The challenge is how to ensure data confidentiality and integrity, even if data are not directly managed by the owner but by a third party. The solutions that can be adopted can be classified into two main categories, depending on the trust residing in the service provider. In the case of trusted providers, that is, providers that correctly enforce the access control policies of the data owner, what is mainly required is the extension of traditional access control models to fulfill the needs of the cloud computing environment (see [13] for more details). In contrast, under the untrusted provider model, data protection should be ensured both wrt the users querying the data and the providers themself, since no assumption is made on their trustworthiness. Both these data protection requirements have been achieved so far by mainly exploiting cryptographic-based techniques. The idea is that data are encrypted by the owner before their delivering to the provider. Since the provider does not receive any decryption key, it is not able to read the data it manages, whereas users receive keys only for the data portions they are allowed to access according to the owner access control policies. The most challenging issues in this scenario are related to the efficiency of key management and the development of query processing techniques for encrypted data.


Recommended Reading

  1. 1.
    Lampson BW. Protection. Fifth Princeton symposium on information science and systems. Reprinted in ACM Operat Syst Rev. 1974;8(1):18–24.Google Scholar
  2. 2.
    Fagin R. On an authorization mechanism. ACM Trans Database Syst. 1978;3(3):310–9.CrossRefGoogle Scholar
  3. 3.
    Griffiths PP, Wade BW. An authorization mechanism for a relational database system. ACM Trans Database Syst. 1976;1(3):242–55.CrossRefGoogle Scholar
  4. 4.
    Air Force Studies Board, Committee on Multilevel Data Management Security. Multilevel data management security. National Research Council; 1983.Google Scholar
  5. 5.
    Castano S, Fugini MG, Martella G, Samarati P. Database security. Addison-Wesley & ACM Press; 1995.Google Scholar
  6. 6.
    Ferrari E. Access control in data management systems. Synthesis lectures on data management. Morgan & Claypool Publishers; 2010.Google Scholar
  7. 7.
    Ferraiolo DF, Sandhu RS, Gavrila SI, Kuhn DR, Chandramouli R. Proposed NIST standard for role-based access control. ACM Trans Inf Syst Secur. 2001;4(3):224–74.CrossRefGoogle Scholar
  8. 8.
    Bertino E, Khan LR, Sandhu RS, Thuraisingham BM. Secure knowledge management: confidentiality, trust, and privacy. IEEE Trans Syst Man Cybern A. 2006;36(3):429–38.CrossRefGoogle Scholar
  9. 9.
    Bertino E, Kirkpatrick MS. Location-based access control systems for mobile users: concepts and research directions. SPRINGL; 2011.Google Scholar
  10. 10.
    Carminati B, Ferrari E, Tan KL. A framework to enforce access control over data streams. ACM Trans Inf Syst Secur. 2011;8(3):337–52.Google Scholar
  11. 11.
    Carminati B, Ferrari E, Viviani M. Security and trust in online social networks, synthesis lectures on information security, privacy and trust. Morgan & Claypool; 2013.Google Scholar
  12. 12.
    Kuner C, Cate F, Millard C, Svantesson D. The challenge of big data for data protection. Int Data Priv Law. 2012;2(2).Google Scholar
  13. 13.
    Takabi H, Joshi James BD, Gail-Joon A. Security and privacy challenges in cloud computing environments. IEEE Secur Priv. 2010;8(6):24–31.CrossRefGoogle Scholar
  14. 14.
    Ferrari E, Thuraisingham BM. Security and privacy for web databases and services. In: Advances in Database Technology, Proceedings of 9th International Conference on Extending Database Technology; 2004. p. 17–28.Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.DiSTAUniversity of InsubriaVareseItaly

Section editors and affiliations

  • Elena Ferrari
    • 1
  1. 1.DiSTAUniv. of InsubriaVareseItaly