Daniel Hofer, Aya Mohamed, Dagmar Auer, Stefan Nadschläger, Josef Küng, "Rewriting Graph-DB Queries to Enforce Attribute-Based Access Control", in Christine Strauss, Toshiyuki Amagasa, Gabriele Kotsis, A Min Tjoa, Ismail Khalil: Database and Expert Systems Applications, series Lecture Notes in Computer Science (LNCS), Vol. 14146, Springer, Cham, pages 431-436, 8-2023, ISBN: 978-3-031-39847-6
Original title:
Rewriting Graph-DB Queries to Enforce Attribute-Based Access Control
Language of the title:
English
Original book title:
Database and Expert Systems Applications
Original abstract:
To provide Attribute-Based Access Control (ABAC) in a data-store, we can either rely on built-in features or, especially if they are not present, implement access control as a service (ACaaS) on top of the database. We address the latter, in particular for graph databases, by rewriting queries which are violating access control conditions. We intercept the insecure queries right before sending them to the database to add additional filters. Thus, the database returns only authorized data and implicitly enforces ABAC beyond its own access control features. Our contributions are an authorization policy model influenced by XACML and a query rewriting algorithm for enforcing the defined authorizations with respect to this model. Our concept is application- and database-independent and operates on simple freely formulated queries, i.e. the queries do not have to follow a predefined structure. A proof-of-concept prototype has been implemented for Neo4j and its query language Cypher.