Aya Mohamed, "Fine-grained Dynamic Authorization and Access Control in the Context of Graph-Structured Data", Universitätsbibliothek, Linz, 6-2024
Original title:
Fine-grained Dynamic Authorization and Access Control in the Context of Graph-Structured Data
Language of the title:
English
Original abstract:
With the continuous growth of data and its complexity, advanced requirements have to be considered to protect resources and private information against unauthorized disclosure (secrecy) and improper modifications (integrity) as well as ensuring their availability to legitimate users (no denials of service). Authorization and access control are crucial to regulate and check the flow of information. Authorization refers to the specification of access rights, while access control is about their enforcement.
Graph databases are currently applied in different industries and used in a wide variety of applications. The increasing use of graph-structured data for business and privacy-critical applications requires sophisticated, flexible and fine-grained authorization and access control. Currently, role-based access control is supported in graph databases, where access to objects is restricted via roles. Furthermore, existing policy languages typically deal with the subject (i.e., access requester), the requested resource, and the action to be performed. This does not take special properties of graphs into account, such as vertices and edges along the path between a given subject and resource. For instance, we need to describe fine-grained constraints on graph elements that are neither subjects nor resources, but exist somewhere on a path in-between. Not only attributes of vertices and edges have to be considered, but also the vertex label along with the edge type and direction.
This thesis contributes to enhancing authorization and access control in the context of graph-structured data. More than one systematic literature research on authorization and access control has been conducted to prepare and improve the knowledge base, including definition of the inconsistently used terms, identification of authorization strategies, classification of the access control models, and derivation of authorization and access control requirements for different database models. A design science research approach is followed to iteratively develop a fine-grained authorization policy language and datastore-independent enforcement model for graph-structured data.
A flexible graph pattern is introduced within policy rules to describe a path from the subject to the resource and define authorization constraints for vertices and edges at the attribute level. Pattern-related conditions can be additionally specified on path elements. The eXtensible Access Control Markup Language (XACML), a standard authorization policy language and reference architecture, is extended to apply the proposed concept, which is called XACML for graphs (XACML4G) accordingly. The XACML policy language model and conceptual components are extended to consider specification and evaluation of graph patterns. Access requests are also extended to express paths to be checked and evaluated against the policy. XACML4G policies can be enforced in property graph-compatible database systems.
A prototypical implementation is provided to prove the feasibility of the concept. XACML4G is demonstrated with different access control scenarios and graph data models, including a real case. XACML4G is compared with related work, conceptually assessed in terms of quality metrics of access control systems defined by the National Institute of Standards and Technology (NIST), and evaluated with respect to performance. Results of this thesis not only enhance access control in graph databases to be fine-grained based on attributes, but also the authorization policy is extended to deal with graph-structured data.