
Attribute-Based Database Access Control (ABDAC)

Attribute-Based Database Access Control (ABDAC). Hamed Okhravi, Imranul Hoque, and Sonia Jahid, University of Illinois. Motivation. Attribute-based access control vs. ACL: more flexible, more scalable, easier to understand, more compact policy.


Presentation Transcript


  1. Attribute-Based Database Access Control (ABDAC). Hamed Okhravi, Imranul Hoque, and Sonia Jahid, University of Illinois

  2. Motivation
     • Attribute-based access control vs. ACL:
       • More flexible
       • More scalable
       • Easier to understand
       • More compact policy
     • Based on multiple attributes rather than a single ID
     • Desirable for database access control

  3. Approaches
     • Two possible approaches for ABDAC:
       • Design a database from scratch with ABAC
       • Design an engine that understands the policy and populates an ACL-based database (e.g., MySQL) → the approach we use

  4. Goals
     • Design a modular ABDAC
     • Support XACML for ABAC policy specification
     • Use an off-the-shelf database (MySQL)
     • Reflective design for more flexibility (the database contains the attribute information)
     • Use a web interface for ease of use

  5. Architecture (diagram; the labels below are the ones that appear on the slide)
     • XACML ABAC Policy, sketched as: <Policy> <Rule1 Allow> <Subject> </Subject> <Resource> </Resource> <Action> </Action> <Rule2 Deny> <Subject> </Subject> <Resource> </Resource> <Action> </Action>… </Policy>
     • Attribute Table (AT)
     • MySQL DB
     • Policy Processing Engine
     • Modules: Policy Parsing Module; Attribute Analysis and User Extraction Module; Conflict Discovery and Resolution Module; ACL Building Module
     • Web Interface
     • Access Control List (ACL)
     • Arrow labels: Query AT, Response, Access Control Decision, Populate
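
The pipeline named on the architecture slide (policy parsing, user extraction from the attribute table, conflict resolution, ACL building), as an added Python sketch that is not the authors' implementation. Assumptions: the policy uses a simplified XML shape rather than the full XACML schema, conflicts are resolved deny-overrides (the slides do not state a strategy), accounts are `'user'@'localhost'`, and all sample data and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy in a simplified shape (assumption, not real XACML).
POLICY = """<Policy>
  <Rule Effect="Allow"><Subject attr="role" value="nurse"/>
    <Resource>hospital.records</Resource><Action>SELECT</Action></Rule>
  <Rule Effect="Deny"><Subject attr="dept" value="billing"/>
    <Resource>hospital.records</Resource><Action>SELECT</Action></Rule>
</Policy>"""

# Constructed attribute table (AT): user -> attributes.
AT = {"alice": {"role": "nurse", "dept": "icu"},
      "bob": {"role": "nurse", "dept": "billing"},
      "carol": {"role": "clerk", "dept": "billing"}}

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

def parse_policy(xml_text):
    """Policy parsing: yield (effect, attr, value, resource, action) per rule."""
    for rule in ET.fromstring(xml_text).iter("Rule"):
        subj = rule.find("Subject")
        yield (rule.get("Effect"), subj.get("attr"), subj.get("value"),
               rule.findtext("Resource").strip(),
               rule.findtext("Action").strip().upper())

def build_acl(xml_text, at):
    """User extraction, then conflict resolution (assumed deny-overrides)."""
    permit, deny = set(), set()
    for effect, attr, value, resource, action in parse_policy(xml_text):
        users = {u for u, attrs in at.items() if attrs.get(attr) == value}
        # Any effect other than "Allow" is treated as a deny (fail closed).
        target = permit if effect == "Allow" else deny
        target |= {(u, resource, action) for u in users}
    return sorted(permit - deny)

def to_grants(acl):
    """ACL building: emit MySQL GRANTs; refuse identifiers that could inject SQL."""
    out = []
    for user, resource, action in acl:
        parts = resource.split(".")
        if action not in ACTIONS or len(parts) != 2 or not all(
                IDENT.match(p) for p in parts + [user]):
            raise ValueError(f"unsafe ACL entry: {(user, resource, action)}")
        out.append(f"GRANT {action} ON `{parts[0]}`.`{parts[1]}` "
                   f"TO '{user}'@'localhost';")
    return out
```

Because the ACL is materialized ahead of time, a change to the attribute table or the policy only takes effect once the grants are rebuilt, including revoking privileges that are no longer derived.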
