1. Field of the Invention
This invention relates to XML access control and more particularly to fine-grained, label-based XML access control models.
2. Description of the Related Art
XML has rapidly emerged as the prevalent standard for representing and exchanging business and other sensitive data over the Internet. The current trend to add XML support to database systems, however, poses new security challenges in an environment where both relational and XML data coexist. In particular, fine-grained access control methodologies may be even more important for XML data than for relational data, given the more flexible and less homogeneous structure of XML data compared to relational tables and rows.
Controlling access to XML data may be more difficult than controlling access to relational data for several reasons. First, XML data are semi-structured: a schema may be absent or, even if present, may allow significantly more flexibility and variability in the structure of the document than a relational schema allows. Second, the hierarchical structure of XML may require specifying how access privileges to certain nodes propagate to and from the nodes' ancestors and descendants.
In almost all models for controlling access to XML, the smallest unit of protection is a node of an XML document, which is typically specified using an XPath fragment. Access to ancestor/descendant and sibling relationships among nodes has typically not been considered. In general, an access control policy consists of positive or negative authorization rules that grant or deny access to selected nodes of an XML document. The main difference between most XML access control models lies in privilege propagation. For example, some models forbid access to entire sub-trees that are rooted at inaccessible nodes.
In other models, an ancestor node for which access is denied may be masked as an empty node if access is granted to a descendant node. However, this model may make the literal of the forbidden ancestor visible in the path from the root node to the authorized node. In some cases, this situation may be improved by replacing the literal of the ancestor node with a dummy value. However, this still does not solve the problem that different descendant nodes may require their ancestor's literal to be visible or invisible in a different manner. Accordingly, each of the above models makes it difficult to define a view that precisely describes the path leading to an authorized node.
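The three propagation behaviours described above (denying an entire sub-tree rooted at an inaccessible node, masking a denied ancestor as an empty node, and replacing the denied ancestor's literal with a dummy value) can be compared on a small document. The following is an added illustration written for this page; it is not code from the patent and implements no part of the claimed invention. The sample hospital document, the policy rules, the path-based rule syntax and the mode names `subtree`, `mask_empty` and `dummy` are all constructed assumptions, and the "most specific rule along the root-to-node path wins, default deny" propagation is one simple reading of the models described, not a standard.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (hypothetical data, not from the patent text).
SAMPLE_XML = """<hospital>
  <ward name="oncology">
    <patient id="p1"><name>Alice</name><diagnosis>C34</diagnosis></patient>
    <patient id="p2"><name>Bob</name><diagnosis>C50</diagnosis></patient>
  </ward>
  <ward name="billing">
    <invoice id="i1"><amount>100</amount></invoice>
  </ward>
</hospital>"""

# Constructed policy: (absolute tag path, decision). A rule propagates to the
# node's descendants unless a more specific rule overrides it; default is deny.
# Here the wards are denied, but patient names are explicitly granted.
RULES = [
    ("/hospital", "grant"),
    ("/hospital/ward", "deny"),
    ("/hospital/ward/patient/name", "grant"),
]

MODES = ("subtree", "mask_empty", "dummy")
DUMMY_LITERAL = "masked"  # assumed replacement literal for the "dummy" mode


def node_decision(path_tags, rules):
    """Longest matching rule prefix on the root-to-node path wins; default deny."""
    decision, best = "deny", -1
    for rule_path, d in rules:
        rp = rule_path.strip("/").split("/")
        if len(rp) <= len(path_tags) and path_tags[: len(rp)] == rp and len(rp) > best:
            decision, best = d, len(rp)
    return decision


def build_view(elem, rules, mode, path=()):
    """Return the authorized view of `elem` (a new Element) or None if it is hidden."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    path = path + (elem.tag,)
    granted = node_decision(list(path), rules) == "grant"

    # Under sub-tree denial a denied node hides everything beneath it, so there
    # is no point evaluating descendants at all.
    if not granted and mode == "subtree":
        return None

    kept = [v for v in (build_view(c, rules, mode, path) for c in elem) if v is not None]

    if granted:
        out = ET.Element(elem.tag, dict(elem.attrib))
        out.text = (elem.text or "").strip() or None
        out.extend(kept)
        return out

    # Denied node with no authorized descendants: drop it entirely.
    if not kept:
        return None

    # Denied ancestor of an authorized node: keep a shell (no attributes, no
    # text) so the path to the authorized node still exists. "mask_empty"
    # leaks the real tag literal; "dummy" replaces it with a fixed literal.
    tag = elem.tag if mode == "mask_empty" else DUMMY_LITERAL
    out = ET.Element(tag)
    out.extend(kept)
    return out


def leaf_paths(elem, prefix=""):
    """Root-to-leaf tag paths visible in a view: shows which ancestor literals leak."""
    if elem is None:
        return []
    here = f"{prefix}/{elem.tag}"
    children = list(elem)
    if not children:
        return [here]
    paths = []
    for child in children:
        paths.extend(leaf_paths(child, here))
    return paths


def view_to_string(elem):
    return "" if elem is None else ET.tostring(elem, encoding="unicode")


def build_views(xml_text=SAMPLE_XML, rules=RULES):
    """Build the authorized view under each propagation mode, as (xml, paths)."""
    root = ET.fromstring(xml_text)
    result = {}
    for mode in MODES:
        view = build_view(root, rules, mode)
        result[mode] = (view_to_string(view), leaf_paths(view))
    return result


if __name__ == "__main__":
    for mode, (xml, paths) in build_views().items():
        print(f"[{mode}]\n  {xml}\n  paths: {paths}")
```

Running the block shows the trade-off the text describes: `subtree` hides the granted `name` nodes along with their denied ancestors, `mask_empty` exposes them but leaks the literals `ward` and `patient` on the path, and `dummy` hides those literals at the cost of a path that no longer describes the real structure.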
In view of the foregoing, what is needed is an access control model for XML that provides a more fine-grained level of control. Ideally, such a model would be able to protect relationships between nodes as opposed to the nodes themselves. Further needed is a model that utilizes security labels to protect these relationships.