Instance-level access control for business-to-business electronic commerce

Goodwin, Richard; Goh, Sweefen; Wu, Frederick Y.

doi:10.1147/sj.412.0303

Cited by 10 publications

(13 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The grants may depend on the state of the database, constituting a reflective system to some degree, although the paper does not define a formal syntax or semantics. Several other projects implement RDBAC to some extent [2,6,11,14,33], although none of these projects define a formal model and all assume that the policy definer has omniscient access to the database.…”

Section: Related Workmentioning

confidence: 99%

A formal framework for reflective database access control policies

Olson

Gunter

Madhusudan

2008

Proceedings of the 15th ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege contained in an access control list. RDBAC aids the management of database access controls by improving the expressiveness of policies. However, such policies introduce new interactions between data managed by different users, and can lead to unexpected results if not carefully written and analyzed. We propose the use of Transaction Datalog as a formal framework for expressing reflective access control policies. We demonstrate how it provides a basis for analyzing certain types of policies and enables secure implementations that can guarantee that configurations built on these policies cannot be subverted.

show abstract

Section: Related Workmentioning

confidence: 99%

A formal framework for reflective database access control policies

Olson

Gunter

Madhusudan

2008

Proceedings of the 15th ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Since then there are many extended proposals for modeling fine-grained access control. We have role-templates [10], domain-type enforcement [2], content-based [20], team-based [9], and instance-level [11], just to name a few. Basically, they all attempt to base access control constraints on some more detailed relationships among the user, the function requested, and the data to be accessed, as we did here.…”

Section: Related Workmentioning

confidence: 99%

“…Context information for access control is investigated in [9] [14] [20]. Our work bears a closer relationship with that of Goodwin et al [11]. First, they used the four-tuple access control rules: [user group, action, resource, relationship], where a set of predefined relationship, as opposed to our general constraint, is defined for each resource type.…”

Section: Related Workmentioning

confidence: 99%

“…For example, in a B2B E-Commerce site, users from any registered organizations have the privilege to execute the "viewOrder" function, but they are allowed to view only orders of their own organization. This is called instance-level access control constraints [11]. Furthermore, within a data record, certain specific fields, such as credit card number, may have to be excluded from screen view to protect the user's privacy.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Chen

Huang

2005

Information Security Practice and Experience

View full text Add to dashboard Cite

Abstract. Access control is a system-wide concern that has both a generic nature and an application dependent characteristic. It is generic as many functions must be protected with restricted access, yet the rule to grant a request is highly dependent on the application state. Hence it is common to see the code for implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of different granularity. AOP supports the modular implementation of access control while still enables the code to get a hold of the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.

show abstract

“…An obvious example of this kind of grouping is the notion of a role. A more advanced example is implicit grouping as described in [10], where roles are assigned (dynamically) on the basis of properties of the subject.…”

Section: The Need For Expressivenessmentioning

confidence: 99%

Adaptable Access Control Policies for Medical Information Systems

Verhanneman

Jaco

Win

et al. 2003

Distributed Applications and Interoperable Systems

View full text Add to dashboard Cite

Abstract. IT enforced access control policies in medical information systems have to be fine-grained and dynamic. We justify this observation on the basis of legislation and on the basis of the evolution within the healthcare domain. Consequently, a reconfigurable or at least adaptable implementation of access control facilities has become extremely important. For this purpose, current technology provides insufficient support. We highlight a basic solution to address shortcomings by using interception techniques. In addition, we identify further research that is required to address the challenges of dynamic and fine-grained access control in the long run.

show abstract

Instance-level access control for business-to-business electronic commerce

Cited by 10 publications

References 8 publications

A formal framework for reflective database access control policies

A formal framework for reflective database access control policies

A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Adaptable Access Control Policies for Medical Information Systems

Contact Info

Product

Resources

About