M.Sc. thesis 2008

 

Francisco Revilla

Advanced Policy-Based Access Control in RDBMS

Current database access control mechanisms are very restricted. An administrator can, in the best case, grant users or roles (if RBAC is supported) access to tables, rows, columns or cells. That works very well in closed environments such as within an organization. However, in open environments, where users are not necessarily known in advance, RBAC approaches are not applicable. For example, a virtual organization would be required to provide a list of all its employees to the central database server and even keep it updated (together with the roles they belong to). This increases administrative work and still allows only for simple role-based conditions.

This thesis will explore how to enhance existing access control mechanisms in order to allow for more expressive conditions and policies controlling who can access different parts of the database and under which conditions, while keeping the impact of adding such a solution as low as possible, so that scalability remains a goal too.

Access Control in existing Databases
 
  • Review of current database access control mechanisms
    • Features: what can be protected (and at which level) and how
    • How is it enforced? Algorithms or procedures to decide whether a user can access some information
  • Review of existing databases, for example
    • MySQL
    • PostgreSQL
    • Oracle
   
Advanced Access Control Research Approaches
 
   
Protune Policy Framework (for a possible implementation with a policy engine)
 
   

Planning Overview

May-June
Tasks:
  • Fully understand the problem to be solved
  • Get familiar with the topics
  • Read the links listed above (database related ones) and check for more (both existing technology and related research papers)
  • Understand basic access control mechanisms
  • Understand how database security works: capabilities and how it is enforced
Output:
  • Write a report with the motivation of the problem you are trying to solve (you can/should add scenarios like "if an administrator wanted to protect XYZ so no-one can access it unless ... then this is not currently possible with available technologies") and then the problem statement, where you clearly state what you plan to solve (not yet how).
  • For each paper you read or database you analyse, write down a small report with a summary of the paper plus
    • Features it provides and how they are enforced
    • Limitations that paper has (what it cannot do in comparison to the problem statement)
    • Ideas you got from that paper that could be useful for your thesis
  • This information should fill in the motivation, problem statement and related work chapters of the final thesis.
July-August-Middle September
Tasks:
  • Based on the knowledge acquired from the papers read, study solutions to enhance current DB technology based on more advanced access mechanisms.
  • Analyse pros and cons for each solution.
  • Write down a formalization of the selected one.
  • Analyse possible ways of evaluating the solution (both showing its feasibility as well as the performance).
Output:
  • Report with a conceptualization of the solution to be followed
  • This information should fill in the chapters regarding the analysis of approaches and conceptual description of the adopted solution of the final thesis.
September-October
Tasks:
  • Develop a prototype to demonstrate the feasibility of the approach.
  • Evaluate the prototype based on the plans defined previously.
  • Analyse the results of the evaluation and possibly adapt the conceptual approach accordingly
Output:
  • Report with information about the implementation and prototype
  • Report with the results of the evaluations
  • Possibly a new version of the conceptual approach, incorporating modifications required by the evaluations.
  • This information should fill in the development and evaluation related chapters of the final thesis.
November (till 13th)
Tasks:
  • Finalize any work still left.
  • Finalize the thesis.
Output:
  • Final software, documented and tested
  • Final thesis document

 

 

Last update on 26-May-2008 11:37 AM