Download presentation
Presentation is loading. Please wait.
1
Compressed Accessibility Map: Efficient Access Control for XML Ting Yu : University of Illinois Divesh Srivastava : AT&T Labs Laks V.S. Lakshmanan : University of British Columbia H.V. Jagadish : University of Michigan
2
Information Sharing in business over the Internet XML as a standard information exchange/sharing format Direct access to XML documents Offer advantages in terms of cost, accuracy and timeliness Security is crucial Nature of selective access in this context is complex
3
Access Control for XML Fine-grained access control Business relationship is sophisticated Constraints on tag/attribute level instead of only on document level Complex access control rules Efficient evaluation of data’s accessibility is desired Focus of this talk
4
An Example XML Document with Access Control Info. … The purpose of … Access Control … … ….. *based on examples in [Damiani et al. 2000]
5
Two Potential Approaches Approach 1: use access control rules directly Pros: Flexible Cons: Time-inefficient Approach 2: fully materialized accessibility map (access control list) Pros: Time-efficient Cons: Space-inefficient
6
Our Approach Compressed Accessibility Map (CAM) Take advantage of structural locality of accessibility Index accessibility information in a compressed way Both time-efficient and space-efficient
7
Structural Locality of Accessibility Data items grouped together have similar accessibility properties Common in hierarchically-structured data like XML [Bertino et al. 1999][Damiani et al. 2000] Declarative authorization rules based on hierarchical structures Accessibility propagation and overriding
8
Compressed Accessibility Map (CAM) Essentially an accessibility index Maintain a CAM for each user and access type Identify “crucial” data items and store extra accessibility information on them Other data items’ accessibility can be inferred efficiently
9
Identify Crucial Data Items A BG CD EF H IJ Accessible node Inaccessible node A B (d+,s+) (d-,s+)
10
Ancestor Accessibility and Unit Regions If a node is accessible, so are its ancestors A unit region is a maximal subgraph of an XML database such that ancestor accessibility holds Easy to partition an XML database into unit regions
11
Unit Region Partition A C EFIJ Accessible node Inaccessible node B D G H
12
CAM for Unit Regions Allowed labels in unit region cam (d+,s+), (d-,s+) and (d-,s-) Inference rules Label on a node is most specific, thus overrides other inferences Ancestor accessibility overrides descendents’ inference Nearest labeled ancestor overrides other labeled ancestors
13
J I A DKL CEFM GH B Valid CAM A DL F Accessible node Inaccessible node KB CE GH IM A D IF B E GHLK M (d-,s+) (d+,s+) J C J Accessibility Unknown
14
CAM Lookup Algorithm Given a node e, look up CAM If e is labeled, check the sign of self label s If e has labeled descendents, e is accessible Get e’s nearest labeled ancestor f. e’s accessibility is determined by the sign of f’s label d. Complexity: proportion to the product of the depth of e in the XML tree and log of the size of CAM.
15
Optimal Unit Region CAM CAM with minimum size Space-efficient Also reduce lookup time Build optimal CAM Assign labels to each data node in a bottom- up way Remove redundant labels
16
Redundant Labels: Induced labels Labels that are the same as what is inferred from its ancestors’ labels A B C DE (d+,s+) (d-,s+) (d-,s-) redundant Accessible node Inaccessible node
17
Redundant Labels: Upward Redundant Labels labels that can be inferred from its descendents’ labels A B (d-,s+) (d+,s+) C E DF (d-,s+) Accessible node Inaccessible node redundant
18
Build Optimal CAM Assign labels in a bottom-up way Accessible leaf (d+,s+), inaccessible leaf (d-,s-) Internal nodes’ labels is assigned according to children’s labels Remove redundant labels First remove induced labels Then remove upward redundant labels
19
Build Optimal CAM Accessible node Inaccessible node A DL F KB CE GH IM J (d?,s+) (d+,s+) (d-,s+)(d+,s+) (d-,s-) (d-,s+) (d-,s-) (d+,s+) (d-,s-) (d-,s+)
20
CAM for Multi Unit Regions Only need to mark out those nodes (marker nodes) that start a unit region Build optimal CAM for each unit region Combine CAM for each unit regions Lookup algorithm is almost the same, but need to take marker nodes into consideration. complexity remains the same
21
Further Compression in CAM for Multiple Unit Regions A C EFIJ B D G H HH (d+,s+)
22
Experimental Verification Metric – compression ratio Size of CAM / fully materialized accessibility map Synthetic data set Generated by IBM XML generator Study accessibility locality’s impact on compression ratio of CAM Real data set Large file systems with real access control data
23
Impact of Accessibility Locality Compression ratio when accessible nodes are uniformly distributed in the XML tree
24
Impact of Accessibility Locality Compression ratio when accessibility locality is high
25
Conclusion Compressed accessibility map as an efficient way to evaluate access control data for XML documents Time-efficient and space-efficient Future work Better support for incremental CAM updates Take advantage of commonalities of users’ access rights and globally optimize CAM
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.