
Model-based Characterization of fine-grained Access Control Authorization for SQL Queries.

JOURNAL OF OBJECT TECHNOLOGY (2020)

Abstract
We propose a model-based characterization of fine-grained access control (FGAC) authorization for SQL queries. More specifically, we define a predicate AuthQuery() that represents whether a user is authorized by an FGAC-policy to execute a SQL query on a database. It is characteristic of FGAC-policies that access control decisions depend on dynamic information, namely whether the current state of the system satisfies some "authorization constraints". In our proposal, FGAC-policies are modeled using a dialect of SecureUML, and authorization constraints are specified using the Object Constraint Language (OCL). To illustrate our definition of the predicate AuthQuery(), we provide examples of authorization decisions for different SQL queries, attempted by different users, in different scenarios, and with respect to different FGAC-policies. Interestingly, the availability of mappings from OCL to SQL opens up the possibility of implementing AuthQuery() within the database and, consequently, of enforcing FGAC-policies following a model-driven approach.
Keywords
Model-driven security, SQL, Fine-grained access control, Authorization, SecureUML, OCL