An extended model-based characterization of fine-grained access control for SQL queries.

2023 ACM/IEEE 26th International Conference on Model Driven Engineering Languages and Systems (MODELS) (2023)

Abstract
In the context of a project in model-driven security that focuses on the development of model-driven techniques for building secure data-centric (web) applications, we extend, in three (inter-related) dimensions, a recently proposed model-based characterization of fine-grained access control (FGAC) authorization for SQL queries. First, we extend the FGAC policies’ underlying data models by considering association-classes. Secondly, we extend the FGAC policies’ security modeling language by considering, as protected resources, the classes and the (explicit and implicit) associations introduced by the association-classes. Thirdly, we extend the clauses that define whether a user is authorized by an FGAC policy to execute a SQL query, to cover the case of queries retrieving information related to the association-classes. To illustrate our extensions and to demonstrate their applicability, we provide examples of authorization decisions for SQL queries with respect to FGAC policies. The artefact comprising the implementation of this model-based characterization and an executable version of the example is available at https://doi.org/10.5281/zenodo.8176237.
Keywords
Model-Driven Security, Fine-Grained Access Control, Secure Database Queries, SecureUML