Model-based Characterization of fine-grained Access Control Authorization for SQL Queries

By: Hoàng Nguyen Phuoc Bao, Manuel Clavel


We propose a model-based characterization of fine-grained access control (FGAC) authorization for SQL queries. More specifically, we define a predicate AuthQuery() that represents whether a user is authorized by an FGAC-policy to execute a SQL query on a database. It is characteristic of FGAC-policies that access control decisions depend on dynamic information, namely whether the current state of the system satisfies some “authorization constraints”. In our proposal, FGAC- policies are modeled using a dialect of SecureUML, and authorization constraints are specified using the Object Constraint Language (OCL). To illustrate our definition of the predicate AuthQuery(), we provide examples of authorization decisions for different SQL queries, attempted by different users, in different scenarios, and with respect to different FGAC-policies. Interestingly, the availability of mappings from OCL to SQL opens up the possibility of implementing AuthQuery() within the database and, consequently, of enforcing FGAC-policies following a model-driven approach.


Model-driven security, SQL, Fine-grained access control, Authorization, SecureUML, OCL.

Cite as:

Hoàng Nguyen Phuoc Bao, Manuel Clavel, “Model-based Characterization of fine-grained Access Control Authorization for SQL Queries”, Journal of Object Technology, Volume 19, no. 3 (October 2020), pp. 3:1-13, doi:10.5381/jot.2020.19.3.a15.

PDF | DOI | BiBTeX | Tweet this | Post to CiteULike | Share on LinkedIn

This article is accompanied by a video realized by the author(s).

The JOT Journal   |   ISSN 1660-1769   |   DOI 10.5381/jot   |   AITO   |   Open Access   |    Contact