We present concepts that can be used for the efficient implementation of Attribute Based Access Control (ABAC) in large applications that may use several data storage technologies, including Hadoop, NoSQL and relational database systems. The ABAC authorization process takes place in two main stages. First, a sequence of permissions is derived that specifies which data the user's transaction is permitted to retrieve. Second, query modification is used to augment the user's transaction with code that implements the ABAC controls. This requires the storage technologies to support a high-level query language such as SQL or similar. The modified user transactions are then optimized and processed using the full functionality of the underlying storage systems. We use an extended ABAC model (TCM2) that handles negative permissions and overrides in a single permissions-processing mechanism. We illustrate these concepts using a compelling electronic health records scenario.
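As an added example (not code from the paper), the two stages in Python against an in-memory SQLite table: a hypothetical clinician policy stands in for the TCM2 model, with an `override` permission cancelling a `deny`, and the guard predicate is appended to the user's query so the database enforces the controls. The EHR table, the rules and the user attributes are all constructed.

```python
import sqlite3

# Constructed sample EHR rows: (id, ward, restricted, consultant). Not from the paper.
ROWS = [
    (1, "cardiology", 0, "dr_jones"),   # unrestricted, in the user's ward
    (2, "cardiology", 1, "dr_jones"),   # restricted, another consultant
    (3, "oncology",   0, "dr_smith"),   # outside the user's ward
    (4, "cardiology", 1, "dr_smith"),   # restricted, but the user is the consultant
]

def derive_permissions(user):
    """Stage 1: derive an ordered permission list from the user's attributes.
    Effects are 'allow', 'deny' and 'override' (an override cancels a deny);
    this is a hypothetical policy, not the paper's TCM2 rules."""
    perms = []
    if user["role"] == "clinician":
        perms.append(("allow", "ward = :ward"))
        perms.append(("deny", "restricted = 1"))
        perms.append(("override", "consultant = :uid"))
    return perms

def build_guard(perms):
    """Stage 2a: fold the permissions into one predicate. A row is visible if
    some allow matches and no deny matches unless an override cancels it."""
    allows = [p for e, p in perms if e == "allow"] or ["0"]  # no allow: no rows
    denies = [p for e, p in perms if e == "deny"]
    overrides = [p for e, p in perms if e == "override"]
    guard = "(" + " OR ".join(allows) + ")"
    if denies:
        deny_expr = "(" + " OR ".join(denies) + ")"
        if overrides:
            deny_expr = f"({deny_expr} AND NOT ({' OR '.join(overrides)}))"
        guard += " AND NOT " + deny_expr
    return guard

def modify_query(base_sql, perms):
    """Stage 2b: append the guard to the user's query. A production system
    would rewrite the parsed query rather than the SQL string."""
    guard = build_guard(perms)
    if " where " in base_sql.lower():
        return f"{base_sql} AND ({guard})"
    return f"{base_sql} WHERE {guard}"

def run(user, base_sql):
    """Execute the modified query and return the permitted ids, sorted."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ehr (id INT, ward TEXT, restricted INT, consultant TEXT)")
    con.executemany("INSERT INTO ehr VALUES (?, ?, ?, ?)", ROWS)
    sql = modify_query(base_sql, derive_permissions(user))
    return sorted(r[0] for r in con.execute(sql, {"ward": user["ward"], "uid": user["id"]}))

if __name__ == "__main__":
    smith = {"id": "dr_smith", "role": "clinician", "ward": "cardiology"}
    print(run(smith, "SELECT id FROM ehr"))               # [1, 4]
    print(run(smith, "SELECT id FROM ehr WHERE id > 1"))  # [4]
```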
Publication status: Published - 29 Mar 2016
Event: 2nd IEEE International Conference on Big Data Computing Service and Applications - Oxford University, Oxford, United Kingdom
Duration: 29 Mar 2016 → 1 Apr 2016
Conference: 2nd IEEE International Conference on Big Data Computing Service and Applications
Abbreviated title: BigDataService 2016
Period: 29/03/16 → 1/04/16