Secure Logical Schema and Decomposition Algorithm for Proactive Context Dependent Attribute Based Access Control

Traditional database access control mechanisms use role based methods, with generally row based and attribute based constraints for granularity, and privacy is achieved mainly by using views. However if only a set of views according to policy are made accessible to users, then this set should be checked against the policy for the whole probable query history. The aim of this work is to define a proactive decomposition algorithm according to the attribute based policy rules and build a secure logical schema in which relations are decomposed into several ones in order to inhibit joins or inferences that may violate predefined privacy constraints. The attributes whose association should not be inferred, are defined as having security dependency among them and they form a new kind of context dependent attribute based policy rule named as security dependent set. The decomposition algorithm works on a logical schema with given security dependent sets and aims to prohibit the inference of the association among the elements of these sets. It is also proven that the decomposition technique generates a secure logical schema that is in compliance with the given security dependent set constraints.