Sieve: A Middleware Approach to Scalable Access Control for Database Management Systems
Current approaches of enforcing FGAC in Database Management Systems (DBMS) do not scale in scenarios when the number of policies are in the order of thousands. This paper identifies such a use case in the context of emerging smart spaces wherein systems may be required by legislation, such as Europe's GDPR and California's CCPA, to empower users to specify who may have access to their data and for what purposes. We present Sieve, a layered approach of implementing FGAC in existing database systems, that exploits a variety of it's features such as UDFs, index usage hints, query explain; to scale to large number of policies. Given a query, Sieve exploits it's context to filter the policies that need to be checked. Sieve also generates guarded expressions that saves on evaluation cost by grouping the policies and cuts the read cost by exploiting database indices. Our experimental results, on two DBMS and two different datasets, show that Sieve scales to large data sets and to large policy corpus thus supporting real-time access in applications including emerging smart environments.
READ FULL TEXT