TRDBAC: Temporal reflective database access control

Database access control policies can become extremely complicated and complex in large databases such as hospital medical systems, banks and enterprise resource planning systems of large enterprises etc. The complexity in access control policies may results in security breaches if the policies are ambiguous, not well defined and implemented incorrectly. e.g. HSBC database security breach reported in year 2006 in which an ex-employee swiped away almost 24,000 customers accounts due to incorrect access policies. The access control policies define the rights and privileges of users on database objects. In order to keep these database systems secure, the database security should provide controlled, protected access to the contents of a database as well as preserve the integrity, consistency, and overall quality of the data. In order to implement the consistent database access control policies, a number of models have been developed by the database security community such as, discretionary (DAC) and mandatory (MAC) access control models, role-based access control model (RBAC), reflective database access control (RDBAC). RDBAC is a relatively new and more expressive access control model that provides a more fine-grained level control than the previous models. Move over database privilege is expressed as a database query itself, rather than as a static privilege contained in an access control matrix. In this paper, we propose Temporal Reflective Database Access Control (TRDBAC)- a new access control policy designed to address a limitation of RDBAC: the inability to express time-constraints, just as TRBAC extends RBAC to incorporate the notion of time. To show how our new policy works we have demonstrated a case study on students result information system, in which policies are written in a time based extension of reflective database access control (RDBAC) and converted to SQL queries. Finally we analyze the behavior of our new model.