Access Control Policy Translation and Verification within Heterogeneous Data Federations

Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this paper, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed, while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We then show that verifying that a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios. Finally, we describe a practical algorithmic framework for translating relational access control policies into their XML equivalent, expressed in the eXtensible Access Control Markup Language.