Towards A Unifying Attribute Based Access Control Approach For Nosql Datastores

NoSQL datastores allow the efficient management of high volumes of heterogeneous and unstructured data, meeting the requirements of a variety of today ICT applications. However, most of these systems poorly support data security, and recent surveys show that their simplistic support for data protection is considered as a reason not to use them. 1 In recent years, Attribute Based Access Control (ABAC) is getting more and more popularity, for its ability to provide highly flexible and customized forms of data protection at different granularity levels. In the current work, with the aim to raise users' confidence in the protection of data managed by NoSQL systems, we define a general approach to enforce ABAC within NoSQL systems. Our approach relies on SQL++[20], a unifying query language for NoSQL platforms. In particular, we develop a novel SQL++ query rewriting mechanism able to enforce heterogeneous types of ABAC policies specified up to cell level. Experimental results show an overhead which is not negligible for policies covering high percentage of the fields characterizing the protected documents, but which is far more contained when field level policies are more sparsely specified.