Rewriting Graph-DB Queries to Enforce Attribute-Based Access Control

To provide Attribute-Based Access Control (ABAC) in a data-store, we can either rely on built-in features or, especially if they are not present, implement access control as a service (ACaaS) on top of the database. We address the latter, in particular for graph databases, by rewriting queries which are violating access control conditions. We intercept the insecure queries right before sending them to the database to add additional filters. Thus, the database returns only authorized data and implicitly enforces ABAC beyond its own access control features. Our contributions are an authorization policy model influenced by XACML and a query rewriting algorithm for enforcing the defined authorizations with respect to this model. Our concept is application- and database-independent and operates on simple freely formulated queries, i.e. the queries do not have to follow a predefined structure. A proof-of-concept prototype has been implemented for Neo4j and its query language Cypher.