Performance Evaluation of a Rule-based Access Control Framework

Attribute-based access control is a flexible approach to security policy specification in an information system: access permission for particular operation on an object is granted depending not only on user's membership in a role, but on the object attributes as well. As object attributes could be difficult to compute (e.g. complex SQL queries might be involved in the computation), the performance of rule-based access control systems is a serious concern in real life applications. In this paper the evaluation results for a rule-based access control system are presented. This access control system dynamically translates access rules into SQL queries and uses various heuristics in order to minimize overall database workload induced by access control checks. The evaluation was performed using the real workload to an information system with millions of objects and thousands of users divided into a dozen roles.