Access control and view generation for provenance graphs

Roxana Danger, Vasa Curcin*, Paolo Missier, Jeremy Bryans

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

Abstract Data provenance refers to the knowledge about data sources and operations carried out to obtain some piece of data. A provenance-enabled system maintains record of the interoperation of processes across different modules, stages and authorities to capture the full lineage of the resulting data, and typically allows data-focused audits using semantic technologies, such as ontologies, that capture domain knowledge. However, regulating access to captured provenance data is a non-trivial problem, since execution records form complex, overlapping graphs with individual nodes possibly being subject to different access policies. Applying traditional access control to provenance queries can either hide from the user the entire graph with nodes that had access to them denied, reveal too much information, or return a semantically invalid graph. An alternative approach is to answer queries with a new graph that abstracts over the missing nodes and fragments. In this paper, we present TACLP, an access control language for provenance data that supports this approach, together with an algorithm that transforms graphs according to sets of access restrictions. The algorithm produces safe and valid provenance graphs that retain the maximum amount of information allowed by the security model. The approach is demonstrated on an example of restricting access to a clinical trial provenance trace.

Original languageEnglish
Article number2704
Pages (from-to)8-27
Number of pages20
JournalFuture Generation Computer Systems
Volume49
DOIs
Publication statusPublished - Aug 2015

Bibliographical note

Publisher Copyright:
© 2015 Elsevier B.V. All rights reserved.

Keywords

  • Access Control Language
  • Provenance
  • Semantic Web

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Access control and view generation for provenance graphs'. Together they form a unique fingerprint.

Cite this