Scalable Enforcement of Fine Grained Access Control Policies in Relational Database Management Systems

Abstract

The proliferation of smart technologies and evolving privacy regulations such as the GDPR and CPRA has increased the need to manage fine-grained access control (FGAC) policies in database management systems (DBMSs). Existing approaches to enforcing FGAC policies do not scale to thousands of policies, leading to degraded query performance and reduced system effectiveness. We present Sieve, a middleware for relational DBMSs that combines query rewriting and caching to optimize FGAC policy enforcement. Sieve rewrites a query with guarded expressions that group and filter policies and can efficiently use indexes in the DBMS. It also integrates a caching mechanism with an effective replacement strategy and a refresh mechanism to adapt to dynamic workloads. Experiments on two DBMSs with real and synthetic datasets show that Sieve scales to large datasets and policy corpora, maintaining low query latency and system load and improving policy evaluation performance by between 2x and 10x on workloads with 200 to 1,200 policies. The caching extension further improves query performance by between 6 and 22 percent under dynamic workloads, especially with larger cache sizes. These results highlight Sieve's applicability for real-time access control in smart environments and its support for efficient, scalable management of user preferences and privacy policies.