Access Control in Geographic Databases
Liliana Kasumi Sasaoka (1) and Claudia Bauzer Medeiros (2)
(1) IBM Silicon Valley Lab, 555 Bailey Ave, San Jose, CA 95141, USA, lilianas@us.ibm.com
(2) Institute of Computing, UNICAMP, 13081-970 Campinas, SP Brazil, cmbm@ic.unicamp.br
Abstract. The problem of access control in databases consists of determining when (and if) users or applications can access stored data, and what kind of access they are allowed. This paper discusses this problem for geographic databases, where constraints imposed on access control management must consider the spatial location context. The model and solution provided are motivated by problems found in AM/FM applications developed in the management of telephone infrastructure in Brazil, in a real life situation.
1 Introduction
Security and trust in databases are intimately associated with access control [AJS+96]. They determine who can access what data and how. In most cases, security models and mechanisms concentrate on low-level system details, and do not consider the semantics associated with the data. In particular, spatial applications present challenges not met by standard access control proposals.
Security issues are considered only at the implementation level, and are not usually integrated into the modeling stage. Several access control models have been defined for relational or object-oriented databases. Specific models have also appeared – e.g., in the case of temporal [BJS95,BBF01] or video databases [BHAE00]. However, none of these mechanisms can be directly applied to geographic applications, because of their particular characteristics. Indeed, when attribute semantics are associated with the spatial localization, data management demands distinct types of control, which have to be defined in terms of geographic region. In other words, access control becomes spatially sensitive.
Consider the following scenario, which will be used throughout the paper to motivate our solution. A utility (telephone) company wants to develop a GIS project that concerns infrastructure expansion in a city, for a specific geographic region R. Several engineers and experts will be concerned – they work cooperatively in the expansion planning for R, having distinct needs and authorizations for data access. At the same time, normal operations proceed (e.g., repairs and maintenance) and other people will have access to data on the same region, again with distinct permissions. Whereas standard access control proposals concern only thematic data, spatial access control involves issues such as “John can only update data concerning the area within blocks A and B”, or “Repairs recorded for an area X will override any other operations being requested for this area”. It must furthermore be possible to grant access only for one spatial object (a pole), a set of objects (e.g., poles in a street), or a neighborhood.
A specific system that demands this kind of geographic access control is the Brazilian CPqD Outside Plant Management System, formerly known as the SAGRE System [Mag97]. It is an integrated set of GIS-based software applications to manage the expansion, modernization and operation of an outside telephone plant. Used throughout Brazil by major telephone companies, it has very large geographic databases for most of Brazil’s major cities, and hundreds of thousands of lines of code.
SAGRE has been in operation and continuous evolution since the beginning
of the nineties. It is used in several sectors of telecom companies, by people with
different roles. This gave rise to the need to control access to the operations that
use its database taking spatial information into account.
Our paper shows how to solve this problem by extending classical models
and mechanisms to the spatial context. Though our solution is general, it was
motivated by the needs of the CPqD Outside Plant Management System.
The rest of this paper is organized as follows. Section 2 introduces related
work. Sections 3, 4 and 5 describe our model and access control mechanism.
Section 6 presents the access control problems in SAGRE and discusses the use
of the proposed mechanism in this context. Finally, section 7 presents conclusions
and possible extensions.
2 Basic concepts and related work
2.1 Authorization models
All access control mechanisms are based on some authorization model, which defines how a database management system must implement access control. It is generally composed of: (i) an access granularity indication; (ii) structures to represent the authorization (formal semantics of representation); (iii) a set of policies to manage and to grant authorizations; and (iv) algorithms to analyze access requests based on the existing authorizations.
Access granularity defines the storage unit to control data access – e.g., at the tuple, table or database level. The most common authorization structure is represented by the triple <s, o, m>, where: s is the subject who receives the authorization, o the object which is authorized and m the access mode. Objects o are the passive entities storing information, such as tables, tuples, or even elements of a tuple. Subjects are active entities that access the objects and can be users, user groups or processes operating on behalf of users. The subject can also be defined in terms of roles.
The m in <s, o, m> corresponds to the access mode – i.e., the type of operation that the subject has permission to execute on the object. [BDPSN96] defined the basic set of operations as: read, write, delete, execute and create. Authorizations can be further refined into positive or negative (forbidden).
The set of policies to manage authorizations are rules that define: who will
grant and revoke permissions (e.g., owner, administrator, any user), operations
authorized (e.g., read, write), and how these will be executed. Policies also define
factors such as negative authorizations and authorization derivation.
Finally, in order to have a complete authorization model, one must also define mechanisms or algorithms to validate an access request based on the stored authorizations. As will be seen, the mechanism we propose specifies all the required model components: granularity, structure, policies and algorithms.
2.2 Access control mechanisms
Current research efforts on access control can be classified in three main directions [BDPSN96]: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and the combination of both, Role Based Access Control (RBAC). Efforts are normally defined in terms of the <s, o, m> structure.
DAC is based on granting and revoking privileges [GW76]. Discretionary protection policies govern the access of users (the subjects) to the information, on the basis of the users’ identity and the rules that specify, for any user and any object in the system, the types of accesses allowed. A subject’s request to access an object is checked against the specified authorizations; if there exists an authorization stating that the subject can access the object in the specific mode, the access is granted; otherwise, it is denied. Policies are discretionary: they allow subjects to grant other subjects authorizations to access the objects.
MAC is based on classifying subjects and objects of the system in hierarchical levels, satisfying the requirements of military, governmental and commercial organizations [BJS95]. This hierarchical organization assures that classified information does not flow to lower levels. It is based on two principles formulated by Bell and LaPadula [BP76]. The first states that no subject can read an object of an upper level. The second does not allow a subject to write in an object of a lower level, ensuring that no information will flow from upper to lower levels.
Access decisions in Role Based Access Control (RBAC) [FK92] are based on the roles that a user can perform inside an organization. This adds flexibility to access grants, which become context-sensitive.
New devices and applications have given rise to other kinds of concerns. The
Web has motivated research on adaptations of RBAC to this new environment
(e.g. [PSA01]), and studies on distinct granularity levels for protection of XML
documents [BCFM00]. The field of sensor networks has prompted studies on
coordination and fusion of sensor data, and protocols for access control to save
energy (e.g., [WHE04]).
Few authors are concerned with the special needs of spatial access control. The work of [BBC+04] proposes a discretionary model that considers, among others, derivation of authorization rules, privilege propagation and negative authorizations over vector data. This work is extended to a model called GEO-RBAC, which considers RBAC in the spatial context [BCDP05]. This model is motivated by the needs of location-based services and mobile applications. It provides flexibility in access specification, associating roles with a spatial context and changing authorizations according to spatial granularity. Roles are instances of a role schema; authorizations can be globally assigned to all roles in a schema, or be refined for a specific role. Roles are “activated” according to a subject’s location.
As will be seen, the main difference between these two proposals and our model is that we were motivated by the needs of cooperative work in spatial applications, for a very large real GIS application. As a consequence, some aspects of our solution are concerned with simplifications for performance reasons, and with specific user needs. Roles are defined by user groups.
3 Authorization model for geographic data
This section presents the main components of our model: granularity, subject, object, access mode, adopted authorization rules, policies and algorithms.
Definition – Spatial authorization rule. A spatial authorization rule is defined by the triple <s, o, m>, where s is the authorized subject, o the set of authorized objects and m the access mode. The object o can be represented by identifiers (explicit enumeration) or by a spatial query (implicit specification). Queries are discussed in section 5. The access mode can be read or write.
3.1 Stating and storing an authorization rule: s, o, m
We assume that all spatial data are stored in a spatial database, accessed by a GIS. Moreover, this database also contains a special repository with the authorization rules (referred to as “rule database”), which specify spatially-dependent access control. We use a simplified spatial data model, based on OGC’s, which is sufficient for the purposes of our explanation. We consider that data in geographic databases can be characterized as having two types of attributes: descriptive and spatial features. This research is limited to vector data, geometries being classified into three types: point (e.g., a pole), line (e.g., a street), or polygon (e.g., a parcel).
From a high abstraction level, an authorization process can be understood
as being defined according to the following sequence of stages: (1) definition
of authorization rules, (2) mapping of these rules into some set of database
structures and (3) definition of a rule management mechanism.
In our context, the first stage – definition of authorization rules – is specified as:
[Define <s, m> on <o>], where <o> is the result of a spatial query.
An authorization can be granted to an individual user, groups of users or user roles associated with different operations. Object <o> defines a data partition within the database for which that authorization holds. It can be a spatial component or a set of components, with geometries of type polygon, point or line, and be directly specified (through identifiers), or indirectly, as a query result.
A spatial permission is therefore directly related to the spatial query that it must satisfy. For example, the authorization “Ann has read access to all the rivers in São Paulo state” is nothing more than a read permission to access all data on rivers resulting from the spatial query “select all the information of river features in São Paulo state” – see Section 5.
Subjects s can be defined in the same way as in conventional databases. The model considers that subjects are end users – engineers and designers within an AM/FM planning environment: their roles are indirectly defined by their login group. This is a compromise between full RBAC and DAC. This can easily be extended to include explicit roles, or software.
3.2 Granularity
Access granularity in our rules is that of the objects they define. This requires considering trade-offs between the number of objects considered in a rule and increased system complexity – the number of rules in the rule database increases with smaller access granularity. Similar to [BCDP05], we support hierarchical definitions of spatial extent, which are used to infer non-explicit rules.
Our solution considers two authorization rule specifications: < s, o, m > and
< s, Q, m >. The first one explicitly references the object identifier (for example,
a point related to a specific pole, a line related to a street, a polygon related
to a neighborhood). In this case, the authorization is executed in an individual
object in the database. The second specification contains a spatial query, which
defines the objects under control (see section 5). This solution is a compromise
between management of specific objects (< s, o, m > rules) versus flexibility in
defining authorizations (< s, Q, m > rules).
Consider the following rule: “Ann has read access to Jardim Paulista neighborhood”, where object “Jardim Paulista” is a polygon identified by [id 501] – its geometry defines access granularity. The rule which is going to be stored is < Ann, 501, read > – Ann is allowed access to object 501 and all the objects inside 501 (see section 5).
A rule example using a query and with point granularity is “John can access
just the subway stations in Vergueiro Street”, where subway stations are points
in the street. In this case, the rule is (John, all the subway stations in Vergueiro
Street, read), where “all the subway stations in Vergueiro Street” can be specified
as a spatial SQL query.
3.3 Set of policies to manage and administer authorizations
The model proposes a centralized administration of authorizations: just the ad-
ministrator can grant and revoke permissions. Thus, it is not necessary to worry
about the cascade and non-cascade revocation of authorizations, as in the DAC
model [GW76].
Our model does not consider negative authorizations. These must be analyzed according to the application, and introduce a major complexity in the algorithms that evaluate an access request. If the mechanism allows negative authorizations, given an access request, it is necessary to verify if there are negative authorizations denying the use of an object, before allowing the access.
3.4 Algorithms to analyze access requests
As mentioned before, our access control mechanism assumes that authorization rules are stored in a special repository within the database, and checked at access request. This request can be per transaction, or apply to an entire user session, and assumes that all the rules stored in the database are consistent according to the policies defined by the administrator. Access right is only granted if there is an explicit rule authorizing the subject to access that object with that access mode, or if the user access grant can be inferred using spatial containment properties.
Algorithm Access request validation
Input:
[1] access request (S, Q_a, M).
[2] set of database authorization rules (s, o, m) and (s, Q, m), stored in the rule repository.
Output: [1] AUTHORIZED or [2] DENIED
1. Given an access request AR = < S, Q_a, M >, where the query statement Q_a defines the objects to be accessed, select all authorization rules r_i = < s, o, m > and r_j = < s, Q_j, m > from the rule database where s = S and m = M. The result of this step is a set of rules RA = { < S, o_i, M > } ∪ { < S, Q_i, M > }.
2. Process the queries Q_i in < S, Q_i, M > in order to determine the referenced objects, obtaining the final set of rules RF = < S, o_k, M >, where o_k are the objects returned by the execution of all Q_i queries.
3. Process the query Q_a, getting AR = < S, o_a, M >, which determines the objects involved in the access request.
4. Detect conflicts between AR and objects in RF, according to section 4.
5. Resolve the conflicts using the policies defined in section 4.
Details of steps 4 and 5 can be found in [Sas02].
4 Managing conflicts for geographic access control
Access conflicts require checking spatial relationships between access requests
and rules in the database. Generally speaking, conflicts fall into two cases: (i)
objects totally or (ii) partially contained in another.
In case of total containment, access is granted, according to inference rules for hierarchies of objects subject to total containment. The existence of authorization < s1, o2, m1 > allows one to infer < s1, o1, m1 >, if o1 is totally contained in o2.
Partial containment, however, introduces conflicts. Again, suppose s1 has access to o2, and that object o1 is partially contained in o2. Should s1 be granted access to o1? In this case, there are the following alternatives, which are considered at step 4 with possible user disambiguation:
1. yes, s1 can access object o1, even if it is only partially contained in o2;
2. s1 can access the part of the object o1 contained in o2. This requires cutting the object in parts;
3. yes, only if there is also an authorization rule < s1, o1, m1 >, which authorizes s1 to access the object o1 explicitly;
4. yes, only if there is also an authorization rule < s1, o3, m1 > in the database, where o3 contains the rest of o1 not contained in o2;
5. yes, s1 can access o1, if there is no negative authorization < s1, o1, m1 >;
6. no, the situation does not occur because objects partially contained in another do not exist in the application domain;
7. no, access to objects partially contained in another is denied.
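The validation algorithm of section 3.4 together with the containment policies of section 4, as an added example that is not part of the original paper or of the SAGRE system. It assumes a constructed simplification: geometries are axis-aligned boxes (a point is a box whose corners coincide), rules are Python dataclasses, and queries are Python callables standing in for the spatial queries of the paper's < s, Q, m > rules. The partial_policy parameter switches between alternative 1 ("allow") and alternative 7 ("deny") of section 4; alternatives 2 and 4, which need geometry cutting and coverage checks, are not implemented. Object ids and the sample data are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple, Union

# Constructed simplification (not the paper's data model): a geometry is an
# axis-aligned box (x1, y1, x2, y2); a point is a box whose corners coincide.
Box = Tuple[float, float, float, float]


@dataclass(frozen=True)
class SpatialObject:
    oid: int
    kind: str   # descriptive attribute, e.g. "neighborhood", "pole", "street"
    geom: Box


def relation(inner: Box, outer: Box) -> str:
    """'total' if inner lies entirely within outer, 'partial' if their
    interiors meet without containment, 'disjoint' otherwise."""
    ax1, ay1, ax2, ay2 = inner
    bx1, by1, bx2, by2 = outer
    if ax1 >= bx1 and ay1 >= by1 and ax2 <= bx2 and ay2 <= by2:
        return "total"
    if ax1 < bx2 and ax2 > bx1 and ay1 < by2 and ay2 > by1:
        return "partial"
    return "disjoint"


# A query Q maps the object store to the set of object ids it selects; it
# stands in for the spatial SQL query of the paper's <s, Q, m> rules.
Query = Callable[[Dict[int, SpatialObject]], Set[int]]


@dataclass(frozen=True)
class ObjectRule:          # <s, o, m>: explicit object identifier
    subject: str
    oid: int
    mode: str


@dataclass(frozen=True)
class QueryRule:           # <s, Q, m>: objects defined by a query
    subject: str
    query: Query
    mode: str


Rule = Union[ObjectRule, QueryRule]


def by_ids(*oids: int) -> Query:
    return lambda objs: {o for o in oids if o in objs}


def kind_inside(kind: str, area: Box) -> Query:
    return lambda objs: {o.oid for o in objs.values()
                         if o.kind == kind and relation(o.geom, area) == "total"}


def validate_access(subject: str, q_a: Query, mode: str, rules: List[Rule],
                    objects: Dict[int, SpatialObject],
                    partial_policy: str = "deny") -> Tuple[str, Dict[int, str]]:
    """Steps 1-5 of the paper's algorithm. partial_policy selects section 4's
    alternative 1 ("allow") or 7 ("deny") for partially contained objects.
    Returns the decision plus a per-object reason, usable as an audit trail."""
    # Step 1: rules for this subject and access mode (RA).
    ra = [r for r in rules if r.subject == subject and r.mode == mode]
    # Step 2: expand query rules into object ids (RF).
    rf: Set[int] = set()
    for r in ra:
        rf |= {r.oid} if isinstance(r, ObjectRule) else r.query(objects)
    # Step 3: objects named by the access request.
    requested = q_a(objects)
    # Steps 4 and 5: detect and resolve containment conflicts per object.
    reasons: Dict[int, str] = {}
    for oid in sorted(requested):
        if oid in rf:
            reasons[oid] = "rule"
            continue
        rels = {relation(objects[oid].geom, objects[a].geom) for a in rf}
        if "total" in rels:
            reasons[oid] = "inferred: totally contained in an authorized object"
        elif "partial" in rels and partial_policy == "allow":
            reasons[oid] = "inferred: partially contained, policy allows"
        elif "partial" in rels:
            reasons[oid] = "conflict: partially contained, policy denies"
        else:
            reasons[oid] = "no rule"
    # An empty request set is refused rather than vacuously granted.
    granted = bool(requested) and all(
        v == "rule" or v.startswith("inferred") for v in reasons.values())
    return ("AUTHORIZED" if granted else "DENIED"), reasons


# Constructed sample data: neighborhood 501 (the paper's "Jardim Paulista"),
# a pole inside it, a street segment crossing its border and a far-away pole.
OBJECTS: Dict[int, SpatialObject] = {
    501: SpatialObject(501, "neighborhood", (0, 0, 10, 10)),
    601: SpatialObject(601, "pole", (2, 3, 2, 3)),
    602: SpatialObject(602, "street", (8, 5, 14, 5)),
    603: SpatialObject(603, "pole", (20, 20, 20, 20)),
}
RULES: List[Rule] = [
    ObjectRule("Ann", 501, "read"),                                  # <Ann, 501, read>
    QueryRule("John", kind_inside("pole", (0, 0, 10, 10)), "read"),  # <John, Q, read>
]

if __name__ == "__main__":
    for who, ids, mode in [("Ann", (601,), "read"), ("Ann", (602,), "read"),
                           ("Ann", (601,), "write"), ("John", (501,), "read")]:
        print(who, ids, mode, validate_access(who, by_ids(*ids), mode, RULES, OBJECTS))
```

With the default "deny" policy, Ann reads the pole inside Jardim Paulista by containment inference but is refused the street that crosses its border; switching to "allow" grants the street. The "allow" alternative deserves care: since the containment test only asks whether geometries meet, a rule on one small object (a pole) would also reach any larger object intersecting it, which is why the example keeps denial as the default and records the reason per object for later review.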
5 Spatial queries for access control
The spatial attributes considered in this research for access control are of type point (e.g., poles, trees), line (e.g., street segments) and polygon (e.g., neighborhoods). The type depends on the scale. For example, at a 1:1.000.000 scale, cities, small woods and many types of surfaces can be represented by points.
Queries for access control involve different relationships between spatial object types (e.g., Point x Point, or Line x Line). They return a result set, which is the target of access control: the object o of the < s, o, m > triple. Different types of permission can be associated with each query result. We consider topological and metric spatial query predicates and adopt the five topological operators defined by Clementini et al. [CdFvO93] – in, overlap, touch, cross and disjoint – as sufficient to cover binary topological relationships.
The study of the objects in the database for access control must take two factors into account: (1) the result – a spatial object, a non-spatial object or part of an object; and (2) the predicate – spatial, non-spatial or both. Queries can produce descriptive or spatial attributes, or both. Query Qx, “Who are the subscribers recorded in the database”, returns non-spatial objects (subscribers). The query Qy, “Which are the types of the cables installed in the Cambuí neighborhood”, returns descriptive attributes (types of cable) for a spatial object (cables). The query Qz, “Supermarkets with more than 5 telephones installed”, returns spatial objects (supermarkets), assuming that they have a spatial component. Query Qx uses non-spatial predicates, while query Qy uses a spatial predicate.
Consider query Qz, “Supermarkets with more than 5 telephones installed”. An example of an authorization rule involving Qz might be “Ann can update the account charges data of the supermarkets with more than 5 telephones installed”, where s: Ann; o: points (supermarkets); m: write; the predicate is defined on descriptive attributes (number of telephones in a supermarket).
This type of reasoning, separating the definition of the permission from that
of objects subject to access control, can be repeated for combinations of spatial
objects and distinct predicates, and involve distinct kinds of geometric features.
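The five topological operators of [CdFvO93] named in this section, and their use to build the object set o of a < s, Q, m > rule from spatial and descriptive predicates, as an added example that is not code from the paper. It assumes the same constructed simplification as above: geometries are axis-aligned boxes, where an area is a non-degenerate box, a horizontal or vertical line segment has one degenerate axis, and a point has both. The classification follows Clementini's definitions on interiors and boundaries (in, touch, cross, overlap, disjoint) and adds "contains" as a label for the converse of "in"; the feature ids, attribute names and neighborhood geometry are constructed, and the "Cambuí" box is a stand-in for the real neighborhood polygon.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed simplification: (x1, y1, x2, y2). Area = non-degenerate box,
# axis-parallel segment = one degenerate axis, point = both axes degenerate.
Box = Tuple[float, float, float, float]


def _dim(b: Box) -> int:
    return int(b[0] != b[2]) + int(b[1] != b[3])


def _closed_intersects(a: Box, b: Box) -> bool:
    return max(a[0], b[0]) <= min(a[2], b[2]) and max(a[1], b[1]) <= min(a[3], b[3])


def _within(a: Box, b: Box) -> bool:
    return a[0] >= b[0] and a[1] >= b[1] and a[2] <= b[2] and a[3] <= b[3]


def _interior_axis(lo_a, hi_a, lo_b, hi_b) -> Optional[bool]:
    """Do the interiors of two intervals meet on one axis? None if not,
    True if the common part is an open interval, False if it is one value."""
    if lo_a != hi_a and lo_b != hi_b:              # both non-degenerate
        return True if max(lo_a, lo_b) < min(hi_a, hi_b) else None
    if lo_a == hi_a and lo_b == hi_b:              # both degenerate
        return False if lo_a == lo_b else None
    v, lo, hi = (lo_a, lo_b, hi_b) if lo_a == hi_a else (lo_b, lo_a, hi_a)
    return False if lo < v < hi else None          # point strictly inside interval


def _interior_dim(a: Box, b: Box) -> Optional[int]:
    """Dimension of int(a) ∩ int(b), or None when the interiors are disjoint."""
    x = _interior_axis(a[0], a[2], b[0], b[2])
    y = _interior_axis(a[1], a[3], b[1], b[3])
    if x is None or y is None:
        return None
    return int(x) + int(y)


def topo(a: Box, b: Box) -> str:
    """Clementini's five relations (plus 'contains' for the converse of 'in')."""
    if not _closed_intersects(a, b):
        return "disjoint"
    idim = _interior_dim(a, b)
    if idim is None:
        return "touch"                # boundaries meet, interiors do not
    if _within(a, b):
        return "in"
    if _within(b, a):
        return "contains"
    if idim < max(_dim(a), _dim(b)):
        return "cross"                # e.g. a line entering and leaving an area
    return "overlap"                  # same-dimension partial overlap


@dataclass(frozen=True)
class Feature:
    oid: int
    kind: str
    geom: Box
    attrs: Dict[str, int]


def query_objects(features: Dict[int, Feature], kind: str,
                  descriptive: Optional[Callable[[Dict[str, int]], bool]] = None,
                  spatial: Optional[Tuple[str, Box]] = None) -> Set[int]:
    """Object set o of a <s, Q, m> rule: optional descriptive predicate on
    attributes and optional spatial predicate (operator, reference geometry)."""
    result: Set[int] = set()
    for f in features.values():
        if f.kind != kind:
            continue
        if descriptive is not None and not descriptive(f.attrs):
            continue
        if spatial is not None and topo(f.geom, spatial[1]) != spatial[0]:
            continue
        result.add(f.oid)
    return result


CAMBUI: Box = (0, 0, 10, 10)          # constructed stand-in for the neighborhood
FEATURES: Dict[int, Feature] = {      # constructed sample data
    701: Feature(701, "supermarket", (2, 2, 2, 2), {"telephones": 8}),
    702: Feature(702, "supermarket", (4, 4, 4, 4), {"telephones": 3}),
    703: Feature(703, "supermarket", (12, 1, 12, 1), {"telephones": 9}),
    704: Feature(704, "cable", (8, 5, 14, 5), {"telephones": 0}),
}


def qz(features: Dict[int, Feature]) -> Set[int]:
    """Q_z: supermarkets with more than 5 telephones (non-spatial predicate)."""
    return query_objects(features, "supermarket", descriptive=lambda a: a["telephones"] > 5)


def qz_in_cambui(features: Dict[int, Feature]) -> Set[int]:
    """Both predicate kinds: Q_z restricted to supermarkets inside the neighborhood."""
    return query_objects(features, "supermarket",
                         descriptive=lambda a: a["telephones"] > 5, spatial=("in", CAMBUI))


def cables_crossing_cambui(features: Dict[int, Feature]) -> Set[int]:
    """Spatial predicate only, in the spirit of Q_y: cables crossing the border."""
    return query_objects(features, "cable", spatial=("cross", CAMBUI))
```

The rule “Ann can update the account charges data of the supermarkets with more than 5 telephones installed” then stores qz as its Q with mode write, and the set it returns at validation time is the object set the section calls o. Restricting the same rule with a spatial predicate (qz_in_cambui) shows how the result set, and therefore the granted permission, narrows when the predicate is both descriptive and spatial.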
6 Access control in SAGRE
As mentioned in section 1, our work was motivated by the need for spatially sensitive access control for cooperative work in the CPqD Outside Plant Management System. This system will be referred to in the rest of this section by its former name – SAGRE – to disambiguate references to the system and to its modules (see [Sag] for a description of the main functionalities of the system). It is a GIS-based system composed of a set of applications which automate processes related to outside telephone plant management. Two of its applications are relevant to access control issues: Adm and Cad.
The Adm application is geared towards system administrators in telecom companies. It allows managing the system’s users and groups, inserting and deleting users, and granting and revoking role permissions for users/groups.
The Cad application maintains the basic urban map and the telephone outside plant. The basic urban map [Mag97] is composed of the basic urban planning elements, such as streets, street segments and monuments. The outside plant corresponds to the infrastructure information used by telecommunications services, such as poles, terminal boxes and cables. The Cad application supports the management of projects, where a “project” involves infrastructure maintenance or expansion planning for a given region, usually within some urban area. When creating projects, it is necessary to indicate a manager and the manager’s area using geographic coordinates, defined as a polygon.
Our first modification concerns the Adm application, changing the internal tables that store user roles. They must contain insert, update and delete authorization rules that indicate the spatial element o which will be authorized. User authentication must also be changed, since it will pass through more verification stages. Project managers can also intervene here.
Figure 1 presents a screen copy with a project developed using Cad. In normal
system usage, a user has to define the geographic limits of a project (a polygon).
Notice the area covers parts of features (e.g., lines), which complicates access
control. The polygon is only used for visualization and does not impose any
restrictions on objects to be modified by this project. The present version of
Cad contains special code that verifies some spatial access control, but it is not
flexible enough to consider different situations. An example of such a problem is
the case of update cascades, where an update in a given object may propagate to
objects outside the visible polygon. Thus, a person within a project confined to
this polygon can change objects even when they are outside the project polygon.
This means that changes must be made to allow preprocessing access requests. Even though some of our solutions have been considered in SAGRE, their full-fledged implementation would require a new module – Geographic Access Manager – to be created to check and manage spatial access rules [Sas02]. The generic solution, using authorization rules in a database and distinct kinds of access modes, still needs to be taken into account. Visualization must also be restricted to prevent users from seeing certain objects.
Fig. 1. Project designed in SAGRE/Cad.
7 Conclusions and extensions
This paper presented a generic access control model for GIS applications. The proposal is based on the definition of authorization rules < s, o, m >, where objects o are characterized as a result of a geographic query. The main contributions of this paper are: survey of requirements for access control in geographic databases; definition of an authorization model based on the spatial characterization; discussion of implementation aspects of this model; brief presentation of application of the proposed mechanism for a real GIS system.
Spatially-sensitive access control is a research area that presents several challenges, with relatively few papers on the subject – e.g., [BCDP05,BBC+04]. The main differences with our proposal were that we were forced to simplify some of the issues, given the size and scope of SAGRE and its multiple user roles – e.g., we do not consider negative permissions, and roles are defined by login groups. Moreover, our proposal is geared towards solving problems that arise in cooperative planning activities using a GIS, while at the same time allowing normal operation for the same region.
Many extensions can be proposed. One concerns spatio-temporal access control. Another possibility is the incorporation of nested permissions. Also, conflicts among our rules must be studied, to maintain rule consistency. We have made a preliminary study concerning performance impact of our rule checking algorithms. Further work must be conducted along these lines.
Acknowledgements This work was partially financed by CPqD Telecom &
IT Solutions, CNPq, FAPESP, CNPq SAI, Agroflow and Web-MAPS Projects.
References
[AJS+96] V. Ashby, S. Jajodia, G. Smith, S. Wisseman, and D. Wichers. Trusted Database Management Systems – Interpretation of the Trusted Computer System Evaluation Criteria. Technical Report 001-005, National Computer Security Center, 1996. 75 pages.
[BBC+04] A. Belussi, E. Bertino, B. Catania, M. Damiani, and A. Nucita. An Authorization Model for Geographical Maps. In Proc. 14th ACM GIS, pages 82–91, November 2004.
[BBF01] E. Bertino, P. Bonatti, and E. Ferrari. TRBAC: Temporal Role-Based Access Control Model. ACM Transactions on Information and System Security, 4(3):191–223, 2001.
[BCDP05] E. Bertino, B. Catania, M. Damiani, and P. Perlasca. GEO-RBAC: a spatially aware RBAC. In Proc. 10th ACM Symposium on Access Control, pages 29–37, June 2005.
[BCFM00] E. Bertino, S. Castano, E. Ferrari, and M. Mesiti. Specifying and enforcing access control policies for XML document sources. World Wide Web, 3(3):139–151, 2000.
[BDPSN96] A. Baraani-Dastjerdi, J. Pieprzyk, and R. Safavi-Naini. Security in Databases: A Survey Study. Pages 1–39, February 1996. http://citeseer.nj.nec.com/baraani-dastjerdi96security.html.
[BHAE00] E. Bertino, M. A. Hammad, W. G. Aref, and A. K. Elmagarmid. An access control model for video database systems. In CIKM, pages 336–343, 2000.
[BJS95] E. Bertino, S. Jajodia, and P. Samarati. Database Security – Research and Practice. Information Systems, 20(7):537–556, 1995.
[BP76] D. E. Bell and L. J. La Padula. Secure Computer Systems: Unified Exposition and Multics Interpretation. Technical report, The Mitre Corp., 1976.
[CdFvO93] E. Clementini, P. di Felice, and P. van Oosterom. A Small Set of Formal Topological Relationships Suitable for End-User Interaction. Proceedings of the 3rd Symposium on Spatial Database Systems, pages 277–295, 1993.
[FK92] D. Ferraiolo and R. Kuhn. Role-Based Access Control. Proceedings of the 15th National Computer Security Conference, 1992.
[GW76] P. G. Griffiths and B. Wade. An authorization mechanism for a relational database system. ACM TODS, 1(3):243–255, 1976.
[Mag97] G. C. Magalhaes. Telecommunications outside plant management throughout Brazil. In Proc. GITA 1997, 1997.
[PSA01] J. Park, R. Sandhu, and G. Ahn. Role-Based Access Control on the Web. ACM Transactions on Information and System Security, 4(1):37–71, 2001.
[Sag] Sagre. http://www.cpqdusa.com/solutions/outside.html, accessed April 2006.
[Sas02] L. K. Sasaoka. Access Control in Geographic Databases. Master’s thesis, Universidade Estadual de Campinas, June 2002. In Portuguese.
[WHE04] W. Ye, J. Heidemann, and D. Estrin. Medium Access Control with Coordinated Adaptive Sleeping for Wireless Sensor Networks. IEEE/ACM Transactions on Networking, 12(3):493–506, 2004.
... The access control is having two main parts; they are (i) Authorization Model and (ii) the Access control mechanism (Sasaoka & Medeiros, 2006). Lin, Fang, Chen, & Wu (2008) emphasised the authorization model as a triple letter indicator called <s,o,p>, whose elements represent Subjects, Objects, and Privileges, respectively. ...
... Lin, Fang, Chen, & Wu (2008) emphasised the authorization model as a triple letter indicator called <s,o,p>, whose elements represent Subjects, Objects, and Privileges, respectively. Sasaoka & Medeiros (2006) have the same attitude on the model but they use the term "access mode" instead of "privilege". In other words, it establishes which subjects (s) are authorized to perform which operations (pprivileges) on which objects (o). ...
Thesis
Full-text available
Diversion of surface runoff from housing allotments directly into the stormwater drainage network along roads is a common phenomenon in urban areas which leads to urban flooding. When urban land changes are made for development, the natural hydrology undergoes changes, usually leading to high surface runoff and often flash floods. Calculating the effect of modifications and quickly proposing an optimum solution becomes a difficult task not only for non-technical persons but also for some technical persons. Screening of existing tools identified that there is no single tool which could dynamically capture the land modifications and perform hydrological calculations to manage stormwater from urban lands. The main objective of the present research was to develop a dynamic, user-friendly GIS tool which would capture key land parcel changes and perform calculation of stormwater generation by looking at both pre- and post-development scenarios. Accordingly, a user-friendly dynamic GIS tool which enables on-screen modification of a land allotment was developed for computation of a composite land parcel runoff coefficient. The tool was then extended to incorporate a hydrologic model to perform a comparison of before and after modification, and further extended to incorporate a detention tank model for management of the generated stormwater. The Thimbirigasyaya ward of the Colombo Municipal Council area, covering 162 hectares with 1405 land parcels, was the study area. The development methodology included requirement identification, literature survey, conceptual design, coding, testing, modification and product delivery. In the conceptual design, the tool design was carried out for land authorities to optimize development alternatives jointly with the owner. Therefore, the tool demanded a high level of user friendliness.
Through a detailed literature survey, soil, slope and land cover were identified as the key parameters governing stormwater generation from a land parcel modification. Hydrologic modeling computations within the tool were based on the rational formula, unit hydrograph theory and the tank model concept. Detention storage for stormwater management was based on the research monograph of Wijesinghe and Wijesekara (2010). Split, merge and adjust operations were incorporated into the tool to carry out land modifications. Summative and formative evaluation techniques were used to achieve user-friendliness and accuracy of the tool. A lookup table cited in Perera & Wijesekera (2010) for runoff coefficient computation was embedded in the tool. The tool is capable of following modifications to this lookup table as and when new research findings are known. In the land modification component, the tool facilitates on-screen modifications of land parcels and updating of hydrological parameters. The GIS model combines the layers and supporting data such as runoff coefficients, rainfall, etc. to compute the time series of stormwater generated from each land parcel. The tool developed by the present work produces a hydrograph and permits a user to incorporate dimensions of a detention pit to observe its effect on stormwater generation. This enables a land owner and a manager to identify a suitable detention pit for the intended land modifications. The unavailability of Graphical User Interface (GUI) guidelines for GIS and the lack of suitable spatial data security algorithms that could be used with confidence influenced the present work to contribute and develop new techniques. As the main results of the work, a user-friendly, accurate, dynamic GIS tool capable of land management in relation to stormwater, a step-by-step user manual, guidelines for GUI development and contributions towards a security algorithm could be mentioned.
Visualization of land modifications; dynamic change capability of parameter selection, design rainfall and detention pit sizes; and visually presenting the effect of detention pit incorporation are unique features of the tool which increase the user friendliness for non-GIS decision makers. The development of a single tool which provides Hydrologic-GIS capabilities for urban property management activities, through the capability to identify optimum solutions, is a contribution towards successful GIS applications for land and water management. Due to the possession of “Muscle” to rationally manage urban land parcels, the name “Geographic Information Systems to Manage Urban Stormwater Considering Land Enhancement”, abbreviated as “GIS2MUSCLE”, is given to the tool contributed from the work. This study, through development and testing, satisfactorily concluded that a user-friendly dynamic GIS tool enabling on-screen land and attribute modifications had been developed to user satisfaction while achieving 100% accuracy. The developed tool, which enables the visualization of prior and post scenarios of land development, has the capabilities to successfully handle the dynamics of both stormwater generation and the process of land management. The present work also concluded that in order to achieve user friendliness and user satisfaction, it is necessary to incorporate an iterative design process with careful consideration of visual clarity, consistency, compatibility, informative feedback, explicitness, appropriate functionality, flexibility and control, error prevention and correction, user guidance, user support, etc., with respect to tool development.
... But in the absence of controllability over the data ownership, the data-originating organization may face difficulties when such a user changes the information and starts to share the data set informing that it is the original dataset (Sebake & Coetzee, 2013). Most of the research works on this issue attempt to build either access control security or privacy of the spatial information in the same way they are used in relational or unstructured data sets (Atluri & Chun, 2004; Bertino et al., 2008; Lin et al., 2008; Sasaoka & Medeiros, 2006). Nevertheless, no research could be found on spatial data protection mechanisms for protecting or auditing other than those based on access control mechanisms. ...
Conference Paper
One of the challenges of desktop spatial data security is providing data security when computing with tools developed with unsecured software. Modifications are often required, especially in geographical databases, because of the continuous changes that take place in soil, slope, land cover and parcel boundaries. Therefore, data security measures need to incorporate mechanisms that enable the users to recognise the authenticity of the modified data. In the present work, a new concept for spatial data security was incorporated to identify any unauthorised modifications to the data sets of a land use planning tool developed with the use of off-the-shelf GIS software. This concept incorporates a two-dimensional security stamp using both the spatial attributes and non-spatial attributes of the geographic dataset, which results in a unique encrypted identity for a corresponding user or a user group. The security stamp developed using this concept was incorporated into a Geographic Stormwater Management Tool and tested for its successfulness. This successfulness was evaluated based on the probability of error occurrence in the stamp value. The proposed concept identifies changes incorporated into spatial data whether they are unintentional or intentional and hence falls into the category of "Responsible Citizen" tools.
... In the authorisation model (S, O, P), O represents the target objects for geospatial access control. As for vector data, target objects are usually represented with an ID, ID lists, or geospatial queries Q (Sasaoka and Medeiros 2006). The basic idea is to match access requests against authorisation rules in the repository, and make the access decision based on the matching result. ...
Article
In recent years, geographical information systems have been employed in a wide variety of application domains, and as a result many research efforts are being devoted to those upcoming problems. Geospatial data security, especially access control, has attracted increased research interest within the academic community. The tendency towards sharing and interoperability of geospatial data and applications makes it common to acquire and integrate geospatial data from multiple organisations to accomplish a complex task. Meanwhile, many organisations have the requirement for securing access to possessed sensitive or proprietary geospatial data. In this heterogeneous and distributed environment, consistent access control functionality is crucial to promote controlled accessibility. As an extension of general access control mechanisms in the IT domain, the mechanism for geospatial data access control has its own requirements and characteristics of granularity and geospatial logic. In this paper, we address several fundamental aspects concerning the design and implementation of an access control system for geospatial data, including the classification, requirements, authorisation models, storage structures and management approaches for authorisation rules, matching and decision-making algorithms between authorisation rules and access requests, and its policy enforcement mechanisms. This paper also presents a system framework for realising access control functionality for geospatial data, and explains access control procedures in detail.
Conference Paper
Visualization of spatial data is of increasing importance in science and society, but opens up justified concerns about data privacy and security. A classic methodology for cartography through generalization is data selection; however, data selection can be challenging under security constraints for two main reasons. First, individual records are kept in the visualization, so a data security approach such as access control needs to be put in place to avoid leakage of information about protected records to unauthorized parties. Second, it can be computationally hard to pick out records from a large spatial dataset so as to create an aesthetically pleasing visualization respecting user constraints and optimization goals. The latter expense can get compounded by the need to additionally respect access control restrictions. This paper presents a way to integrate label-based access control into an existing technique for declarative cartography termed global selection. Through a set of theorems and new algorithms, we demonstrate that we can reuse derivation and resolution of record conflicts when computing global selections across access roles in a security hierarchy. In experiments with realistic datasets, the runtime of the best among these new methods achieves an improvement of up to 2x-5x compared with repeatedly computing the global selection in medium-to-large security hierarchies.
Article
The multi-granularity spatial-temporal-related access control (MSTAC) model was proposed to meet the spatial access control requirements for the service-oriented spatial data infrastructure (SDI). MSTAC extends the attribute constraints of role-based access control (RBAC), which includes the user's location attribute, the role's time constraint, the layer vector constraint of a map class, the scale and time constraints of a geographic layer, the topological constraints of geographic features, the semantic attribute expression constraints of geographic features, and the field constraint of feature views. Through this model, authorized users would be limited to access different granularity spatial datasets, such as the map granularity, the graphic layer granularity, the feature object granularity and the feature view granularity. Finally, the MSTAC model is achieved in a web GIS, which shows the positive and negative authorizations to different services in different data granularities and time periods.
Conference Paper
In the framework of a geographic application displaying maps, there are several solutions for protecting a sensitive object. Sensitive objects can be hidden, masked, blurred or even replaced by fake objects. In this paper we suggest a framework to specify protection mechanisms to enforce whenever a prohibition is derived from the security policy. This framework includes (i) logical rules allowing us to derive protection mechanisms from prohibitions, and (ii) an algorithm which builds the map to display, according to the derived protection mechanisms.
Conference Paper
Currently, Location Based Services (LBS) tend to be more large-scale, distributed and open, which brings up new challenges to the design of spatially aware access control models. Nowadays, location-based access control models encounter difficulties in both the flexibility of expression, and the scalability and efficiency of policy management. To address these challenges, in this paper we propose a spatial extension to the RBAC model towards large-scale distributed LBS applications. This model defines spatial context, presents the concepts of the parameterized spatial permission and the parameterized spatial role, and an implementation architecture. This model enables the definition of spatial authorizations directly on a group of objects, which greatly reduces the management cost in large distributed LBS applications.
Conference Paper
In the framework of a map service which creates and displays maps of information coming from multiple heterogeneous sources, implementing a prohibition can be done in several ways. A sensitive object can be erased from the returned map, or masked, or blurred or even replaced by another object. In this paper we suggest a framework to specify protection mechanisms to enforce whenever a prohibition is derived from the security policy. This framework includes (i) logical rules allowing us to derive protection mechanisms from prohibitions, and (ii) an algorithm which builds the map to display.
Conference Paper
With the development of network technologies and GIS, spatial data security is becoming more and more important because of the increasing spatial data sharing and interoperation. At the same time, advanced spatial data acquisition technologies are producing massive high-precision data. Therefore, fine-grained access restrictions to spatial data are seriously demanded. However, the existing data access control technologies are inadequate to meet the security requirements of spatial data, especially in fine-grained access control. In this paper, the fine-grained access control of spatial data issues is discussed in detail. Then, the mechanism of authorization for fine-grained access control is introduced. Based on the Role-based Access Control (RBAC) model, a fine-grained access control model for spatial data is proposed in the grid environment. Finally, a case study is given to prove the feasibility of the proposed model.
Article
Access control is an important component of any database management system. Several access control models have been proposed for conventional databases. However, these models do not seem adequate for geographical databases, due to the peculiarities of geographical data. Previous work on access control models for geographical data mainly concerns raster maps (images). In this paper, we present a discretionary access control model for geographical maps. We assume that each map is composed of a set of features. Each feature is represented in one or more maps by spatial objects, described by means of different spatial properties: geometric properties, describing the shape, extension and location of the objects, and topological properties, describing the topological relationships existing among objects. The proposed access control model allows the security administrator to define authorizations against map objects at a very fine granularity level, taking into account the various spatial representations and the object dimension. The model also supports both positive and negative authorizations as well as different propagation rules that make access control very flexible.
Article
Securing access to data in location-based services and mobile applications requires the definition of spatially aware access control systems. Even if some approaches have already been proposed either in the context of geographic database systems or context-aware applications, a comprehensive framework, general and flexible enough to deal with spatial aspects in real mobile applications, is still missing. In this paper, we make one step toward this direction and we present GEO-RBAC, an extension of the RBAC model enhanced with spatial and location-based information. In GEO-RBAC, spatial entities are used to model objects, user positions, and geographically bounded roles. Roles are activated based on the position of the user. Besides a physical position, obtained from a given mobile terminal or a cellular phone, users are also assigned a logical and device independent position, representing the feature (the road, the town, the region) in which they are located. To enhance flexibility and re-usability, we also introduce the concept of role schema, specifying the name of the role as well as the type of the role spatial boundary and the granularity of the logical position. We then extend GEO-RBAC to support hierarchies, modeling permission, user, and activation inheritance, and separation of duty constraints. The proposed classes of constraints extend the conventional ones to deal with different granularities (schema/instance level) and spatial information. We conclude the paper with an analysis of several properties concerning the resulting model.
Conference Paper
Topological relationships between spatial objects represent important knowledge that users of geographic information systems expect to retrieve from a spatial database. A difficult task is to assign precise semantics to user queries involving concepts such as crosses, is inside, is adjacent. In this paper, we present two methods for describing topological relationships. The first method is an extension of the geometric point-set approach by taking the dimension of the intersections into account. This results in a very large number of different topological relationships for point, line, and area features. In the second method, which aims to be more suitable for humans, we propose to group all possible cases into a few meaningful topological relationships and we discuss their exclusiveness and completeness with respect to the point-set approach.
Article
Role-based access control (RBAC) models are receiving increasing attention as a generalized approach to access control. Roles may be available to users at certain time periods, and unavailable at others. Moreover, there can be temporal dependencies among roles. To tackle such dynamic aspects, we introduce Temporal-RBAC (TRBAC), an extension of the RBAC model. TRBAC supports periodic role enabling and disabling---possibly with individual exceptions for particular users---and temporal dependencies among such actions, expressed by means of role triggers. Role trigger actions may be either immediately executed, or deferred by an explicitly specified amount of time. Enabling and disabling actions may be given a priority, which is used to solve conflicting actions. A formal semantics for the specification language is provided, and a polynomial safeness check is introduced to reject ambiguous or inconsistent specifications. Finally, a system implementing TRBAC on top of a conventional DBMS is presented.
Article
In this paper, we survey the security of conventional databases and object-oriented databases that has been reported in the current literature. This is an area of substantial interest in databases because (1) the use of databases is becoming very important in today's enterprises, and (2) databases contain information that is a major enterprise asset. Security concerns, requirements, and problems that arise in the pursuit of meeting these requirements for security in databases are illustrated. We discuss access control issues in databases, and further identify some promising research directions. 1 Introduction Information is a critical resource in today's enterprises, whether they are military, industrial, commercial, educational, medical, etc. These organizations are now automating not only their basic operational functions, such as invoicing, payroll, and stock control, but also management support functions such as sales forecasting, budgeting, and financial control. In order to support th...
Article
A unified narrative exposition of the ESD/MITRE computer security model is presented. A suggestive interpretation of the model in the context of Multics and a discussion of several other important topics (such as communications paths, sabotage and integrity) conclude the report. A full, formal presentation of the model is included in the Appendix.
Article
Current approaches to access control on Web servers do not scale to enterprise-wide systems because they are mostly based on individual user identities. Hence we were motivated by the need to manage and enforce the strong and efficient RBAC access control technology in large-scale Web environments. To satisfy this requirement, we identify two different architectures for RBAC on the Web, called user-pull and server-pull. To demonstrate feasibility, we implement each architecture by integrating and extending well-known technologies such as cookies, X.509, SSL, and LDAP, providing compatibility with current Web technologies. We describe the technologies we use to implement RBAC on the Web in different architectures. Based on our experience, we also compare the tradeoffs of the different approaches.
Article
As an increasing number of organizations become dependent on access to their data over the Internet, the need for adequate security measures is becoming more and more critical. The most popular security measure these days is a firewall. However, a firewall is not immune to penetration, and it does not provide any protection of internal resources from insiders and successful intruders. One of the requirements for the protection of internal resources is access control to ensure that all accesses are authorized according to some specified policy. In this paper, we survey the state of the art in access control for database systems, discuss the main research issues, and outline possible directions for future research.