Access control is a key service of any data management system. It allows regulating the access to data resources at different granularity levels on the basis of access control models which vary on the protection options they offer. The more powerful is the access control model in terms of protection requirements, the more difficult is for security administrators to understand the effect of a set of access control policies on the protected resources. This is further complicated within schemaless systems, like NoSQL datastores, when fine grained access control policies are specified for data resources characterized by heterogeneous structures. The lack of a reference data model and related manipulation languages exacerbates this issue. To the best of our knowledge, a general approach to evaluate the impact of access control policies on the protected resources within NoSQL systems is still missing. In this paper, we start to fill this void, by proposing a data model agnostic approach, which, starting from schemaless datasets protected by different discretionary access control models, derives a view of the protected resources that points out authorized and unauthorized contents. Experimental results show the approach efficiency even with large datasets.

访问控制是任何数据管理系统的关键服务。它允许基于访问控制模型来调节对不同粒度级别的数据资源的访问，访问控制模型根据它们提供的保护选项而有所不同。就保护要求而言，访问控制模型越强大，安全管理员就越难理解一组访问控制策略对受保护资源的影响。当为以异构结构为特征的数据资源指定细粒度的访问控制策略时，在无模式系统（如NoSQL数据存储）中，这将变得更加复杂。缺少参考数据模型和相关的操作语言加剧了此问题。据我们所知，仍然缺少评估访问控制策略对NoSQL系统内受保护资源的影响的通用方法。在本文中，我们通过提出一种数据模型不可知的方法来填补这一空白，该方法从受不同自由访问控制模型保护的无模式数据集开始，得出指出受保护和授权内容的受保护资源视图。实验结果表明，即使使用大型数据集，该方法的效率也很高。