Fine-grained access control for relational data defines user authorizations at the tuple level. Role Based Access Control (RBAC) has been proposed for relational data where roles are allowed access to tuples based on the authorized view defined by a selection predicate. During the last few years, extensive research has been conducted in the area of role engineering. The existing approaches for role engineering are top-down (using domain experts), bottom-up (role-mining), or a hybrid of both. However, no research has been conducted for role engineering in relational data. In this paper, we address this problem. The challenge is to extract an RBAC policy with authorized selection predicates for users given an existing tuple-level fine-grained access control policy. We formulate the problem for relational data, propose a role mining algorithm, and conduct an experimental evaluation. Experiments demonstrate that the proposed algorithm can achieve up to 400% improvement in performance for relational data as compared to existing role mining techniques.
A variety of programming accidents, i.e., models, methods, artifacts, and tools, are examined to determine that each has a step that programmers find painful enough that they habitually avoid or postpone the step. This pain is generally where the programming accident meets requirements, the essence of software, and their relentless volatility. Hence, there is no silver bullet.
Publish/subscribe (pub/sub) systems support highly scalable, many-to-many communications among loosely coupled publishers and subscribers. Modern pub/sub systems perform message routing based on the message content and allow subscribers to receive messages related to their subscriptions and the current context. However, both content and context encode sensitive information which should be protected from third-party brokers that make routing decisions. In this work, we address this issue by proposing an approach for constructing a privacy-preserving context-based pub/sub system. In particular, our approach assures the confidentiality of the messages being published and subscriptions being issued while allowing the brokers to make routing decisions without decrypting individual messages and subscriptions, and without learning the context. Further, subscribers with a frequently changing context such as location are able to issue and update subscriptions without revealing the subscriptions in plaintext to the broker and without the need to contact a trusted third party for each subscription change resulting from a change in the context. Our approach is based on a modified version of the Paillier additive homomorphic cryptosystem and a recent expressive group key management scheme. The former construct is used to perform privacy-preserving matching and covering, and the latter construct is used to enforce fine-grained encryption-based access control on the messages being published. We optimize our approach in order to efficiently handle frequently changing contexts. We have implemented our approach in a prototype using an industry-strength JMS broker middleware. The experimental results show that our approach is highly practical.