
 
document not granted to be read are replaced by dummy (fake) values. The purpose of this type of reading operation is to obtain a document that still conforms to its XML schema. Since the XML Schema standard supports a large number of data types and allows new ones to be defined, generating dummy values for a given data type may be very complex. We have opted for an approach in which multiple dummy value generators, each targeting a specific data type, can be implemented and integrated into XXACF.
The pruned reading and dummy reading operations are executed on user demand, i.e. on each request to read a document. When a large number of users access the documents, mostly for reading, using the reading operations described above can seriously impact system performance.
An effective alternative to these approaches is encrypted reading: a new document is created from the original one according to the access control policies defined for the original document, and users can access only the parts of the new document for which they are authorized. One way to form such a document is to use key-based cryptographic techniques (Stallings, 1998; Schneier, 1996). According to the access control policies, different parts of the document are encrypted with different keys. A user possesses only those keys that decrypt the parts of the document that he or she is allowed to access. The major problem for this type of reading is to determine which document parts will be encrypted with which key. The simplest approach is to encrypt each document node with a different key that is accessible only to the users authorized to access that node. This approach is simple to implement, but can generate a large number of keys. Our solution to this problem is to determine role groups, where each group consists of all roles that are granted access to some node(s). One key is generated for each role group, and all nodes to which that group has access are encrypted with that key.
The activity diagram in Figure 6 describes the XXACF procedure for determining the list of root nodes of the subtrees whose nodes should all be encrypted with the same key, as well as the possible subtree transformations. All nodes of each such subtree have the same role group. If the node is an XML element, the method is recursively invoked for its attributes and child nodes. If the node is not an XML element, it is inserted into the list. If the node is an element with no attributes or child nodes (a leaf element), it is also inserted into the list. If the element node is not a leaf, it is verified whether all its attributes and child nodes are in the list and whether they all have the same role group as the element node. If all these conditions are met, the whole subtree rooted at the given element can be encrypted with the same key; therefore, all attributes and child nodes are removed from the list and the element node is inserted instead. If one of these conditions is not satisfied, the attributes, as well as all child nodes that are not elements, are transformed in order to enable encryption with different keys. The XML Encryption specification allows encryption only at the element level: either the whole element or only its content can be encrypted (XML Encryption, 2002). If an attribute's role group differs from the role group of its parent element, that attribute must be encrypted with another key; to enable attribute encryption while maintaining conformance with the XML Encryption specification, the attribute has to be transformed into an element. A similar case occurs when the element content (child nodes) must be encrypted with different keys. Since the whole element cannot then be encrypted with one key, all attributes have to be transformed into subelements of the given element. For the same reason, there are situations in which all non-element subnodes must be transformed. At the end of this activity, the encryption list contains the root nodes of the subtrees whose nodes will be encrypted with one key. Also, all root nodes (subtrees) with the same role group should be encrypted with the same key.
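The procedure just described, as an added Python illustration written for this page (not the XXACF implementation, which is Java-based): a small constructed order document whose nodes carry role groups is walked bottom-up, subtrees with a uniform role group collapse to their root, and the `id` attribute is transformed into an element because its parent cannot be encrypted whole. The `Node` type, its `kind`/`roles` fields and the sample document are assumptions made for the example; one key would then be issued per role group in the returned plan.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List

@dataclass(eq=False)  # identity-based equality: list membership means "this very node"
class Node:
    kind: str                 # "element", "attribute" or "text"
    name: str
    roles: FrozenSet[str]     # role group: every role granted access to this node
    children: List["Node"] = field(default_factory=list)  # attributes + child nodes

def build_encryption_list(node: Node, enc_list: List[Node]) -> None:
    """Recursive walk of Figure 6: collect the subtree roots that can each be
    encrypted with one key, transforming nodes where one key is not enough."""
    if node.kind != "element" or not node.children:
        enc_list.append(node)          # non-element or leaf element: list it directly
        return
    for child in node.children:
        build_encryption_list(child, enc_list)
    if all(c in enc_list and c.roles == node.roles for c in node.children):
        for c in node.children:        # whole subtree shares one role group:
            enc_list.remove(c)         # replace the children by their root
        enc_list.append(node)
    else:
        # Different keys are needed inside this element. XML Encryption only
        # encrypts elements or element content, so attributes and text nodes
        # are turned into elements to make them separately encryptable.
        for c in node.children:
            if c.kind != "element":
                c.kind = "element"

def plan_for(root: Node):
    """Run the walk and map each role group (one key each) to its subtree roots."""
    enc_list: List[Node] = []
    build_encryption_list(root, enc_list)
    plan = {}
    for n in enc_list:
        plan.setdefault(n.roles, []).append(n.name)
    return enc_list, plan

def sample_order() -> Node:
    """Constructed sample document (not from the paper): payment is manager-only."""
    staff, mgr = frozenset({"clerk", "manager"}), frozenset({"manager"})
    return Node("element", "order", staff, [
        Node("attribute", "id", staff),
        Node("element", "customer", staff, [Node("text", "#text", staff)]),
        Node("element", "payment", mgr, [
            Node("attribute", "card", mgr), Node("text", "#text", mgr)]),
    ])
```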
5 CONCLUSIONS 
This paper presents the main features of the eXtensible XML Role-Based Access Control Framework (XXACF). The access control definition language represents access control according to the RBAC model and enables the definition of context-sensitive access control. The system supports specifying access control policies at the document schema, document instance, and document fragment levels. Content-dependent access control policies can also be specified. XXACF provides access control enforcement for different operations on a document, as well as the possibility of enforcing access control in different ways for the same operation. XXACF is a Java-based application. The system's extensibility and configurability facilitate the customization of a specific implementation to users' needs, on the basis
EXTENSIBLE ACCESS CONTROL MODEL FOR XML DOCUMENT COLLECTIONS
379