
Prikl. Diskr. Mat. Suppl., 2016 Issue 9, Pages 93–95 (Mi pdma282)

This article is cited in 1 paper

Mathematical Foundations of Computer Security

Lightweight implementation of ABAC mechanism on Database Firewall

D. N. Kolegov (a, b), N. O. Tkachenko (a, b)

a Tomsk State University, Tomsk
b "Positive Technologies", Tomsk

Abstract: We propose a lightweight, non-invasive method for implementing attribute-based access control for the MySQL RDBMS on a Database Firewall. The implemented access control mechanism consists of two parts. In NIST ABAC terminology, the first part is the Policy Enforcement Point (PEP) and the second is the Policy Decision Point (PDP). The PDP and the PEP communicate over HTTP. The PEP handles SQL queries from the client, parses them and sends them to the PDP via HTTP. The PDP implements a lightweight core of ABAC; its main purpose is to decide whether to permit or deny access based on the stored policies. After the decision is made, the PDP sends it to the PEP. We developed a new role view mechanism to combine RBAC and ABAC; this mechanism is used to translate privileges from RBAC roles into ABAC rules. ABAC rules are configured in a special language named AF Rules and specified in JSON format. These rules are translated into PDP code, which implements the access control checks.
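
As an added illustration of the PEP/PDP split and the role view described above (not the paper's code: the AF Rules language and its JSON schema are not given on this page, so the rule format, the toy SQL parser and the in-process PDP call below are this example's own assumptions), a minimal deny-overrides PDP with RBAC grants translated into ABAC permit rules:

```python
import json
# Constructed rule set. This JSON schema is this example's own assumption,
# not the paper's AF Rules language, which the abstract does not specify.
RULES_JSON = """[
 {"effect": "permit", "subject": {"department": "analytics"}, "resource": {"table": "sales"}, "action": ["SELECT"]},
 {"effect": "deny", "subject": {"department": "analytics"}, "resource": {"table": "salaries"}, "action": ["SELECT", "INSERT", "UPDATE", "DELETE"]}
]"""

def parse_query(sql):
    """PEP side: toy parser extracting the operation and the target table."""
    tokens = sql.strip().rstrip(";").split()
    upper = [t.upper() for t in tokens]
    op = upper[0]
    if op == "UPDATE":
        table = tokens[1]
    else:
        keyword = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO"}[op]
        table = tokens[upper.index(keyword) + 1]
    return {"action": op, "table": table.strip("`")}

def role_view(role_privileges):
    """Role view: RBAC grants {role: [(table, [actions])]} -> ABAC permit rules."""
    return [{"effect": "permit", "subject": {"role": role},
             "resource": {"table": table}, "action": actions}
            for role, grants in role_privileges.items()
            for table, actions in grants]

def matches(condition, attributes):
    return all(attributes.get(k) == v for k, v in condition.items())

def decide(rules, subject, query):
    """PDP: deny-overrides combining; default deny when no rule matches."""
    decision = "deny"
    for rule in rules:
        if (matches(rule["subject"], subject) and matches(rule["resource"], query)
                and query["action"] in rule["action"]):
            if rule["effect"] == "deny":
                return "deny"
            decision = "permit"
    return decision

def pep_check(rules, subject, sql):
    """PEP entry: parse SQL, then ask the PDP (in-process here, HTTP in the paper)."""
    return decide(rules, subject, parse_query(sql))

# Combined policy: JSON ABAC rules plus rules derived from a constructed RBAC role.
ALL_RULES = json.loads(RULES_JSON) + role_view(
    {"reporter": [("sales", ["SELECT"]), ("salaries", ["SELECT"])]})
```

The second check below shows the point of deny-overrides: the reporter role grants SELECT on salaries, but the department-level deny rule still wins.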

Keywords: access control, ABAC, RBAC, Database Firewall.

UDC: 004.94

DOI: 10.17223/2226308X/9/36

© Steklov Math. Inst. of RAS, 2024