Abstract

Problem. Access control in database-backed systems conventionally uses separate mechanisms for read and write paths: read-path filtering (row-level security, query rewriting, view predicates) paired with write-path per-row post-image checks (e.g. SQL WITH CHECK OPTION) or ad-hoc application logic. The two specifications drift apart; per-row write checks miss indirect effects from triggers, referential cascades, derived-data maintenance, and secondary-index side effects; and externalized authorization services introduce staleness hazards.

Technique. A single visibility predicate, derived from the request context, governs both paths. Reads are evaluated against a projection of the database from which elements failing the predicate are absent. A write is authorized iff the candidate transaction produces equivalent effect sets under two speculative executions: one against the unfiltered database, one against the filtered projection. Equivalence under a chosen relation admits commit; any difference denies.

The effect set under comparison encompasses direct writes, retractions, reads, return values of database-internal transaction-embedded procedures, and writes induced indirectly by triggers, cascades, derived-data maintenance, and secondary-index updates. The speculative-execution primitive is substrate-agnostic: database forking via structural sharing (immutable and temporal stores), savepoint/rollback (mutable relational), MVCC snapshots, shadow paging, copy-on-write overlays (document and key-value stores), or zero-copy branching (columnar and lakehouse systems).

Advantages. One predicate specifies both read and write policy; policy drift is eliminated by construction. Indirect effects are captured by the differential comparison. Authorization decisions evaluate against authoritative database state, avoiding staleness.
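As an added illustration (not the paper's code), the following Python toy models the differential write check on an in-memory store with one referential cascade; the tenant predicate, the sample rows, and the conventional per-row check it is contrasted with are assumptions:

```python
from copy import deepcopy

# Constructed sample data (not from the paper): customer 1 belongs to tenant "a",
# but order 30, which references customer 1, belongs to tenant "b".
BASE = {
    "customers": {1: {"tenant": "a"}, 2: {"tenant": "b"}},
    "orders": {10: {"customer": 1, "tenant": "a"},
               30: {"customer": 1, "tenant": "b"}},
}

class Store:
    """In-memory store that records every read and every write, including
    writes induced by the referential cascade, as an effect set."""
    def __init__(self, tables):
        self.tables = deepcopy(tables)
        self.effects = set()

    def get(self, table, key):
        row = self.tables[table].get(key)
        self.effects.add(("read", table, key, row is not None))
        return row

    def delete(self, table, key):
        if key not in self.tables[table]:
            return
        del self.tables[table][key]
        self.effects.add(("delete", table, key))
        if table == "customers":  # ON DELETE CASCADE: the customer's orders go too
            for okey, orow in list(self.tables["orders"].items()):
                if orow["customer"] == key:
                    self.delete("orders", okey)

def project(tables, visible):
    """Filtered projection: rows failing the predicate are absent, not hidden."""
    return {t: {k: r for k, r in rows.items() if visible(r)}
            for t, rows in tables.items()}

def authorize(txn, tables, visible):
    """Speculate twice (unfiltered vs. projection); commit iff effect sets are equal."""
    full, filtered = Store(tables), Store(project(tables, visible))
    txn(full)
    txn(filtered)
    return full.effects == filtered.effects

def per_row_check(tables, table, key, visible):
    """Conventional write-path check: only the directly targeted row is inspected."""
    return visible(tables[table][key])

tenant_a = lambda row: row["tenant"] == "a"          # assumed visibility predicate
delete_customer_1 = lambda db: db.delete("customers", 1)
delete_order_10 = lambda db: db.delete("orders", 10)
```

The per-row check admits deleting customer 1 (the row itself is visible to tenant "a"), while the differential check denies it because the cascade in the unfiltered run also deletes order 30, an effect the filtered run never produces.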

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
