Abstract

Online Analytical Processing (OLAP) has become an increasingly important and prevalent component of enterprise Decision Support Systems. OLAP is associated with a data model known as a Cube, a multi-dimensional representation that allows for the extraction and intuitive visualization of broad patterns and trends that would
otherwise not be obvious to the user. One must note, however, that not all of the collected data should be universally accessible. Specifically, DW/OLAP systems
almost always house confidential and sensitive data — identification information, medical data, or even religious beliefs and ideologies — that must, by definition, be
restricted to authorized users. In this thesis, we provide models and algorithms for protecting the data in multi-dimensional data cube spaces.
To this end, the thesis addresses three distinct but related themes. In the opening part of this study, we propose an authentication and authorization framework
that builds upon an algebra designed specifically for OLAP domains. It relies on robust query re-writing rules to ensure consistent data access across all levels of
the conceptual data cube model. In the second part, we present a framework for controlling malicious inferences caused by unprotected access to coarser level aggregations.
Our framework prevents complicated inferences through a combination of initial query restrictions and the removal of the remaining inferences. In the final part,
we enhance the core framework with an object-oriented security design model and client side language extensions that collectively produce a more intuitive and usable
infrastructure.
The purpose of this study is to design a comprehensive end-to-end framework for OLAP security that is flexible, intuitive, and powerful. In short, the framework allows
administrators to associate security policies with an intuitive conceptual model that maps directly to the model that users see. Restrictions then can be propagated
transparently from users to all the hierarchical data. Moreover, the framework provides an automatic form of inference control that is fast enough in practice to
not affect query time.
To ground our conceptual work, we have integrated our research themes on the top of an OLAP-specific DBMS server (Sidera). Sidera gives us the opportunity to
explore performance and correctness issues that would not be possible without such direct access to a DBMS. In addition, we have evaluated its efficiency with a pair
of common industrial DBMS, a row-based DBMS (PostgreSQL) and a column-store DBMS (MonetDB). The evaluation is done using two common benchmarks (e.g., SSB and APB). The results show the ratio of checking time to execution time varies considerable, depending on the specification of the underlying query. These times are acceptable, particularly given that checking costs do not grow with data set size.