XML is becoming the prominent standard for the representation and exchange of Web data. As the number of users who are publishing and exchanging their data over the Internet is continuously increasing, it is important to control access to XML content of sensitive nature. In this talk I am going to focus on the work I have done on the following subjects: (1) Formalization of the semantics of access control models for read and update operations and (2) Specification and Efficient enforcement of access control policies for update operations.

In the first part of the talk I will discuss the formalization of the semantics of access control policies. State of the art approaches on XML access control use often ambiguous natural language descriptions to specify the meaning of an access control policy. I will present a solution that makes use of XPath 1.0 for specifying the semantics of access policies for both read and update operations.

In the second part of the talk I will present the XML Access Control specification language for Update operations (XACU). The update operations in XACU are based on the operations introduced in the W3C XQuery Update Facility Document. I will discuss our approach on efficiently enforcing access control statically, without accessing the database, by employing tools such as XPath intersection and containment.