Last update: August 27, 2009


Secure Publishing with XML

Motivated by the increased use of XML as a flexible data encoding format, we consider the secure publishing of XML documents. In this setting, read-only role-based access control policies (RBACs) are used to specify fragments of static XML documents, which are made accessible to various users. Recent implementations of such RBACs rely on disseminating a single document super-encrypted with multiple cryptographic keys, in such a way that the stated policy is enforced. 

Our research deals with the design and implementation of two new techniques designed to increase the efficiency of multi-encryption, in which each XML element is encrypted with at most one key; namely, schema-level RBACs (SRBACs) and parameterized document-level RBACs (PRBACs).
Since secure publishing uses similar documents, i.e. documents based on a selected schema, with SRBAC we define access control policies at the schema level and then generate the minimal set of keys required to enforce the policy. The main advantage of our approach is that for any application involving a fixed number of schemas, keys can be generated (or pre-generated) only once and then reused in all documents valid for the given schema. While key generation at the schema level has, in general, to be pessimistic, we analyze the schema and then use one of two alternative techniques aimed at minimizing the number of generated keys. Incoming XML documents are efficiently encrypted using single-pass SAX parsing in a manner that disguises the original structure of hidden sub-trees. Each user receives only those keys that are needed for decrypting accessible nodes. Our experiments showed the superiority of multi-encryption over super-encryption in terms of encryption and decryption time, and they also proved the scalability of our approach.

A novel approach to parameterized RBACs supports role parameterization to address the problem of role proliferation, which may occur in policies such as those with roles that provide access to the user with a specific name. We have completed the design and the implementation of the document-level PRBAC.
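The schema-level key generation and per-user key distribution described above can be illustrated with a short sketch. This is an added example, not the project's code; it assumes one simple grouping rule (one key per distinct set of authorized roles), which is not necessarily either of the two key-minimization techniques mentioned, and the schema paths, role names and function names are constructed for illustration.

```python
import secrets
from collections import defaultdict

# Constructed schema-level policy: element path -> roles allowed to read it.
# An empty set means the element is hidden from every role.
POLICY = {
    "/hospital/patient/name":      {"doctor", "nurse", "clerk"},
    "/hospital/patient/address":   {"doctor", "nurse", "clerk"},
    "/hospital/patient/diagnosis": {"doctor", "nurse"},
    "/hospital/patient/treatment": {"doctor", "nurse"},
    "/hospital/patient/billing":   {"clerk"},
    "/hospital/patient/notes":     {"doctor"},
    "/hospital/patient/audit":     set(),
}

def generate_keys(policy):
    """Assign each schema element exactly one key.

    Assumed rule: elements readable by the same set of roles share a key,
    so the key count equals the number of distinct role sets in the policy.
    Keys are generated once per schema and reused for every valid document.
    """
    class_key, element_key = {}, {}
    for path, roles in sorted(policy.items()):
        cls = frozenset(roles)
        if cls not in class_key:
            class_key[cls] = secrets.token_bytes(32)  # 256-bit symmetric key
        element_key[path] = class_key[cls]
    return class_key, element_key

def key_rings(class_key):
    """Give each role only the keys of the classes it belongs to."""
    rings = defaultdict(set)
    for cls, key in class_key.items():
        for role in cls:
            rings[role].add(key)
    return dict(rings)

def readable(role, element_key, rings):
    """Elements a role can decrypt with its key ring."""
    ring = rings.get(role, set())
    return {path for path, key in element_key.items() if key in ring}

if __name__ == "__main__":
    class_key, element_key = generate_keys(POLICY)
    rings = key_rings(class_key)
    print(f"{len(POLICY)} elements, {len(class_key)} keys")
    for role in sorted(rings):
        print(role, len(rings[role]), sorted(readable(role, element_key, rings)))
```

The key for the hidden element is generated but placed in no key ring, so the element is still encrypted in the published document and no role can open it.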
