Granular Access Scopes in Modern Systems

• Granular access scopes are a framework for defining fine-grained boundaries over data and operations through multidimensional policies that integrate context, provenance, and runtime constraints.
• They leverage techniques such as provenance-based access control, immutable views, and middleware-driven policy filtering to enforce dynamic, selective authorization in distributed systems.
• These methods enhance security and regulatory compliance by combining layered access controls, attribute-level filtering, and performance-optimized query rewriting across diverse platforms.

Granular access scopes specify fine-grained boundaries over which data, resources, or operations may be accessed, typically governed by multidimensional policies that integrate context, data semantics, and runtime constraints. This concept is fundamental for systems seeking to balance functionality against strict confidentiality, regulatory compliance, and operational security. Across distributed databases, personal clouds, IoT infrastructure, policy-based security platforms, and event-driven process mining, granular access scopes enable selective authorization, contextual filtering, and dynamic adaptation of access rights, often leveraging provenance, capabilities, rule-based overlays, or policy matrices.

1. Provenance-Based Access Control in Distributed Rule Systems

WebdamLog (Abiteboul et al., 2013) exemplifies granular access by stratifying extensional (base) and intentional (derived) data and leveraging provenance as a vehicle for policy propagation. Extensional facts are protected using traditional ACLs, with a unique owner and explicit grant semantics per relation. Intentional facts—constructed via rules from base facts—are protected more selectively: each derived fact F in an intentional relation carries provenance tokens marking contributing base facts. The access condition is formally defined as:

$$\text{Access}(F, c) = \text{[c has read access on } F] \land \bigcup_{p \in \text{Prov}(F)} \text{ read}(p, c)$$

A reader must possess not only permissions on the view but also all provenance sources along at least one derivation path. Granularity is preserved even in non-monotonic derivations (joins, unions), and strict propagation prevents implicit permissions leakage. Flexibility is introduced by the \texttt{\textbackslash hide} annotation, which explicitly masks certain provenance elements, mitigating over-constraining policies in practical use-cases.

Delegation in this system is governed by sandboxing: remotely deployed rules execute under the credentials of the delegator, not the host. Thus, both side effects and access checks are attributed and restricted according to the rules’ original author, reinforcing and preserving fine granularity even in distributed computation and rule exchange.

2. Immutable Views and Layered Policy Filtering in Personal Data Stores

The concept of “immutable views” (Shvartzshnaider, 2015) constitutes a graph-based model for finely partitioned access scopes over personal clouds and data stores. Access control is structured in three principle layers:

• Global Information Space (GIS): The source repository holding raw data and all policy assertions.
• Policy View (Policy MAP): A graph query operates as a filter to generate a subspace matching defined policies, producing a view $P(G)$ where $G$ is the global dataset and $P$ is the policy mapping.
• Interest View (Interest MAP): Further restriction is applied based on the requester’s specific context or query, yielding $V = (I \circ P)(G)$.

This layered MAP chaining enables precise scope definition: the first MAP applies static policies, while the second map adapts to runtime user context or queries. Immutable views, guaranteed by snapshotting and enforced isolation, ensure no cross-user queryability. Updates occur by creating new view instances via the ADD operation, analogous to branching in Git; these branches can later be merged (subject to policies) into the global repository.

Deployment using Mirage OS unikernels for each authorized instance further enforces isolation and policy adherence at the virtualization layer. Scalability is achieved by leveraging Irmin, a distributed git-like backend, and the protocol’s native support for concurrent updates and merging. The approach supports highly granular access, including attribute-level filtering, and aligns with privacy and security requirements in multi-tenant environments.

3. Policy-Based Granular Access in Database Applications

Estrela (Bichhawat et al., 2018) introduces a middleware architecture for contextual and granular policy enforcement in database-backed applications. Policies are attached to database schema using constructs specifying:

• Targeted fields $t_i.f_i$
• Phase $\phi$ (pre-evaluation, post-evaluation)
• Optionally, API endpoint $A$ (context binding)
• Policy body $P$ (enforcement logic)

Pre-eval policies rewrite queries by injecting additional filtering clauses—enforcing granular selection before data retrieval. Post-eval policies act on result sets, modifying or masking sensitive data fields according to context, supporting partial data release (e.g., revealing city but not full address).

Algorithmically, policies are selected based on both fields accessed and contextual information (API endpoint). The framework’s enforcement algorithm calls $GetPolicy(P, fields, A, def)$ to select matching policies, favoring policies bound to specific endpoints. The use of post-eval logic prevents implicit leaks arising from multi-field queries. Monkey-patching of Django ORM guarantees all queries are mediated, and measured overhead remains minimal (typically less than 1%).

Challenges include complex context-aware requirements, need for partial disclosure, and prevention of implicit information leaks. The separation of policy specification from code addresses auditability and maintainability. Granular scopes are thus mediated at both access and result levels, tightly coupled to context and usage.

4. Scalable Fine-Grained Access Control in Database Management Systems

SIEVE (Pappachan et al., 2020) targets scalable enforcement of fine-grained access control (FGAC) in DBMS environments hosting thousands of policies, such as smart spaces and environments governed by GDPR and CCPA. The middleware operates by:

• Filtering policies using query context and tuple attributes.
• Transforming large disjunctive policy expressions into guarded policy partitions:

$$G = G_1 \lor G_2 \lor \dots \lor G_n, \text{ with } G_i = i_g \land (\text{policy partition})$$

Each guard $i_g$ is a predicate over an indexed attribute, rapidly filtering tuples before expensive policy evaluation. Guard merging is executed using a formal cost model:

$$\text{cost}(G_i) = \#_i\{g\} \cdot (c_r + \text{cost}(\text{eval}(G_i, t)))$$

Merging guards occurs when significant interval overlap decreases overall evaluation cost, as formalized in the paper’s derivation.

A UDF-based policy check operator $\Delta$ is used to dynamically select and evaluate policy subsets per tuple. Query rewriting occurs via WITH clauses and index hints in SQL. SIEVE adaptively selects strategy (inlining versus UDF) based on EXPLAIN output and measured cost.

Empirical results demonstrate that SIEVE can evaluate queries over millions of rows and thousands of policies in subsecond timescales, outperforming baselines by up to $5.6\times$ in some settings. This efficiency enables real-time, granular policy enforcement for individual tuples and attributes.

5. Modular Multi-Policy Analysis for Granular Access in System Security

PolyScope (Lee et al., 2020, Lee et al., 2023) presents a framework for static triage of Android’s multilayered access control policies (MAC via SEAndroid/SELinux, DAC via UNIX permissions, Android permissions, and Scoped Storage). Subjects and objects are cross-labeled by all applicable policy mechanisms, and access is granted only if all policies permit the operation (intersection semantics).

Permission expansion—through granting of additional discretionary privileges or manipulation of resource ownership—expands effective access scopes. The analysis tracks integrity violations via formulas such as:

$$\{read\, |\, write\, |\, exec\}(\text{file},\, victim) \land \text{adv\_expand}(\text{file},\, adversary) \land write(\text{file},\, adversary) \rightarrow \{\text{read},\, \text{write},\, \text{exec}\}-IV(\text{file},\, victim,\, adversary)$$

Only a subset of authorized flows are exploitable as attack operations, with PolyScope finding that permission expansion can multiply the attack surface by up to $10\times$, although typically only $15$–$20\%$ translate to practical attacks.

Scoped Storage reduces adversary access by restricting external data access to package-private directories and limiting global write/group delegation. PolyScope’s modular architecture independently extends/analyzes policy models—for example, integrating Scoped Storage—then computes intersections to derive effective granular access scopes. This enables precise, policy-driven reduction and triage of the attack surface for OEM-customized Android releases.

6. Capabilities-Based Granular Access Control in Data Spaces

A modular, semantically-driven capabilities model underpins fine-grained access control in “data spaces” (Fotiou et al., 18 Apr 2025). Data owners specify policies in Policy Administration Points (PAPs), which are either centralized or distributed. Access validation is executed by a Policy Decision Point (PDP) that leverages policy semantics and context metadata (via a Policy Information Point, PIP) when evaluating operations over URLs representing object types and instances.

The decision procedure is formalized:

$$\text{Decide}(Consumer_{id},\, operation,\, URL) \rightarrow \{true,\; false\}$$

URL coverage (object type ≥ object instance, etc.) is determined per summarized rules. Integration of W3C Verifiable Credentials (VCs) supports cryptographically secure, privacy-preserving assignment and revocation of access rights. Dynamic usage control is enforced via continuous evaluation, caching, and periodic VC revocation list checks.

Granularity derives from attaching policies at both the type and attribute level, and distributed PAPs permit independent, highly localized policy specification and revocation. Application scenarios include IoT device management, industrial exchange, and dynamic event subscription, exemplifying both attribute-level (“status”, “color”) and type-level (“all smart lamps”) scoping.

7. Policy-Driven, OAuth and Runtime Context-Based Granular Access in AI Tooling

Security enhancements for AI tooling protocols (MCP) are addressed by the Enhanced Tool Definition Interface (ETDI) (Bhatt et al., 2 Jun 2025), which introduces cryptographically signed, immutable, versioned tool definitions, combined with explicit OAuth 2.0 permission management. Each tool definition encapsulates required scopes, and every invocation is authenticated via signed JWT tokens, with binding to tool identity and version.

Beyond static OAuth scope validation, a dedicated policy engine (based on Open Policy Agent or similar) evaluates requests against richer context attributes (user origin, time, network, call-stack) at runtime:

$$\text{Decision} = PDP(\text{Principal},\, \text{Action},\, \text{Resource},\, \text{Context})$$

This layered model ensures that a tool’s access is authorized not only statically but also dynamically, yielding granular scope enforcement per action, resource, context, and version. The incremental burden of this approach includes performance overhead in runtime evaluation and increased complexity in key management and user approval workflows. Nevertheless, it constitutes an auditable, highly granular access model appropriate for modern AI ecosystems facing sophisticated attack vectors.

---

Granular access scopes, as articulated in contemporary systems, are achieved through a combination of provenance tracking, layered policy filtering, context- and attribute-aware enforcement, modular policy composition, cryptographically verifiable credentials, and dynamic runtime evaluation. Each paradigm—be it distributed DBMS, personal data stores, system call mediation, process mining enrichment, or AI tool integration—demonstrates domain-specific strategies for demarcating, enforcing, and adapting the granularity of access control boundaries.