Application-level access control is a top priority when hardening software applications. In particular, run-time customization of access control policies and separation for concerns are becoming increasingly important. While these requirements are generally well-supported for request-response applications, there is a lack of support for data-focused operations, such as search or data aggregation, in a multi-tier architecture. Moreover, an ability to specify fine-grained access control policies is generally lacking for such applications. This puts at risk the security of organizations that employ existing and emerging database technologies and requires solutions that alleviate this issue. This paper approaches this issue through query rewri...