In this paper we introduce an intuitive approach to the semantics of an authorization system based on a clear object-oriented modeling of the (application) world. The authorization system consists of rights which permit or prohibit actions. Actions consist of subjects, operations (access types), and granules (objects to protect) specifying who does which operation on whom. Each of these constituents of actions may be grouped into classes. Moreover, for each of these constituents we have a separate class hierarchy. A right can be given for either one object or for all objects of a class. All rights (permissions and prohibitions) must be specified explicitly. This allows the easy specification of general rules and of exceptions to such a rule. For distinguishing between a general rule and the exception we use priorities, which allow exceptions on an arbitrary level. Moreover, we can use priorities for resolving rights conflicts. We distinguish between specified rights which may contain class names and explicit rights in which only objects are allowed and in which the priority is dropped because of it is understood that only the right with the highest priority for one action is mentioned. Since the number of explicit rights is drastically larger than the number of specified rights we need and give efficient strategies to query the authorization system. In our approach we assume that there are one or more authorization administrators for setting and changing the rights. For reducing unintended side effects if several administrators can independently modify the rights we propose partially ordered priorities.
KeywordsClass Hierarchy Local Priority Database Security Simple Query Actual Conflict
Unable to display preview. Download preview PDF.
- Brüggemann, H.H.: Rights in an Object-Oriented Environment, in: Landwehr, C.E., Jajodia, S. (eds.), Database Security, V: Status and Prospects, North-Holland, Amsterdam, 1992, 99–115.Google Scholar
- Brüggemann, H.H.: Priorities for a Distributed, Object-Oriented Access Control (in German), in: Proc. Verläßliche Informationssysteme VIS’93, Munich, May 93, Vieweg, 51–66.Google Scholar
- Fernandez, E.B., Summers, R.C., Wood, C.: Database Security and Integrity, Addison-Wesley, 1981.Google Scholar
- Fernandez, E.B., Summers, R.C., Lang, T.: Definition and Evaluation of Access Rules in Data Management Systems, in: Proc. 1st Int. Conf. on Very Large Data Bases, Boston, 1975, 268–285.Google Scholar
- Atkinson, M., Bancilhon, F., DeWitt, D., Dittrich, K., Maier, D., Zdonik, S.: The Object-Oriented Database System Manifesto, in: Proc. First International Conference on Deductive and Object-Oriented Databases, Kyoto, Dec. 1989, 40–57.Google Scholar
- Stonebraker, M., Rowe, L.A., Lindsay, B., Gray, J., Carey, M., Brodie, M., Bernstein, P., Beech, D.: Third-Generation Data Base System Manifesto, TR UCB/ERL M90/28, College of Engineering, University of California, Berkeley, April 1990.Google Scholar
- Kim, W.: Research Directions in Object-Oriented Database Systems, in: Proc. 9th Symposium on Principles of Database Systems, 1990, 1–15.Google Scholar
- Dittrich, K.R., Härtig, M., Pfefferle, H.: Discretionary Access Control in Structurally Object-Oriented Database Systems, in: Landwehr, C. (Ed.), Database Security II: Status and Prospects, North-Holland, 1989, 105–121.Google Scholar
- Rabitti, F., Woelk, D., Kim, W.: A model of Authorization for object-oriented and semantic databases, in: Proc. Int. Conf. on Extending Database Technology, Venice, March 1988, LNCS 303, Springer, 1988, 231–250.Google Scholar
- Fernandez, E.B., Gudes, E., Song, H.: A security model for object-oriented databases, in: Proc. IEEE Symposium on Security and Privacy, Oakland, 1989, 110115.Google Scholar
- Larrondo-Petrie, M. M., Gudes, E., Song, H., Fernandez, E.B.: Security Policies in Object-oriented Databases, in: Spooner, D.L., Landwehr, C. (Eds.), Database Security III: Status and Prospects, North-Holland, 1990, 257–268.Google Scholar
- Kelter, U.: Group-oriented discretionary access controls for distributed structurally object-oriented database systems, in: Proc. European Symposium on Research in Computer Security ( ESORICS ), Toulouse, Oct. 1990, 23–33.Google Scholar
- Zdonik, S.B., Maier, D.: Fundamentals of Object-Oriented Databases, in: Zdonik, S.B., Maier, D. (Eds.), Readings in Object-Oriented Database Systems, Morgan Kaufmann, 1990, 1–32.Google Scholar