Object-Oriented Authorization

  • H. H. Brüggemann
Part of the International Centre for Mechanical Sciences book series (CISM, volume 347)


In this paper we introduce an intuitive approach to the semantics of an authorization system based on a clear object-oriented modeling of the (application) world. The authorization system consists of rights which permit or prohibit actions. Actions consist of subjects, operations (access types), and granules (objects to protect) specifying who does which operation on whom. Each of these constituents of actions may be grouped into classes. Moreover, for each of these constituents we have a separate class hierarchy. A right can be given for either one object or for all objects of a class. All rights (permissions and prohibitions) must be specified explicitly. This allows the easy specification of general rules and of exceptions to such a rule. For distinguishing between a general rule and the exception we use priorities, which allow exceptions on an arbitrary level. Moreover, we can use priorities for resolving rights conflicts. We distinguish between specified rights which may contain class names and explicit rights in which only objects are allowed and in which the priority is dropped because of it is understood that only the right with the highest priority for one action is mentioned. Since the number of explicit rights is drastically larger than the number of specified rights we need and give efficient strategies to query the authorization system. In our approach we assume that there are one or more authorization administrators for setting and changing the rights. For reducing unintended side effects if several administrators can independently modify the rights we propose partially ordered priorities.


Class Hierarchy Local Priority Database Security Simple Query Actual Conflict 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Brüggemann, H.H.: Rights in an Object-Oriented Environment, in: Landwehr, C.E., Jajodia, S. (eds.), Database Security, V: Status and Prospects, North-Holland, Amsterdam, 1992, 99–115.Google Scholar
  2. [2]
    Brüggemann, H.H.: Priorities for a Distributed, Object-Oriented Access Control (in German), in: Proc. Verläßliche Informationssysteme VIS’93, Munich, May 93, Vieweg, 51–66.Google Scholar
  3. [3]
    Ritchie, D.M., Thompson, K.: The UNIX Time-Sharing System, Communications of the ACM, Vol. 17, July 1974, 365–375.CrossRefGoogle Scholar
  4. [4]
    Griffiths, P.P., Wade, B.W.: An Authorization Mechanism for a Relational Database System, ACM Transaction on Database Systems, Vol. 1, 1976, 242–255.CrossRefGoogle Scholar
  5. [5]
    Fernandez, E.B., Summers, R.C., Wood, C.: Database Security and Integrity, Addison-Wesley, 1981.Google Scholar
  6. [6]
    Fernandez, E.B., Summers, R.C., Lang, T.: Definition and Evaluation of Access Rules in Data Management Systems, in: Proc. 1st Int. Conf. on Very Large Data Bases, Boston, 1975, 268–285.Google Scholar
  7. [7]
    Atkinson, M., Bancilhon, F., DeWitt, D., Dittrich, K., Maier, D., Zdonik, S.: The Object-Oriented Database System Manifesto, in: Proc. First International Conference on Deductive and Object-Oriented Databases, Kyoto, Dec. 1989, 40–57.Google Scholar
  8. [8]
    Stonebraker, M., Rowe, L.A., Lindsay, B., Gray, J., Carey, M., Brodie, M., Bernstein, P., Beech, D.: Third-Generation Data Base System Manifesto, TR UCB/ERL M90/28, College of Engineering, University of California, Berkeley, April 1990.Google Scholar
  9. [9]
    Kim, W.: Research Directions in Object-Oriented Database Systems, in: Proc. 9th Symposium on Principles of Database Systems, 1990, 1–15.Google Scholar
  10. [10]
    Dittrich, K.R., Härtig, M., Pfefferle, H.: Discretionary Access Control in Structurally Object-Oriented Database Systems, in: Landwehr, C. (Ed.), Database Security II: Status and Prospects, North-Holland, 1989, 105–121.Google Scholar
  11. [11]
    Rabitti, F., Woelk, D., Kim, W.: A model of Authorization for object-oriented and semantic databases, in: Proc. Int. Conf. on Extending Database Technology, Venice, March 1988, LNCS 303, Springer, 1988, 231–250.Google Scholar
  12. [12]
    Rabitti, F., Bertino, E., Kim, W., Woelk, D.: A Model of Authorization for Next-Generation Database Systems, ACM Transactions on Database Systems, Vol. 16, March 1991, 88–131.CrossRefGoogle Scholar
  13. [13]
    Fernandez, E.B., Gudes, E., Song, H.: A security model for object-oriented databases, in: Proc. IEEE Symposium on Security and Privacy, Oakland, 1989, 110115.Google Scholar
  14. [14]
    Larrondo-Petrie, M. M., Gudes, E., Song, H., Fernandez, E.B.: Security Policies in Object-oriented Databases, in: Spooner, D.L., Landwehr, C. (Eds.), Database Security III: Status and Prospects, North-Holland, 1990, 257–268.Google Scholar
  15. [15]
    Kelter, U.: Group-oriented discretionary access controls for distributed structurally object-oriented database systems, in: Proc. European Symposium on Research in Computer Security ( ESORICS ), Toulouse, Oct. 1990, 23–33.Google Scholar
  16. [16]
    Goldberg, A., Robson, D.: Smalltalk-80: The Language and its Implementation, Addison-Wesley, Reading, 1983.zbMATHGoogle Scholar
  17. [17]
    Zdonik, S.B., Maier, D.: Fundamentals of Object-Oriented Databases, in: Zdonik, S.B., Maier, D. (Eds.), Readings in Object-Oriented Database Systems, Morgan Kaufmann, 1990, 1–32.Google Scholar

Copyright information

© Springer-Verlag Wien 1994

Authors and Affiliations

  • H. H. Brüggemann
    • 1
  1. 1.University of HildesheimHildesheimGermany

Personalised recommendations