Group-Oriented Discretionary Access Controls for Distributed Structurally Object-Oriented Database Systems

Structurally object-oriented database systems [Di86] are a new class of dedicated data storage systems which are intended to be a basis of CAD, CASE, and other design environments which shall support large development teams. This paper presents a concept for discretionary access controls for structurally object-oriented database systems. lt addresses two particular problems: A distinguishing feature of the data model of structurally object-oriented database systems are complex objects. Complex objects are nested and can overlap, i.e. they can share components. Arbitrary complex objects should be units of access control. Shared components cause particular problems because the objects in which they are contained might have contradicting access rights. This problem is solved by introducing certain constraints on the way in which access rights can be granted or denied. A second major problem results from the organization of development projects which use design environments: typically, this is a hierarchy of nested groups. Our concept is group-oriented in the sense that it supports such subgroup hierarchies. Two different interpretations of a subgroup structure, termed group paradigms, are supported. Under one paradigm, a group is used to give several users the same rights, whereas under the other paradigm a group has the set of rights which corresponds to the task of the group. Two final noteworthy features of our concept are that it employs a 4-valued logic which supports explicit denials of access and that it makes provision for distribution of the database.