论文信息 - An authorization mechanism for a relational database system

An authorization mechanism for a relational database system

A multiuser database system must selectively permit users to share data, while retaining the ability to restrict data access. There must be a mechanism to provide protection and security, permitting information to be accessed only by properly authorized users. Further, when tables or restricted views of tables are created and destroyed dynamically, the granting, authentication, and revocation of authorization to use them must also be dynamic. Each of these issues and their solutions in the context of the relational database management system System R are discussed. When a database user creates a table, he is fully and solely authorized to perform upon it actions such as read, insert, update, and delete. He may explicitly grant to any other user any or all of his privileges on the table. In addition he may specify that that user is authorized to further grant these privileges to still other users. The result is a directed graph of granted privileges originating from the table creator. At some later time a user A may revoke some or all of the privileges which he previously granted to another user B. This action usually revokes the entire subgraph of the grants originating from A's grant to B. It may be, however, that B will still possess the revoked privileges by means of a grant from another user C, and therefore some or all of B's grants should not be revoked. This problem is discussed in detail, and an algorithm for detecting exactly which of B's grants should be revoked is presented.

Bradford W. Wade | Patricia P. Griffiths | B. W. Wade

[1] Donald D. Chamberlin,et al. SEQUEL: A structured English query language , 1974, SIGFIDET '74.

[2] E. F. Codd,et al. A data base sublanguage founded on the relational calculus , 1971, SIGFIDET '71.

[3] E. F. Codd,et al. Relational Completeness of Data Base Sublanguages , 1972, Research Report / RJ / IBM / San Jose, California.

[4] Peter J. Denning,et al. Protection: principles and practice , 1972, AFIPS '72 (Spring).

[5] Anita K. Jones,et al. Protection in programmed systems. , 1973 .

[6] Michael Stonebraker,et al. Access control in a relational data base management system by query modification , 1974, ACM '74.

[7] Irving L. Traiger,et al. Views, authorization, and locking in a relational data base system , 1975, AFIPS '75.

[8] Irving L. Traiger,et al. System R: relational approach to database management , 1976, TODS.

[9] David D. Redell,et al. NAMING AND PROTECTION IN EXTENDABLE OPERATING SYSTEMS , 1974 .

[10] Donald D. Chamberlin,et al. Using a Structured English Query Language as a Data Definition Facility , 1973, Research Report / RJ / IBM / San Jose, California.

[11] E. F. Codd,et al. Further Normalization of the Data Base Relational Model , 1971, Research Report / RJ / IBM / San Jose, California.

[12] E. F. Codd,et al. Recent Investigations in Relational Data Base Systems , 1974, ACM Pacific.

[13] R. C. Owens. PRIMARY ACCESS CONTROL IN LARGE-SCALE TIME-SHARED DECISION SYSTEMS , 1971 .