An Extended Authorization Model for Relational Databases

We propose two extensions to the authorization model for relational databases defined originally by P.G. Griffiths and B. Wade (1976). The first extension concerns a new type of revoke operation, called noncascading revoke operation. The original model contains a single, cascading revoke operation, meaning that when a privilege is revoked from a user, a recursive revocation takes place that deletes all authorizations granted by this user that do not have other supporting authorizations. The new type of revocation avoids the recursive revocation of authorizations. The second extension concerns negative authorization which permits specification of explicit denial for a user to access an object under a particular mode. We also address the management of views and groups with respect to the proposed extensions.
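As an added illustration, not code from the paper, the following Python models the two extensions on a small authorization graph: grants with grant option, the original cascading revoke (drop every grant left without support), the proposed noncascading revoke, and negative authorizations. The class and function names are hypothetical, and three points the abstract does not specify are assumptions of this example: support is judged without Griffiths-Wade timestamps, a noncascading revoke re-attributes the revokee's dependent grants to the revoker, and an explicit denial overrides any positive grant.

```python
from collections import namedtuple

Grant = namedtuple("Grant", "grantor grantee obj mode grant_option")  # one positive authorization

class AuthModel:
    def __init__(self, owners):
        self.owners = owners   # obj -> owner; the owner needs no grant
        self.grants = []       # positive authorizations
        self.denials = set()   # (user, obj, mode) negative authorizations
    def _can_grant(self, user, obj, mode, seen=frozenset()):
        # Simplified support rule (no timestamps): the grantor must hold the privilege
        # with grant option along a chain that leads back to the owner.
        if self.owners.get(obj) == user:
            return True
        seen = seen | {user}   # guards against grant cycles
        return any(g.grantee == user and (g.obj, g.mode) == (obj, mode) and g.grant_option
                   and g.grantor not in seen and self._can_grant(g.grantor, obj, mode, seen)
                   for g in self.grants)
    def grant(self, grantor, grantee, obj, mode, grant_option=False):
        if not self._can_grant(grantor, obj, mode):
            raise PermissionError(f"{grantor} may not grant {mode} on {obj}")
        self.grants.append(Grant(grantor, grantee, obj, mode, grant_option))
    def deny(self, user, obj, mode):          # negative authorization: explicit denial
        self.denials.add((user, obj, mode))

    def check(self, user, obj, mode):
        if (user, obj, mode) in self.denials:  # assumption: a denial overrides any grant
            return False
        return self.owners.get(obj) == user or any(
            g.grantee == user and (g.obj, g.mode) == (obj, mode)
            and self._can_grant(g.grantor, obj, mode) for g in self.grants)

    def revoke(self, revoker, revokee, obj, mode, cascade=True):
        self.grants = [g for g in self.grants
                       if (g.grantor, g.grantee, g.obj, g.mode) != (revoker, revokee, obj, mode)]
        if cascade:  # original model: recursively drop every grant left without support
            while any(not self._can_grant(g.grantor, g.obj, g.mode) for g in self.grants):
                self.grants = [g for g in self.grants if self._can_grant(g.grantor, g.obj, g.mode)]
        elif not self._can_grant(revokee, obj, mode):
            # Assumption: the noncascading revoke re-attributes the revokee's grants on this
            # object/mode to the revoker, so nothing further is recursively revoked.
            self.grants = [Grant(revoker, g.grantee, g.obj, g.mode, g.grant_option)
                           if (g.grantor, g.obj, g.mode) == (revokee, obj, mode) else g
                           for g in self.grants]

def demo(cascade):
    m = AuthModel(owners={"Emp": "owner"})  # constructed sample data
    m.grant("owner", "ann", "Emp", "SELECT", grant_option=True)
    m.grant("ann", "bob", "Emp", "SELECT", grant_option=True)
    m.grant("bob", "cid", "Emp", "SELECT")
    m.revoke("owner", "ann", "Emp", "SELECT", cascade=cascade)
    return {u: m.check(u, "Emp", "SELECT") for u in ("ann", "bob", "cid")}
```

With the cascading revoke the chain owner -> ann -> bob -> cid collapses entirely; with the noncascading one only ann loses access.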

[1] R. Sandhu et al. Access control: principles and practice. IEEE Communications Magazine, 1994.

[2] Irving L. Traiger et al. A history and evaluation of System R. CACM, 1981.

[3] Rom Langerak et al. View updates in relational databases with an independent scheme. TODS, 1990.

[4] Ehud Gudes et al. A Model of Methods Access Authorization in Object-oriented Databases. VLDB, 1993.

[5] R.W. Baldwin et al. Naming and grouping privileges to simplify security management in large databases. Proceedings, 1990 IEEE Computer Society Symposium on Research in Security and Privacy, 1990.

[6] Elisa Bertino et al. Views and Security in Distributed Database Management Systems. EDBT, 1988.

[7] Teresa F. Lunt et al. Access Control Policies for Database Systems. DBSec, 1988.

[8] Ronald Fagin et al. On an authorization mechanism. TODS, 1978.

[9] Irving L. Traiger et al. System R: relational approach to database management. TODS, 1976.

[10] Bruce G. Lindsay et al. A Database Authorization Mechanism Supporting Individual and Group Authorization. DDSS, 1981.

[11] Bradford W. Wade et al. An authorization mechanism for a relational database system. TODS, 1976.

[12] P. Samarati et al. Access control: principle and practice. IEEE Communications Magazine, 1994.

[13] Elisa Bertino et al. A model of authorization for next-generation database systems. TODS, 1991.

[14] Elisa Bertino et al. A temporal authorization model. CCS '94, 1994.

[15] Nicolas Spyratos et al. Update semantics of relational views. TODS, 1981.

[16] Gottfried Vossen et al. Update and retrieval in a relational database through a universal schema interface. TODS, 1988.

[17] Mahadev Satyanarayanan et al. Integrating security in a large distributed system. TOCS, 1989.