The benefits of providing access control with groups of users rather than with individuals as the unit of granularity are well known. These benefits are enhanced if the groups are organized in a subgroup partial order. A class of such partial orders, called ntrees, is defined by using a forest of rooted trees or inverted rooted trees as basic partial orders and combining these by refinement. Refinement explodes an existing group into a partially ordered ntree of new groups while maintaining the same relationship between each new group and the nonexploded groups that the exploded group had. Examples are discussed to show the practical significance of ntrees and the refinement operation. It is shown that ntrees can be represented by assigning a pair of integers called lr-values to each group so that g is a subgroup of h if and only if l[g] ≤ l[h] and r[g] ≤ r[h]. Refinement allows a complex ntree to be developed incrementally in a top-down manner and is useful for the initial definition of an ntree as well as for subsequent modifications. To make the latter use of refinement practical, a method is presented for assigning lr-values to the new groups introduced by refinement so lr-values assigned to nonexploded groups need not be changed. It is also shown how to guarantee that the lr-values of the exploded group will get assigned to one of the new groups.
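The lr-value test described above can be seen on the simplest base case, a forest of rooted trees in which each child is a subgroup of its parent. The following is an added example, not code or an algorithm from the paper: it assumes one valid assignment (l from a children-first traversal, r from the same traversal with sibling order reversed), uses constructed group names, and does not cover refinement.

```python
from itertools import product

# Constructed sample forest: parent -> children; a child is a subgroup of its parent.
FOREST = {
    "staff": ["eng", "ops"],
    "eng": ["eng-web", "eng-db"],
    "ops": ["ops-oncall"],
    "guests": ["contractors"],
}

def roots(forest):
    children = {c for kids in forest.values() for c in kids}
    return [g for g in forest if g not in children]

def postorder(forest, reverse):
    """List groups children-before-parent; `reverse` flips sibling order."""
    order = []
    def visit(g):
        kids = forest.get(g, [])
        for c in (reversed(kids) if reverse else kids):
            visit(c)
        order.append(g)
    top = roots(forest)
    for r in (reversed(top) if reverse else top):
        visit(r)
    return order

def assign_lr(forest):
    """Assumed assignment: l and r are positions in two opposite traversals."""
    l = {g: i for i, g in enumerate(postorder(forest, False), 1)}
    r = {g: i for i, g in enumerate(postorder(forest, True), 1)}
    return {g: (l[g], r[g]) for g in l}

def is_subgroup(lr, g, h):
    """The test from the text: l[g] <= l[h] and r[g] <= r[h]."""
    return lr[g][0] <= lr[h][0] and lr[g][1] <= lr[h][1]

def is_descendant(forest, g, h):
    """Reference answer by walking the tree: g is h or lies below h."""
    return g == h or any(is_descendant(forest, g, c) for c in forest.get(h, []))

def verify(forest):
    """True if the integer test agrees with the tree for every pair of groups."""
    lr = assign_lr(forest)
    return all(is_subgroup(lr, g, h) == is_descendant(forest, g, h)
               for g, h in product(lr, repeat=2))
```

Sibling groups such as eng-web and eng-db come out incomparable because the two traversals order them oppositely, so an access check needs only two integer comparisons per group pair.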