Supporting multiple access control policies in database systems

Although there are several choices of policies for protection of information, access control models have been developed for a fixed set pre-defined access control policies that are then built into the corresponding access control mechanisms. This becomes a problem, however, if the access control requirements of an application are different from the policies built into a mechanism. In most cases, the only solution is to enforce the requirements as part of the application code, but this makes verification, modification, and adequate enforcement of these policies impossible. In this paper, we propose a flexible authorization mechanism that can support different security policies. The mechanism enforces a general authorization model onto which multiple access control policies can be mapped. The model permits negative and positive authorizations, authorizations that must be strongly obeyed and authorizations that allow for exceptions, and enforces ownership together with delegation of administrative privileges.

[1]  Elisa Bertino,et al.  Access Control in Object-Oriented Database Systems - Some Approaches and Issues , 1993, Advanced Database Systems.

[2]  Gio Wiederhold,et al.  Mediators in the architecture of future information systems , 1992, Computer.

[3]  Dorothy E. Denning,et al.  Cryptography and Data Security , 1982 .

[4]  P. Samarati,et al.  Access control: principle and practice , 1994, IEEE Communications Magazine.

[5]  R.W. Baldwin,et al.  Naming and grouping privileges to simplify security management in large databases , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[6]  Ronald Fagin,et al.  On an authorization mechanism , 1978, TODS.

[7]  Prasun Dewan,et al.  Access control for collaborative environments , 1992, CSCW '92.

[8]  John E. Dobson,et al.  A framework for expressing models of security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[9]  Bruce G. Lindsay,et al.  A Database Authorization Mechanism Supporting Individual and Group Authorization , 1981, DDSS.

[10]  Elisa Bertino,et al.  Authorizations in relational database management systems , 1993, CCS '93.

[11]  Hans Hermann Brüggemann,et al.  Rights in an Object-Oriented Environment , 1991, DBSec.

[12]  David Elliott Bell,et al.  Modeling the "Multipolicy Machine" , 1994, Proceedings New Security Paradigms Workshop.

[13]  Teresa F. Lunt,et al.  Access Control Policies for Database Systems , 1988, DBSec.

[14]  Sarit Kraus,et al.  Foundations of Secure Deductive Databases , 1995, IEEE Trans. Knowl. Data Eng..

[15]  Elisa Bertino,et al.  A model of authorization for next-generation database systems , 1991, TODS.

[16]  Bradford W. Wade,et al.  An authorization mechanism for a relational database system , 1976, TODS.

[17]  Eduardo B. Fernandez,et al.  Database Security and Integrity , 1981 .

[18]  Elisa Bertino,et al.  An Extended Authorization Model for Relational Databases , 1997, IEEE Trans. Knowl. Data Eng..

[19]  Klaus R. Dittrich,et al.  Argos - A Configurable Access Control System for Interoperable Environments , 1995, DBSec.

[20]  R. Sandhu,et al.  Access control: principles and practice , 1994, IEEE Commun. Mag..

[21]  Mahadev Satyanarayanan,et al.  Integrating security in a large distributed system , 1989, TOCS.

[22]  Ehud Gudes,et al.  A Model of Methods Access Authorization in Object-oriented Databases , 1993, VLDB.