Abstract
A multiuser database system must selectively permit users to share data, while retaining the ability to restrict data access. There must be a mechanism to provide protection and security, permitting information to be accessed only by properly authorized users. Further, when tables or restricted views of tables are created and destroyed dynamically, the granting, authentication, and revocation of authorization to use them must also be dynamic. Each of these issues and their solutions in the context of the relational database management system System R are discussed.
When a database user creates a table, he is fully and solely authorized to perform upon it actions such as read, insert, update, and delete. He may explicitly grant to any other user any or all of his privileges on the table. In addition he may specify that that user is authorized to further grant these privileges to still other users. The result is a directed graph of granted privileges originating from the table creator.
At some later time a user A may revoke some or all of the privileges which he previously granted to another user B. This action usually revokes the entire subgraph of the grants originating from A's grant to B. It may be, however, that B will still possess the revoked privileges by means of a grant from another user C, and therefore some or all of B's grants should not be revoked. This problem is discussed in detail, and an algorithm for detecting exactly which of B's grants should be revoked is presented.
- 1 ASTRAHAN, M.M., ~T AL. System R' Relational approach to "database management. ACM Trans. on Database Systems 1, 2 (June 1976), pp. 97-137. Google ScholarDigital Library
- 2 BOYCE, R.F., AND CHAMBERLIN, D.D. Using a structured English query language as a data definition facility. Res. Rep. RJ1318, IBM Research Laboratory, San jose, Calif., Dec. 10, 1973.Google Scholar
- 3 CrlAMB~.RLIN, D.D., AND BOYCE, R.F. SEQUEL: A structured English query language. Proc. ACM:-SIGMOD Workshop on Data Description, Access, and Control, Ann Arbor, Mich., May 1-3, 1974, pp. 249-264. Google ScholarDigital Library
- 4 CHAMBERLIN, D.D., GrtAv, J.N., AND TRAIGER, I.L. Views, authorization, and locking in a relational data base system. Proc. AFIPS 1975 NCC, Vol. 44, AFIPS Press, Montvale, N.J., pp. 425-430.Google Scholar
- 5 CODD, E.F. A relational model of data for large shared data banks. Comm. ACM 13, 6 (June 1970), 377-387. Google ScholarDigital Library
- 6 CODD, E.F. A data base sublanguage founded on the relational calculus. Proc. 1971 ACM- SIGFIDET Workshop on Data Description, Access, and Control, San Diego, Calif., Nov. 11-12, 1971, pp. 35-68.Google ScholarDigital Library
- 7 Corn), E.F. Further normalization of the data base relational model, in Courant Computer Science Symposium, Vol. 6: Data Base Systems, R. Rustin, Ed., Prentice-Hall, Englewood Cliffs, N.J., 1971, pp. 33-64.Google Scholar
- 8 CODD, E.F. Relational completeness of data base sublanguages. In Courant Computer Science Symposium, Vol. 6: Data Base Systems, R. Rustin, Ed., Prentice-Hall, Englewood Cliffs, N.J., 1971, pp. 65-98.Google Scholar
- 9 CODD, E.F. Recent investigations in relational data base systems. Proc. IFIP Congr. 1974, North-Holland Pub. Co., Amsterdam, pp. 1017-1021.Google Scholar
- 10 DATE, C.J. An Introduction to Data Base Systems. Addison-Wesley, Reading, Mass., 1975. Google ScholarDigital Library
- 11 GRAHAM, G.S., AND DENNING, P.J. Protection--principles and practice. Proc. AFIPS 1972 SJCC, Vol. 40, AFIPS Press, Montvale, N.J., pp. 417-429.Google Scholar
- 12 JONES, A.K. Protection in programmed systems. Ph.D. th., Carnegie-Mellon U., Pittsburgh, Pa., 1973. Google ScholarDigital Library
- 13 LAMPSON, B.W. Protection. Proc. Fifth Annual Princeton Conf., Princeton U., Princeton, N.J., March 1971, pp. 437-443.Google Scholar
- 14 MINSKY, N. Protection of data-bases and the process of user data-base interaction. Tech. Rep. SOSAP-TR-11, Rutgers U., New Brunswick, N.J., Sept. 1974.Google Scholar
- 15 OWENS, R.C., JR. Primary access control in large-scale time-shared decision systems. Tech. Rep. TR-89, Project MAC, M.I.T., Cambridge, Mass., July 1971. Google ScholarDigital Library
- 16 REDELL, D.D. Naming and protection in extendible operating systems. Ph.D. th., U. of California, Berkeley, Calif., Sept. 1974.Google Scholar
- 17 STONEBRAKER, M.R., hnD WONG, E. Access control in a relational data base management system by query modification. Memo No. ERL-M438, Electronics Research Lab., U. of California, Berkeley, Calif., May 1974.Google Scholar
- 18 SUMMERS, R.C., COLEMAN, C.D., AND FERNANDEZ, E.B. A programming language approach to secure data base access. Tech. Rep. G320-2662, IBM Los Angeles Scientific Center, May 1974.Google Scholar
Index Terms
- An authorization mechanism for a relational database system
Recommendations
On an authorization mechanism
Griffiths and Wade (ACM Trans. Database Syst. 1,3, (Sept. 1976), 242-255) have defined a dynamic authorization mechanism that goes beyond the traditional password approach. A database user can grant or revoke privileges (such as to read, insert, or ...
An Extended Authorization Model for Relational Databases
We propose two extensions to the authorization model for relational databases defined originally by Griffiths and Wade. The first extension concerns a new type of revoke operation, called noncascading revoke operation. The original model contains a ...
A flexible authorization mechanism for relational data management systems
In this article, we present an authorization model that can be used to express a number of discretionary access control policies for relational data management systems. The model permits both positive and negative authorizations and supports exceptions ...
Comments