First European Symposium On Research In Computer Security (ESORICS 90)
Group-Oriented Discretionary Access Controls for Distributed Structurally Object-Oriented Database Systems
Udo Kelter
Keywords : discretionary access controls, object-oriented databases, distributed databases, complex objects, shared objects, hierarchical groups, group paradigms, denial of access
Abstract : Structurally object-oriented database systems are a new class of dedicated data storage systems which are intended to be a basis of CAD, CASE, and other design environments which shall support large development teams. This paper presents a concept for discretionary access controls for structurally object-oriented database systems. It addresses two particular problems: Structurally object-oriented database systems contain complex objects. Complex objects are nested and can overlap. Arbitrary complex objects should be units of access control. Overlapping objects cause particular problems because they might have contradicting access rights. This problem is solved by introducing certain constraints on the way in which access rights of components of an object can be granted or denied. Development projects which use design environments are typically organized as a hierarchy of nested groups. Our concept is group-oriented in the sense that it supports such subgroup hierarchies. Two different interpretations of a subgroup structure, termed group paradigms, are supported. Under one paradigm, a group is used to give several users the same rights, whereas under the other paradigm a group has the set of rights which corresponds to the task of the group. Two final noteworthy features of our concept are that it employs a 4-valued logic which supports explicit denials of access and that if makes provision for distribution of the database.
(Pages 23-33)