Authorization
Authorization in
Object-oriented Databases
Anna Vapen
David Hall
December 2008
• ”the permission or power given to sb to do sth:
enter a security area without authorization”
Oxford Advanced Learner's Dictionary
• authorization is the concept of allowing access to
resources only to those permitted to use them.
“Authorization.” Wikipedia, The Free Encyc
Real world example
Real world example
Manager
Roles: Manager, researcher, PR person, employee
Manager
Documents
Researcher
Strategic documents
Secret
Can read/write any document
Research
S1
S2
Can read public PR-material and
read/write research material
Researcher
R1
R2
PR
PR
Employee
PR material
Public PR material
Employee
P1
Future ads
P2
Can read/write public PR material and
non-public PR material (work in progress)
Can only read public PR material
Object orientation
Authorization model in relational DBs
• Coarse-grained
• Units of authorization:
– Relation (record)
– Attribute (field)
•
•
•
•
Classes (composite*)
Objects
Inheritance
Versions
* leads to class-composition hierarchy
F1
F2
Objects
•
•
•
•
Class-composition
Unique id.
State (values of attributes)
Behavior (methods)
Instance of a class (may be a primitive)
Rim
Car
Tire
Composite class
Inheritance
Station
wagon
Boat
Sedan
• Authorize users to call methods within a class.
• Also must check any operations performed by
the method (e.g. reading/writing attribute
values)
Car
Amphibious
vehicle
Component classes
Methods
• Class hierarchy (single inheritance)
• Class lattice (multiple inheritance)
Car
Wheel
Sedan
Instances
• Want to read all instances of a class except
one or a few?
Employee
• Employees shouldn’t be able to see future
ads.
Database granularity hierarchy
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Basic authorization concepts
• (s,o,a)
s∈S
o∈O
a∈A
F: S×O×A →(True, false)
• Subject (an user or group of users)
• Authorization object (single object, group of
objects, entire database)
• Authorization type (read, update, create, …)
Role lattice
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
grants
Object lattice
Type lattice
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Implicit authorization
•
•
•
•
Rabitti, Woelk, Kim 1988
Rabitti, Bertino, Woelk, Kim 1991
Explicit setting <s,o,a> triplets
The rest of <s,o,a> combinations are implicitly
defined
Implicit authorization
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Weak authorization
Strong authorization
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Implicit authorization
• Pros:
– No need to store all combinations
– No need to set all combinations
• Cons:
– Sometimes hard to grasp why a specific
authorization is determined as it is
– Conflicts
– Computational overhead
Positive/negative authorization
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Applied real world example
Applied real world example
Researcher: Can read public PR-material and read/write research material
Manager: Can read/write any document
Documents
Strategic
Secret
Documents
Strategic
PR material
Research
Secret
Public PR material
Explicit, strong, positive auth
PR material
Research
Public PR material
Future ads
Future ads
Explicit, strong, negative auth
Implicit, strong, negative auth
Explicit, weak, positive auth
Implicit, weak, positive auth
Implicit, strong, positive auth
Applied real world example
PR person: Can read/write public PR material and non-public PR material
Applied real world example
Employee: Can only read public PR material
Documents
Strategic
Documents
Strategic
PR material
Secret
Research
Secret
Public PR material
PR material
Research
Future ads
Explicit, strong, negative auth
Implicit, strong, negative auth
Explicit, weak, positive auth
Implicit, weak, positive auth
Public PR material
Future ads
Explicit, strong, negative auth
Implicit, weak, positive auth
Explicit, weak, negative auth
Implicit, weak, negative auth
Explicit, weak, positive auth
Alternatives
• Access policies implemented by methods
– Guard functions and proxy functions
– Method implementor and method principal
• Media access control (MAC)
– Single-level models
– Multilevel models
Versions
Object lattice for versions of objects
Rabitti, F., Bertino, E., Kim, W., Woelk, D. 1991
Discuss
• Papers:
1. Franzoni, S; Mazzoleni, P; Valtolina, S; Bertino,
E., Towards a Fine-Grained Access Control Model
and Mechanisms for Semantic Databases
2. Jajodia, R.; Samarati, P.; Subrahmanian, V. S.;
Bertino, E., A Unified Framework for Enforcing
Multiple Access Control Policies
3. Bertino, E.; Bettini, C.; Ferrari, E.; Samarati, P., A
Temporal Access Control Mechanism for
Database Systems
Discuss
• Questions:
– What problem are they trying to solve?
– What solution do they suggest?
– What are the limitations of this solution?
Exercise scenario
Exercise scenario
In this scenario there is a bank where there are
employees and a manager. The bank has
several customers that have one or several
accounts each. There are two types of
accounts: savings accounts and fund
accounts. A savings account can be either a
salary account or a long-time savings
account, while a fund account can be equity
fund account or a fixed-income fund account.
Every sub-type of account has an interest that
can only be changed by the manager.
Customers can withdraw money from their
salary account and see their account balance
on any of their accounts.
Exercise scenario
Exercise tasks
The employees at the bank can see the account
balance of the customers and they can also
open and close accounts, but opening and
closing of accounts (together with viewing of
the balance done by the employees on other
accounts than their own) can only be done
between 9 and 15 Monday to Friday.
1. Draw a graph that shows the different
account types, their variables and methods.
Show the access rights for a manager, an
employee and a customer by marking explicit
/ implicit, weak / strong and positive /
negative authorization in the graph.
2. Draw a role lattice showing shared and nonshared rights of managers, employees and
customers.