Databases Reference
In-Depth Information
that a subject can access a given object only if another subject has an
explicit denial to access it.
Moreover, different models use different propagation policies, that is, they
make different choices with respect to whether or how the authorizations
propagate along the hierarchies. For instance, consider a model in which
roles are hierarchically organized and let r be a generic role. The propagation
policy must determine which authorizations granted to r propagate to roles
connected to r through the role hierarchy. The most common approaches are
the following.
· A positive authorization given to a role r propagates to all the roles
  preceding r in the role hierarchy.
· A negative authorization given to a role r propagates to all the roles
  following r in the role hierarchy.
In some models privileges also are hierarchically organized, and that
hierarchy is used to derive new authorizations, according to propagation rules
similar to those illustrated for the role hierarchy. By contrast, for the group
hierarchy, the most common approach is that an authorization given to a
group propagates to all the members of the group. A similar approach is
usually applied to the object hierarchy. In models that support both positive and
negative authorizations and implicit and explicit authorizations, the
propagation policy should also state what happens in case a subject holds an explicit
authorization that conflicts with the propagated authorizations. The most
common approaches are:
· No overriding. All the authorizations are propagated (regardless of
  the presence of other conflicting authorizations). Conflicts among
  authorizations are solved according to one of the conflict resolution
  policies previously explained.
· Most specific overrides. The most specific authorizations (with respect
  to the defined hierarchies) prevail.
Finally, when the model supports several hierarchies, the derivation policy
should also take into account the interactions among the hierarchies. The
most common approach is to establish a priority among the hierarchies.
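The role-hierarchy propagation rules and the two overriding policies described above can be traced with a short sketch, added here as an illustration and not taken from the original text. The role names, the sample grants, the reading of "preceding" as senior and "following" as junior, and the use of hierarchy distance as the measure of specificity are all assumptions.

```python
from collections import deque

# Constructed hierarchy: each role maps to its immediate junior roles.
# Assumption: a role "precedes" its juniors and "follows" its seniors.
JUNIORS = {"director": ["manager"], "manager": ["clerk", "auditor"],
           "clerk": ["intern"], "auditor": [], "intern": []}
SENIORS = {r: [s for s, js in JUNIORS.items() if r in js] for r in JUNIORS}

# Constructed explicit authorizations for one (object, privilege) pair.
EXPLICIT = {"clerk": "+", "director": "-"}

def distances(start, edges):
    """Breadth-first distance from start to every role reachable along edges."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in edges[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def derive(role, most_specific_overrides=False):
    """Return the set of signs that hold for role after propagation."""
    found = []  # (distance from the role holding the explicit grant, sign)
    # A "+" on the role itself or on any of its juniors propagates up to it.
    for src, d in distances(role, JUNIORS).items():
        if EXPLICIT.get(src) == "+":
            found.append((d, "+"))
    # A "-" on the role itself or on any of its seniors propagates down to it.
    for src, d in distances(role, SENIORS).items():
        if EXPLICIT.get(src) == "-":
            found.append((d, "-"))
    if most_specific_overrides and found:
        # Assumption: the closest granting role is the most specific one.
        nearest = min(d for d, _ in found)
        found = [f for f in found if f[0] == nearest]
    # Two signs in the result mean a conflict resolution policy is still needed.
    return {sign for _, sign in found}

if __name__ == "__main__":
    for r in JUNIORS:
        print(r, sorted(derive(r)), sorted(derive(r, most_specific_overrides=True)))
```

For the role `manager` both grants are equally distant, so even under "most specific overrides" the conflict remains and has to be settled by a separate conflict resolution policy.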