Databases Reference
In-Depth Information
manage different parts of the DB), and it is seldom used in current
DBMSs except in the simplest systems.
· Object-owner administration. Under this policy, which is commonly
adopted by DBMSs and operating systems, the creator of the object
is the owner of the object and is the only one authorized to
administer the object.
· Object curator administration. Under this policy, a subject, not
necessarily the creator of the object, is named administrator of the
object. Under such a policy, even the object creator must be explicitly
authorized to access the object.
The second and third administration policies listed above can be further
combined with administration delegation and administration transfer. Those
two options are not mutually exclusive. Administration delegation means
that the administrator of an object can delegate the administration
function on the object to other subjects. Delegation can be specified for
selected privileges, for example, for only read operations. In most cases,
delegation of administration to another subject also implies granting the
subject the privilege of accessing the object according to the same
privilege specified in the delegation. Most current DBMSs support the
administration policy based on owner administration with delegation. Note
that, under the delegation approach, the initial administrator of the
object does not lose his or her privilege to administer the object.
Therefore, different administrators can grant authorizations on the same
object.
Administration transfer, like delegation, has the effect of giving another
subject the right to administer a certain object. However, the original
administrator loses his or her administration privileges. When dealing with
transfer, an important question concerns the authorizations granted by the
former administrator. The following two approaches can be adopted:
· Recursive revoke. All authorizations granted by the former
administrator are recursively revoked.
· Grantor transfer. All authorizations granted by the former
administrator are kept; however, the new administrator replaces the old
one as grantor of the authorizations (and is able to revoke them).
The grantor transfer is not recursive. Therefore, if the older
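The two transfer approaches above, modelled on a small grant graph. This is an added Python example, not code from the original text; the class, the subject names and the `delegable` flag (delegation of a selected privilege together with access) are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class Auth:
    grantor: str
    grantee: str
    privilege: str
    delegable: bool = False  # assumption: grantee may grant this privilege onward

@dataclass
class AdministeredObject:
    admin: str
    auths: set = field(default_factory=set)

    def can_grant(self, subject, privilege, auths=None):
        return subject == self.admin or any(
            a.grantee == subject and a.privilege == privilege and a.delegable
            for a in (self.auths if auths is None else auths))

    def grant(self, grantor, grantee, privilege, delegable=False):
        if not self.can_grant(grantor, privilege):
            raise PermissionError(f"{grantor} may not grant {privilege}")
        self.auths.add(Auth(grantor, grantee, privilege, delegable))

    def _prune(self):
        # Keep only authorizations whose grantor chain starts at the current admin.
        kept, size = set(), -1
        while len(kept) != size:
            size = len(kept)
            kept |= {a for a in self.auths - kept
                     if self.can_grant(a.grantor, a.privilege, kept)}
        self.auths = kept

    def transfer(self, new_admin, recursive_revoke):
        old, self.admin = self.admin, new_admin  # old admin loses administration
        if recursive_revoke:
            self.auths = {a for a in self.auths if a.grantor != old}
            self._prune()  # cascade to grants that depended on the removed ones
        else:  # grantor transfer: relabel only grants issued directly by `old`
            self.auths = {replace(a, grantor=new_admin) if a.grantor == old else a
                          for a in self.auths}

def demo(recursive_revoke):
    obj = AdministeredObject("alice")  # constructed subjects and privileges
    obj.grant("alice", "bob", "read", delegable=True)  # delegation, read only
    obj.grant("bob", "carol", "read")
    obj.grant("alice", "dave", "write")
    obj.transfer("erin", recursive_revoke)
    return obj, sorted((a.grantor, a.grantee, a.privilege) for a in obj.auths)
```

With recursive revoke nothing survives the transfer; with grantor transfer the new administrator becomes grantor of the two direct grants, while the grant issued by the delegate keeps its original grantor.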