Databases Reference
In-Depth Information
11.3.1.1 The System R Authorization Model
In the System R authorization model, objects to be protected are represented
by tables and views on which subjects can exercise several privileges. Privi-
leges supported by the model include select, to select tuples from a table,
update, to modify tuples in a table, insert and delete, to add and delete tuples
from a table, and drop, to delete an entire table. Groups and roles are not
supported. The System R authorization model supports decentralized
administration facilities. Whenever a subject creates a table, it receives the
own privilege on it. The owner of a table can exercise all the privileges on the
table as well as grant or revoke other subjects all the privileges (except drop)
on the table. Moreover, the owner can grant authorizations with the grant
option. If a subject owns an authorization for a privilege on a table with the
grant option, it can grant the privilege, as well as the grant option, to other
subjects.
The System R authorization model enforces recursive revocation:
Whenever a subject revokes an authorization on a table from another user,
all the authorizations that the revokee had granted because of the revoked
authorization are removed. The revocation is iteratively applied to all the
subjects that received the access authorization from the revokee.
11.3.1.2 Extensions to the System R Authorization Model
The System R authorization model has been extended in several directions,
which is graphically illustrated in Figure 11.3. Wilms and Lindsay [8] have
extended it to deal with group management capabilities. In the model of
Wilms and Lindsay, authorizations can be granted to groups of users, as well
as to single users. Authorizations granted to groups apply to all the members
of the group. Moreover, in [8] the System R authorization model has been
extended for the distributed DBMS System R
*
. Bertino and Haas [9] further
extended the System R
authorization model to deal with distributed views.
Additional extensions to the System R authorization model have been
proposed by Bertino et al. in [10]. The first extension concerns a new type of
revoke operation, called noncascading revocation: Whenever a subject revokes
a privilege on a table to another subject, all the authorizations the subject
may have granted by using the privilege received by the revoker are restated
as if they had been granted by the revoker. Then the cascading revocation
is applied to the resulting state. The second extension concerns negative
authorizations. The authorization mechanism of System R, like those of
most DBMSs, does not allow explicit denials to be expressed. The second
extension proposed in [10] concerns the support for negative authorizations.
*
