research on authorization models for ODBMSs is still in its early stages.
Indeed, although several proposals exist [17–23], of the existing ODBMSs,
only Orion [23] and Iris [17] have an authorization model comparable to
those of relational DBMSs.
11.3.2.1 The Orion Authorization Model
The Orion authorization model [17] supports positive and negative
authorizations, as well as weak and strong authorizations. Strong authorizations
always have higher priority than weak authorizations. Authorizations are
granted to roles instead of to single users, and a user is authorized to exercise
a privilege on an object if there exists a role possessing the authorization
and the user is authorized to play such a role. Roles, objects, and privileges are
organized into hierarchies to which a set of propagation rules applies.
Propagation rules allow the derivation of implicit authorizations, according to the
following criteria.
· If a role has an authorization to access an object, all the roles that
  precede it in the role hierarchy have the same authorization.
· If a role has a negative authorization to access an object, all the roles
  that follow it in the role hierarchy have the same negative authorization.
Similar propagation rules are defined for privileges. Finally, propagation
rules on objects allow authorizations on an object to be derived from the
authorizations on objects semantically related to it. For example, the
authorization to read a class implies the authorization to read all its instances.
A consistency condition is defined on propagation rules, which requires
that, given a weak or a strong authorization, the application of the
propagation rules supported by the model to the authorization does not generate
conflicting authorizations. Moreover, a further property is required: For any
weak authorization (either positive or negative), there must not exist a strong
conflicting authorization. The system ensures that this property is always
satisfied. In particular, if the insertion of a weak authorization would not satisfy
the above property, it is rejected. By contrast, if the insertion of a strong
authorization would not satisfy the property, the strong authorization is
inserted and all the weak authorizations causing the nonsatisfaction of the
property are removed.
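The role-hierarchy propagation and the weak/strong insertion rules described above, as an added Python example that is not Orion's code or the book's. The role names, the ORDER pairs, the AuthBase class and the deny result for mixed weak signs are assumptions made for illustration; the privilege and object hierarchies are not modeled.

```python
from itertools import product
# Constructed hierarchy as (earlier, later) pairs: admin precedes manager precedes clerk.
ORDER = [("admin", "manager"), ("manager", "clerk")]

def reach(role, edges):
    """Return role plus every role reachable from it through edges."""
    seen, todo = {role}, [role]
    while todo:
        cur = todo.pop()
        for a, b in edges:
            if a == cur and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen

def implied(auth):
    """Expand an explicit (role, obj, sign) into its implicit authorizations."""
    role, obj, sign = auth
    # Positive propagates to preceding roles, negative to following roles.
    edges = [(b, a) for a, b in ORDER] if sign == "+" else ORDER
    return {(r, obj, sign) for r in reach(role, edges)}

def conflicts(a, b):
    """True if propagation of a and b yields opposite signs for one (role, obj)."""
    return any((r1, o1) == (r2, o2) and s1 != s2
               for (r1, o1, s1), (r2, o2, s2) in product(implied(a), implied(b)))

class AuthBase:
    def __init__(self):
        self.strong, self.weak = set(), set()

    def add_weak(self, auth):
        if any(conflicts(auth, s) for s in self.strong):
            return False  # rejected: a conflicting strong authorization exists
        self.weak.add(auth)
        return True

    def add_strong(self, auth):
        # The strong authorization is inserted; conflicting weak ones are removed.
        self.weak = {w for w in self.weak if not conflicts(auth, w)}
        self.strong.add(auth)
        return True

    def check(self, role, obj):
        """Strong outranks weak; None means no authorization applies."""
        for store in (self.strong, self.weak):
            signs = {s for a in store for r, o, s in implied(a) if (r, o) == (role, obj)}
            if signs:
                return signs == {"+"}  # assumption: mixed signs resolve to deny
        return None
```
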