[Figure 3: user-group hierarchy with nodes Personnel, Administration, Medical, Nurse, Doctor, David, Ann, Bob, Carol]
Fig. 3. An example of user-group hierarchy
Abstractions. To simplify the authorization definition process, discretionary access control also supports user groups and classes of objects, which may themselves be hierarchically organized. Typically, authorizations specified on an abstraction propagate to all its members according to different propagation policies [7]. Figure 3 illustrates an example of user-group hierarchy. Here, for example, an authorization specified for the Nurse group applies also to Bob and Carol.
Exceptions. The definition of abstractions naturally leads to the need to support exceptions in authorization definition. Suppose, for example, that all users belonging to a group except u can access resource r. If exceptions were not supported, it would be necessary to associate an authorization with each user in the group except u, thereby losing the benefit of specifying the authorization on the group. This situation can be easily solved by supporting both positive and negative authorizations: the system would have a positive authorization for the group and a negative authorization for u.
The introduction of both positive and negative authorizations brings two problems: inconsistency, when conflicting authorizations are associated with the same element in a hierarchy; and incompleteness, when some accesses are neither authorized nor denied.
Incompleteness is usually easily solved by assuming a default policy, open or closed (the latter being more common), that applies wherever no authorization applies. In this case, an open policy allows the access, while a closed policy denies it.
To solve the inconsistency problem, different conflict resolution policies have been proposed [7, 8], such as:
- No conflict. The presence of a conflict is considered an error.
- Denials take precedence. Negative authorizations take precedence.
- Permissions take precedence. Positive authorizations take precedence.
- Nothing takes precedence. Conflicts remain unsolved.
- Most specific takes precedence. An authorization associated with an element n overrides a contradicting authorization (i.e., an authorization with the same subject, object, and action but with a different sign) associated with an ancestor of n for all the descendants of n. For instance, consider the user-group hierarchy in Fig. 3 and the autho-
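The following is an added illustration, not code from the paper: a small evaluator that propagates positive and negative authorizations down a user-group hierarchy, falls back to an open or closed default policy when no authorization applies (incompleteness), and applies one of the conflict resolution policies listed above when contradicting authorizations apply (inconsistency). The paper's Fig. 3 gives only the node names and the fact that Nurse contains Bob and Carol; the remaining edges in PARENTS, the authorizations in AUTHS, and the resource names r and s are constructed for the example.

```python
"""Hierarchical DAC with positive/negative authorizations (added example)."""
from collections import namedtuple

# Constructed user-group hierarchy, child -> parents. The paper's Fig. 3
# only names the nodes and states that Nurse covers Bob and Carol; the
# other edges are assumptions made for this example.
PARENTS = {
    "Personnel": [],
    "Administration": ["Personnel"],
    "Medical": ["Personnel"],
    "Nurse": ["Medical"],
    "Doctor": ["Medical"],
    "Bob": ["Nurse"],
    "Carol": ["Nurse", "Doctor"],
    "Ann": ["Doctor"],
    "David": ["Administration"],
}

# sign is +1 for a positive authorization, -1 for a negative one
Auth = namedtuple("Auth", "subject obj action sign")

# Constructed authorizations: Nurse may read r, except Bob (the "u" of the
# text); Medical may not write s, but Doctor may.
AUTHS = [
    Auth("Nurse", "r", "read", +1),
    Auth("Bob", "r", "read", -1),
    Auth("Medical", "s", "write", -1),
    Auth("Doctor", "s", "write", +1),
]


class Inconsistent(Exception):
    """Raised under the 'no conflict' policy when contradicting authorizations apply."""


def ancestors(node):
    """node itself plus every group above it: the elements whose authorizations propagate to node."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(PARENTS.get(n, []))
    return seen


def is_strict_ancestor(a, b):
    """True if group a lies strictly above b in the hierarchy."""
    return a != b and a in ancestors(b)


def decide(auths, subject, obj, action, policy="denials", most_specific=False, default="closed"):
    """Return True (grant), False (deny) or None (conflict left unresolved).

    policy: 'no_conflict' | 'denials' | 'permissions' | 'nothing'
    most_specific: apply 'most specific takes precedence' before `policy`
    default: 'open' or 'closed', used when no authorization applies
    """
    # propagation: every authorization on the subject or one of its ancestors applies
    reach = ancestors(subject)
    hits = [a for a in auths if a.subject in reach and a.obj == obj and a.action == action]

    if most_specific:
        # an authorization on an ancestor is overridden by a contradicting one on a descendant
        hits = [a for a in hits
                if not any(b.sign != a.sign and is_strict_ancestor(a.subject, b.subject) for b in hits)]

    signs = {a.sign for a in hits}
    if not signs:                      # incompleteness: fall back to the default policy
        return default == "open"
    if len(signs) == 1:                # no contradiction among applicable authorizations
        return signs.pop() > 0

    # inconsistency: both signs apply; resolve according to the chosen policy
    if policy == "no_conflict":
        raise Inconsistent(f"conflicting authorizations for {subject} on ({obj}, {action})")
    if policy == "denials":
        return False
    if policy == "permissions":
        return True
    return None                        # 'nothing takes precedence': conflict stays unsolved


if __name__ == "__main__":
    for user in ("Bob", "Carol", "Ann", "David"):
        print(user, "read r:", decide(AUTHS, user, "r", "read", most_specific=True),
              "| write s:", decide(AUTHS, user, "s", "write", most_specific=True))
```

Under "denials take precedence" Bob is denied r because the Nurse grant and his own denial conflict; under "most specific takes precedence" the same result is reached without a tie-break, since Bob's negative authorization overrides the one on Nurse, while Ann inherits Doctor's positive write authorization over Medical's negative one. David, who has no applicable authorization at all, is decided by the default policy alone.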