Databases Reference
In-Depth Information
or more detailed commissions. This requirement makes the values in both the
core cuboid
sensitive. The data cube is thus partitioned along the dependency lattice into
two parts. As another example, the previous requirement may only need to
be applied to the first year data, whereas data in other years can be freely
accessed. That is, the data cube should also be partitioned along the time
dimension.
To meet such security requirements, we describe a framework for speci-
fying authorization objects in data cubes. The function
Below
() partitions
the data cube along the dependency lattice, and the function
Slice
() parti-
tions the data cube along dimensions. An object is simply the intersection of
the two. For example, the above security requirements can now be specified as
Object
(
L, S
), where
L
=
quarter, employee
and the aggregation cuboid
year, employee
and
S
includes all the cells in the
first four quarters of the core cuboids. The cells included by
object
(
L, S
) must
be included by one of the two cuboids in
Below
(
L
), that is
{
year, employee
}
year, employee
and
; the cell must also be in the first year, that is their
first attribute must be one of the following values:
Q
1
through
Q
4
,
Y
1
,or
ALL
.
The object specification satisfies the following desired property. First, for
any cell in an object, the object will also include all the ancestors of that
cell. Intuitively, ancestors of a sensitive cell contain more detailed information
and should also be regarded as sensitive. For example, if an object includes
the cuboid
quarter, employee
, then it also includes the core cuboid , because
otherwise an adversary may compute the former from the latter. Second,
the definition can be easily extended to objects specified with multiple pairs
O
=
year, employee
due to the fact that
Below
() is distributive over set union.
That is,
Below
(
L
1
∪
{
L
i
,S
i
}
Below
(
L
2
). The union of the objects
Object
(
L
i
,S
i
) thus composes a new object
Object
(
O
).
L
2
)=
Below
(
L
1
)
∪
Lattice-Based Inference Control
We do not assume specific models of inferences. Instead, we consider inferences
that satisfy given algebraic properties. More specifically, given any two set of
cells in a data cube, denoted as
S
and
T
, we say a cell
c
is
redundant
with
respect to
T
if
S
includes both
c
and all its ancestors in any single cuboid;
a cell
c
is
non-comparable
to
T
, if for every
c
∈
T
,
c
is neither ancestor nor
descendant of
c
. We say a definition of inference is
reducible
, if for any
c
S
that is either redundant or non-comparable (or both) then
S
causes inferences
to
T
iff
S
∈
does so. That is, reducible inferences can be checked without
considering any redundant or non-comparable cells. For example, the infer-
ence in SUM-only data cubes, as discussed in the previous section, is indeed
reducible. For example, suppose
S
denotes the union of
−{
c
}
all, employee
and
year, employee
, and suppose
T
includes the cells of
quarter, employee
}
all, employee
is
redundant
and
in the first four quarters. Then the cell in
Y
2
,Bob
is
non-comparable
.
the cell
