Databases Reference
In-Depth Information
a multi-resolution browsing from low resolution images to high resolution
images, or vice versa.
The copying modes, download and download-data, allow source files to be
downloaded. Unlike the text data where the display privilege implies the copy-
ing privilege, the viewing and copying are distinguished as separate privileges
with geospatial data since the objects displayed on the Web browser often
are image gif files, but not the original source files. The maintenance modes
include insert, delete, update and compose. The users with compose privilege
can create and insert value-added images, using images in the database.
Geospatial Authorization
An authorization is represented as a 5-tuple
that specifies whether the set of subjects represented by
re
has an access
privilege to an object or a set of objects represented by
ge
during the period.
The sign is indicates allow or deny the privilege.
re, ge
,
privilege, period, sign
Access Control Evaluation
The user's access request can be represented as a tuple
r
=
where
gtc
is a geotemporal credential expression of the user with the contextual
information such as the current location and time the user is situated in,
gto
is a geotemporal object expression that can include a particular image type,
a spatial area with certain temporal footprint, and
p
is a permission type.
The geotemporal credentials are matched with the geotemporal role ex-
pression in the policy statement, and when the spatial and temporal extents
are included in the geotemporal role extents, the role is activated. Given
the activated roles and its corresponding policies, the requested object
gto
is
matched with the authorized geotemporal expression in the policy. The match-
ing operations between the requested and policy geotemporal extents include
predicates to check the spatial and temporal relationships such as contain-
ment, total and partial overlap, meet, and no-overlap. When the geotemporal
extent
gto
is contained, or totally or partially overlapping with the object's
geotemporal extents
ge
in the authorization, and the requested permission
matches with the one in the authorization, the authorization is allowed. In
case of partial overlap, only the overlapping area of the object should be deliv-
ered, which requires post-processing of the retrieved objects, such as cropping
of images and mosaicking of multiple cropped objects.
gtc, gto, p
3.2 GEO-RBAC: Geospatial Role-based Access Control
In this section, we present different approaches where location-aware applica-
tions require access control on spatial data. There are many approaches on
context-aware and spatially-aware access control [10, 9, 28, 25, 2]. We present
