which can be queried and executed, respectively, from a database user account.
The figure shows several cases that are typical in real-world settings. We first
discuss these cases in more detail, and then elaborate on how an instance of
the access path model is obtained before we cover some more formal properties
of the model.
Application Layer. Figure 3 shows three applications $A_1$, $A_2$, and $A_3$ to
which some persons have access. At application $A_1$, each user has a separate
application account, and each application account is associated with
a database user account. At application $A_2$, again each user has a separate
application account, but the application uses only one database account.
For application $A_3$, two persons share an application account, and the
application uses different database accounts. An important observation from
the latter two cases is that accounts are shared, which obviously causes
problems in correlating data accesses to a particular person.
Database Layer. With each database user account, one or more database
roles are associated. For application $A_1$, each application user account
corresponds to a database user account, and each database user account
has two roles. For application $A_2$, there is only one (default) role for the
database account through which all accesses to the database occur.
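The account-sharing cases above, worked through as an added example that is not part of the original text: it enumerates access paths as tuples (person, application account, (database account, role), database object) and reports every database access that cannot be attributed to a single person. All person, account, role, and object names, and the role-to-object grants, are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data modelled on the three cases described above.
# All person, account, role and object names are hypothetical.
PERSON_TO_APP = {            # person -> application accounts
    "alice": ["a1_alice"], "bob": ["a1_bob"],        # A1: one account each
    "carol": ["a2_carol"], "dave": ["a2_dave"],      # A2: one account each
    "erin": ["a3_shared"], "frank": ["a3_shared"],   # A3: shared app account
}
APP_TO_DB = {                # application account -> database accounts
    "a1_alice": ["db_alice"], "a1_bob": ["db_bob"],  # A1: 1:1 mapping
    "a2_carol": ["db_a2"], "a2_dave": ["db_a2"],     # A2: single DB account
    "a3_shared": ["db_a3_r", "db_a3_w"],             # A3: several DB accounts
}
DB_ROLES = {                 # database account -> roles
    "db_alice": ["clerk", "report"], "db_bob": ["clerk", "report"],
    "db_a2": ["default"], "db_a3_r": ["reader"], "db_a3_w": ["writer"],
}
ROLE_OBJECTS = {             # role -> database objects it can reach (assumed)
    "clerk": ["orders"], "report": ["v_sales"], "default": ["orders"],
    "reader": ["customers"], "writer": ["customers", "sp_update_customer"],
}

def build_paths():
    """Enumerate paths (person, app account, (db account, role), object)."""
    paths = set()
    for person, app_accounts in PERSON_TO_APP.items():
        for ua in app_accounts:
            for udb in APP_TO_DB[ua]:
                for role in DB_ROLES[udb]:
                    for obj in ROLE_OBJECTS[role]:
                        paths.add((person, ua, (udb, role), obj))
    return paths

def ambiguous_accesses(paths):
    """Map each ((db account, role), object) to its persons when more than one."""
    persons = defaultdict(set)
    for person, _ua, pair, obj in paths:
        persons[(pair, obj)].add(person)
    return {k: sorted(v) for k, v in persons.items() if len(v) > 1}

if __name__ == "__main__":
    for (pair, obj), who in sorted(ambiguous_accesses(build_paths()).items()):
        print(f"{pair} -> {obj}: not attributable, candidates {who}")
```

Only the $A_1$-style accounts stay out of the report: what the database sees for $A_2$ and $A_3$ is an account/role pair that maps back to more than one person.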
More formally, an instance of the access path model consists of a set of paths
$P \subset U_p \times U_a \times (U_{db} \times R_{db}) \times DB_{obj}$, with the vertices defined as follows.
• $U_p$ is a set of persons, typically those who possess a (shared) application
account.
• $U_a$ is a set of application accounts.
• $U_{db}$ is a set of database user accounts, and $R_{db}$ is a set of database roles;
an account/role pair $(u_{db}, r_{db}) \in U_{db} \times R_{db}$ specifies that the account $u_{db}$
has been assigned the role $r_{db}$. Several roles can be associated with one
database account $u_{db}$.
• $DB_{obj}$ is a set of database objects such as relations, views, and stored
procedures managed in the database.
Role hierarchies [24] are not explicitly represented in the access path model,
because only individual roles are enabled by users.
How are these sets obtained for creating an instance of the access path
model for a particular application and database setting? For this, one has to
recognize that the security re-engineering tasks described thus far not only
concern the database that is eventually to be better secured but the whole
infrastructure on top of the database, in particular all applications. That is,
all applications that operate on the database should be known. Consequently,
for each application, the application accounts $U_a$ should be determined. If a
good security policy enforcement and maintenance strategy is in place at the
organization, then it should also be known what persons $U_p$ have what
application accounts $U_a$. This is admittedly one of the most complicated tasks in
the security re-design, because the set of applications and their user accounts