models need to be defined. By analyzing the existing proposals, it is easy to
see that they are all based on the definition of a set of authorizations that at
least specify the subjects on which they apply, the objects to be protected,
and the action to be executed. The existing XML-based access control models
differentiate on the basis of the subjects, objects, and actions they can support
for access control specification and enforcement.
Subject. Subjects are usually referred to on the basis of their identities or
of the network location from which requests originate. Locations can
be expressed with reference to either the numeric IP address (e.g.,
150.100.30.8) or the symbolic name (e.g., bank.com) from which the
request comes.
It often happens that the same privilege should be granted to sets of
subjects that share common characteristics, such as the department
where they work or the role they play in the company. To simplify the
definition of authorizations, some access control models allow the
specification of authorizations having as subject:
- a group of users, which is a statically defined set of users; groups can
  be nested and overlapping;
- a location pattern, which is an expression identifying a set of physical
  locations, obtained by using the wildcard character * in physical or
  symbolic addresses;
- a role, which is a set of privileges that can be exercised by any user
  while playing the specific role; users can dynamically decide which role
  to play, among the ones they are authorized to play.
Also, subjects are often organized in hierarchies, where an authorization
defined for a general subject propagates to its descendants.
[Figure 3: An example of user-group hierarchy. Node labels: Public, BankEmployee, Client, StatisticalAnalyst, CashOperator, Alice, Bob, Carol, David, Eric, Fiona, Gregory, Hilary, Ivan.]
A hierarchy can be pictured as a directed acyclic graph containing a node
for each element in the hierarchy and an arc from element x to element y, if
x directly dominates y. Dominance relationships holding in the hierarchy
correspond to paths in the graph. Figure 3 shows an example of user-group
hierarchy.
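The following added example (not from the original text) shows how an authorization defined for a general subject propagates along paths in the hierarchy graph, combined with a location pattern check. The node names echo Figure 3, but the arcs, the authorizations, the object paths and all function names are constructed assumptions, and objects are compared as plain strings for simplicity.

```python
import re

# Constructed DAG: arcs run from a subject to the subjects it directly
# dominates. Node names echo Figure 3; the arcs themselves are assumed.
ARCS = {
    "Public": ["BankEmployee", "Client"],
    "BankEmployee": ["StatisticalAnalyst", "CashOperator"],
    "StatisticalAnalyst": ["Alice", "Bob"],
    "CashOperator": ["Bob", "Carol"],  # overlapping groups: Bob is in both
    "Client": ["David", "Eric"],
}

def dominates(x, y, arcs=ARCS):
    """True if x == y or a path leads from x to y in the DAG."""
    stack, seen = [x], set()
    while stack:
        node = stack.pop()
        if node == y:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(arcs.get(node, []))
    return False

def location_matches(pattern, location):
    """Match a location pattern in which * is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, location) is not None

# Constructed authorizations: (subject, location pattern, object, action).
AUTHS = [
    ("BankEmployee", "150.100.*", "/accounts", "read"),
    ("CashOperator", "*.bank.com", "/accounts/balance", "write"),
]

def is_authorized(user, location, obj, action, auths=AUTHS):
    """Grant if some authorization's subject dominates the user, its
    location pattern covers the request origin, and object/action match."""
    return any(
        dominates(subj, user) and location_matches(pat, location)
        and o == obj and a == action
        for subj, pat, o, a in auths
    )
```

Escaping every literal part of the pattern keeps the dots in addresses from acting as regular-expression wildcards, so only * widens the set of matching locations.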
 