also user-groups and location patterns and the corresponding hierarchies.
Location patterns are, however, restricted by imposing that multiple wildcard
characters must be continuous, and that they must always appear as
rightmost elements in IP patterns and as leftmost elements in symbolic
patterns. As a consequence, location pattern hierarchies are always trees.
The user-group hierarchy and the location pattern hierarchies need to
be merged in a unique structure: the authorization subject hierarchy
AS, obtained as the Cartesian product of the user-group hierarchy, the
IP hierarchy, and the symbolic names hierarchy. Any element in the
hierarchy is then associated with a user-id (or group), an IP address (or
pattern), and a symbolic name (or pattern). When one of these three
values corresponds to the top element in the corresponding hierarchy, the
characteristics it defines are not relevant for access control purposes, as
any value is allowed.
Object. The set of objects that should be protected is denoted as Obj and is
basically a set of URIs (Uniform Resource Identifiers) referring to XML
documents or DTDs. Reference to the finer element and attribute grains
is supported through path expressions, which are specified in the XPath
language.
Action. The authors limit the basic model definition to read authorizations
only. However, the support of write actions such as insert, update, and
delete does not complicate the authorization model. In [9] the authors
briefly introduce a method to also handle write operations, using a model
similar to the one proposed for read operations.
Sign. Authorizations can be either positive (permissions) or negative (denials),
to provide a simple and effective way to specify authorizations
applicable to sets of subjects/objects with support for exceptions.
Type. The type defines how the authorizations must be treated with respect
to propagation at a finer granularity and overriding.
Authorizations specified on an element can be defined as applicable to
the element's attributes only (local authorizations) or, in a recursive approach,
to its subelements and their attributes (recursive authorizations).
To support exceptions (e.g., the whole content, except a specific element,
can be read), recursive propagation from a node applies until stopped by
an explicit conflicting (i.e., of different sign) authorization on the descendants,
following the “most specific overrides” principle. Authorizations
can be specified on single XML documents (instance level authorizations)
or on DTDs (schema level authorizations). Authorizations specified on a
DTD are applicable (i.e., are propagated) to all XML documents that are
instances of the DTD. According to the “most specific overrides” principle,
schema level authorizations being propagated to an instance are
overridden by possible authorizations specified for the instance. To address
situations where this precedence criterion should not be applied, the
model allows users to specify instance level authorizations as soft (i.e., to
be applied unless otherwise stated at the schema level) and schema level
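
The recursive propagation and "most specific overrides" rule described above can be traced on a small document. The following is an added illustration, not code from the original text or from the model's authors. It covers instance level authorizations only and assumes they have already been matched to the requesting subject; the document, the authorization tuples, the closed (deny) default, the denial-wins tie-break, and the use of ElementTree's XPath subset are all assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (not from the page).
DOC = """<dept>
  <project id="p1"><title>Alpha</title><notes>internal</notes></project>
  <project id="p2"><title>Beta</title><notes>secret</notes></project>
</dept>"""

# Constructed authorizations: (path, sign, type); "R" = recursive, "L" = local.
AUTHS = [
    (".", "+", "R"),                          # whole document readable...
    ("./project[@id='p2']", "-", "R"),        # ...except project p2's subtree...
    ("./project[@id='p2']/title", "+", "L"),  # ...whose title is readable again
    ("./project/notes", "-", "L"),            # notes are denied everywhere
]

def label(root, auths, default="-"):
    """Return {element: sign} after propagation with most-specific-overrides.
    Simplification: an element's attributes take the element's final sign."""
    explicit = {}  # element -> {"L": sign, "R": sign}
    for path, sign, typ in auths:
        for el in root.findall(path):
            slot = explicit.setdefault(el, {})
            # Assumption: on a same-node, same-type conflict the denial wins.
            slot[typ] = "-" if "-" in (sign, slot.get(typ)) else sign
    final = {}
    def visit(el, inherited):
        own = explicit.get(el, {})
        recursive = own.get("R", inherited)  # an explicit R stops the inherited one
        final[el] = own.get("L", recursive)  # L only affects the node itself
        for child in el:
            visit(child, recursive)
    visit(root, default)  # assumption: closed policy when nothing applies
    return final

def readable(root, auths):
    """List the paths of elements whose final sign is '+', in document order."""
    final, out = label(root, auths), []
    def walk(el, path):
        here = f"{path}/{el.tag}" + (f"[{el.get('id')}]" if el.get("id") else "")
        if final[el] == "+":
            out.append(here)
        for child in el:
            walk(child, here)
    walk(root, "")
    return out

if __name__ == "__main__":
    print(readable(ET.fromstring(DOC), AUTHS))
```
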