in the family incorporate different features, but all members are designed to permit efficient (polynomial time) evaluation of ordinary authorization queries. Like SD3, RT is based on Datalog. However, rather than writing arbitrary Datalog clauses, the RT policy author uses a distinct RT syntax organized around RT language abstractions whose semantics is given by a formal translation of RT statements (i.e., credentials) into Datalog. This approach enforces an orderly policy-definition discipline while obtaining significant benefits from using what is in effect a subset of Datalog: (1) the semantics are unambiguous and can be constructed in several well understood and equivalent manners (logical entailment, fixpoint, top down, bottom up, etc.); (2) authorization queries are easily generalized to ask, for example, which principals are authorized to access a given resource, or which resources a given principal is authorized to access; (3) the complexity of the RT features is easily determined by making use of established complexity results for evaluation of Datalog queries. In addition, the way in which the Datalog clauses generated from RT statements are restricted enables RT credentials to be stored in a manner that is more flexible than is possible with QCM or SD3. As we will see in Section 4, because of these restrictions, RT credentials that are stored with either their subject or their issuer can be located and retrieved as needed during authorization query evaluation. In QCM and SD3, credentials must be stored with their issuers.
The definition and use of roles in RT is based on and extends that of groups in SDSI. Keys are called principals. Each principal A controls the definition of a collection of roles of the form A.R in which R is called a role name and is either an identifier r or, in members of the RT family of languages that support parameterized roles, an identifier applied to a list of parameters, as in r(t1, ..., tk). Parameters are quite helpful for the purpose of expressing quantitative attributes, such as age or budget, as well as for enabling roles to express relationships between principals and data objects. For instance, Alice.read(/usr/alice/research) might represent principals allowed to read Alice's research directory.
Certificates in RT are called statements or credentials. For concreteness, we consider the forms these can take in RT0. There are four types of credentials that an entity A can issue, each corresponding to a different way of defining the membership of one of A's roles, A.r.
• Simple Member: A.r ← D. With this credential A asserts that D is a member of A.r.

• Simple Inclusion: A.r ← B.r1. With this credential A asserts that A.r includes (all members of) B.r1. This represents a delegation from A to B, as B may cause new entities to become members of the role A.r by issuing credentials defining (and extending) B.r1.

• Linking Inclusion: A.r ← A.r1.r2.
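As an added example (not code from the chapter), the following Python evaluator computes role membership for the three RT0 credential forms shown above as the bottom-up fixpoint of the Datalog clauses they translate to, and answers both the ordinary authorization query and the generalized queries mentioned in point (2). The credential set and principal names are constructed; the reading of the linking form (A.r gains every member of B.r2 for each B in A.r1) is taken from the standard RT0 definition, since the excerpt ends before explaining it.

```python
# Constructed RT0 credentials, each kept with its issuer A (the defining role is A.r).
#   ("member",  A, r, D)      : A.r <- D
#   ("include", A, r, B, r1)  : A.r <- B.r1
#   ("link",    A, r, r1, r2) : A.r <- A.r1.r2   (standard RT0 reading, assumed here)
CREDENTIALS = [
    ("member", "StateU", "student", "Bob"),
    ("member", "ABU", "accredited", "StateU"),
    ("include", "EPub", "university", "ABU", "accredited"),
    ("link", "EPub", "preferred", "university", "student"),
    ("include", "EPub", "discount", "EPub", "preferred"),
]

def evaluate(credentials):
    """Bottom-up fixpoint of the Datalog translation; returns {(A, r): set of members}.
    Clauses:  member(A,r,D).
              member(A,r,X) :- member(B,r1,X).
              member(A,r,X) :- member(A,r1,B), member(B,r2,X).
    """
    members = {}
    def add(role, p):                       # returns True only if p was new
        s = members.setdefault(role, set())
        if p in s:
            return False
        s.add(p)
        return True
    changed = True
    while changed:                          # iterate until no clause adds a fact
        changed = False
        for cred in credentials:
            if cred[0] == "member":
                _, a, r, d = cred
                changed |= add((a, r), d)
            elif cred[0] == "include":
                _, a, r, b, r1 = cred
                for p in list(members.get((b, r1), ())):
                    changed |= add((a, r), p)
            elif cred[0] == "link":
                _, a, r, r1, r2 = cred
                for b in list(members.get((a, r1), ())):
                    for p in list(members.get((b, r2), ())):
                        changed |= add((a, r), p)
    return members

def authorized(members, principal, issuer, role_name):
    """Ordinary authorization query: is principal a member of issuer.role_name?"""
    return principal in members.get((issuer, role_name), set())

def members_of(members, issuer, role_name):
    """Generalized query: which principals hold the role issuer.role_name."""
    return frozenset(members.get((issuer, role_name), set()))

def roles_of(members, principal):
    """Generalized query: which roles the given principal is authorized for."""
    return frozenset(role for role, ps in members.items() if principal in ps)
```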