$A.r_1.r_2$ is called a linked role. With this credential $A$ asserts that $A.r$ includes $B.r_2$, for every $B$ that is a member of $A.r_1$. This represents a delegation from $A$ to all the members of the role $A.r_1$.
• Intersection Inclusion: $A.r \longleftarrow B_1.r_1 \cap B_2.r_2$. $B_1.r_1 \cap B_2.r_2$ is called an intersection. With this credential $A$ asserts that $A.r$ includes every principal who is a member of both $B_1.r_1$ and $B_2.r_2$. This represents partial delegation from $A$ to $B_1$ and to $B_2$.
Again to illustrate the technique by which semantics are given to a set of $RT_0$ credentials, we now present the translation to Datalog. Given a set $C$ of $RT_0$ credentials, the corresponding semantic program, $SP(C)$, is a Datalog program with one ternary predicate $m$. Intuitively, $m(A, r, D)$ indicates that $D$ is a member of the role $A.r$. Given an RT statement $c$, the semantic program of $c$, $SP(c)$, is defined as follows, where identifiers starting with the “?” character are logic variables:
$$SP(A.r \longleftarrow D) = m(A, r, D).$$

$$SP(A.r \longleftarrow B.r_1) = m(A, r, ?X) \mathrel{:-} m(B, r_1, ?X).$$

$$SP(A.r \longleftarrow A.r_1.r_2) = m(A, r, ?X) \mathrel{:-} m(A, r_1, ?Y),\ m(?Y, r_2, ?X).$$

$$SP(A.r \longleftarrow B_1.r_1 \cap B_2.r_2) = m(A, r, ?X) \mathrel{:-} m(B_1, r_1, ?X),\ m(B_2, r_2, ?X).$$
$SP$ extends to the set of statements in the obvious way: $SP(C) = \{\, SP(c) \mid c \in C \,\}$. Now to determine whether a principal $D$ belongs to role $A.r$, one simply evaluates a query (according to any one of a variety of evaluation mechanisms) to determine whether it is the case that $SP(C) \models m(A, r, D)$.
$RT_1$ adds parameterized roles to $RT_0$, and $RT_2$ adds logical objects to $RT_1$. Just as roles group together related entities so that their authorizations can be assigned in fewer statements, logical objects logically group together objects so that their permissions can be assigned together.
$RT^C$ [44, 45] incorporates constraint systems, carefully selected to preserve query-answering efficiency. Constraints are very helpful for representing ranges of quantitative values and object specifiers such as directory paths. For instance, they can very concisely express policies such as “anyone over 65 is entitled to a senior citizen discount” and “Alice can access the entire directory subtree of /usr/home/Alice”. $RT^T$ provides manifold roles and role-product operators, which can express threshold policies and separation-of-duty policies. $RT^D$ provides delegation of role activations, which can express selective use of capacities and delegation of these capacities. $RT^D$ and $RT^T$ can be used, together or separately, with each of $RT_0$, $RT_1$, or $RT_2$. The resulting combinations are written $RT_i$, $RT_i$, $RT_i$, and $RT^D_i$ for $i = 0, 1, 2$.
SDSI extended names and $RT$'s linked roles both rely on agreement among principals as to the intended meaning of role names (“identifiers” in SDSI). For instance, a linked name such as ABET.accreditedUniversity.student is only meaningful if there is some agreement among ABET-accredited universities as to what it means to be a student. One technique for providing a scalable means