Orion - A model for authorization By Gigi Shum and Chi-Fung Wong
Introduction • Database security • Protect data in the Database • Do so by restricting/determining access • Most models on authorizations thus far have been on relational databases
Object oriented features not found in relational databases require new security mechanisms to provide access to objects in a database. • Object oriented database features such as class inheritance and composite classes need additional rules to govern access
Overview • Establishes a set of relationships between objects, the user, and the authorization modes for the object • Defines rules which are used to define implicit authorizations based on explicit authorizations • Proposes authorization methods for object oriented features such as inheritance and complex objects.
Overview cont.. • Supports the following authorization types • Positive • Negative • Strong • Weak • Explicit • Implicit • Expands the definition and utilizes implicit authorizations • Outlines the calculation of implicit authorizations
Authorization Types • Positive authorization • ‘Yes’ • Negative authorization • ‘No’ • Explicit • Specifically saying if you have access • Implicit • Implying you have access • Strong • Authorization that can’t be overridden • Weak • Authorization that CAN be overridden
Weak and Strong Access Bases • This model defines two access bases • Weak • Strong • Both access bases include positive and negative rights • Weak authorization can be overridden allowing exceptions to be made in implicit authorization
Basics… • Authorizations are determined by three items • Subject (who) • Authorization Object (desired access) • Access privileges (r, w, rd, c)
Implicit Authorization • The core of this model • Authorization of a user for access of an object in the database implies it has other authorizations • Saves space • Don’t need to store all the explicit authorizations • Just calculate the implicit authorizations based on the minimally stored explicit authorizations
Implicit Authorization cont… • There is overhead in calculating implicit authorizations • May not be ‘cost effective’ if there is no need to define many authorizations on an individual object • In a relational DB, access is usually granted on a relation (table) and not on a specific tuple (row in the table) • Therefore the case for defining authorizations (explicit or implicit) on individual tuples is not very strong
Implicit authorizations cont… • In this model, there are implicit authorizations for subjects, objects and privileges • The number of objects in a database can be very large, so saving space by using implicit authorizations makes sense
Basics cont…… • Explicit authorizations may imply authorizations along any combination of the 3 items previously listed • A group of users has write/update access on a set of objects • E.g. Group of users = the people who work at admissions and records on campus • Set of objects = student/faculty records • Implies one member from the group of users has update access on any one of the objects in the set • Also implies that any one user also has read access to an object in the set
Basics still cont… • Hierarchies • The authorization triplet is organized into hierarchies • Role hierarchy, e.g. Government leaders > (other leaders) > Average citizen
Basics – keep going… • Role Hierarchies • Implies if Average Joe has access, President Bush will have access • Implies if President Bush doesn’t have access, Average Joe doesn’t have access • However, just because President Bush has access, doesn’t mean Average Joe will have access
Basics - ..and going • Access Privileges Hierarchy • W > R, W > C, R > RD, C > RD (and therefore W > RD)
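As an added example (not from the slides or the Orion paper), here is a small Python checker that encodes the rules from the last few slides: the W > R, W > C, R > RD, C > RD privilege hierarchy, upward propagation of positive and downward propagation of negative authorizations along a role hierarchy, and strong authorizations taking precedence over weak ones. The role names, the object name and the grant tuples are constructed for the example.

```python
# Privilege hierarchy from the slides: W > R, W > C, R > RD, C > RD (W > RD follows).
IMPLIES = {"W": {"R", "C"}, "R": {"RD"}, "C": {"RD"}, "RD": set()}

def implied_privileges(priv):
    """Transitive closure of the hierarchy: every privilege implied by `priv`."""
    seen, stack = set(), [priv]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES[p])
    return seen

# Constructed role hierarchy, highest role first (assumption for this example).
ROLE_ORDER = ["president", "leader", "citizen"]

def roles_above(role):  # a positive authorization propagates UP the hierarchy
    return set(ROLE_ORDER[:ROLE_ORDER.index(role) + 1])

def roles_below(role):  # a negative authorization propagates DOWN the hierarchy
    return set(ROLE_ORDER[ROLE_ORDER.index(role):])

def check(grants, subject, obj, priv):
    """grants: (role, object, privilege, positive: bool, strong: bool) tuples.
    Returns True (allowed), False (denied) or None (no authorization applies).
    Strong authorizations cannot be overridden, so they are consulted first;
    among weak ones an explicit grant on this exact (role, privilege) overrides
    an implicit one, and a negative grant wins at equal specificity (assumption)."""
    for want_strong in (True, False):
        explicit, implicit = [], []
        for role, o, p, positive, strong in grants:
            if strong != want_strong or o != obj:
                continue
            # Positive grants reach the roles above the grantee, negative ones the roles below.
            if subject not in (roles_above(role) if positive else roles_below(role)):
                continue
            # A positive grant of p covers every privilege p implies; a negative grant
            # of p denies every privilege that would itself imply p.
            covers = priv in implied_privileges(p) if positive else p in implied_privileges(priv)
            if not covers:
                continue
            bucket = explicit if (role == subject and p == priv) else implicit
            bucket.append(positive)
        for bucket in (explicit, implicit):
            if bucket:
                return all(bucket)
    return None
```

Note that denying W to a role does not deny C to it, because C is not implied by W in the privilege hierarchy; the checker returns None there rather than a decision.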
Authorization Object Schema (AOS) • Entities are also grouped into a hierarchical structure • Each is an authorization object type
Authorization Object Lattice (AOL) • A virtual structure derived from the AOS • Used to compute implicit authorizations • Each node belongs to one authorization type • Has implication links to the set of authorization objects at the next lower level (e.g. setof-instances) or only one implication link to the next lower level (e.g. class)
Authorization Object Lattice (AOL) cont… • Implication links to the set of authorization objects at the next lower level (e.g. setof-instances – links to all instance authorization objects of the class) • Or only one implication link to the next lower level (e.g. class – links to only one setof-instances authorization object)
Authorization Association Matrix (AAM) • Note how authorization types propagate through the AOL • A.down • E.g. W&R access on an object high in the hierarchy implies you have W & R access on the set of authorization objects at the next lower level • A.up • E.g. RD of an instance means RD on a class, RD on a class means RD on a Database where the class resides • A.Nil • Having a create access on one thing does not imply that you have create access on anything else
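Added example, not from the slides: propagation of a single explicit authorization through a constructed Authorization Object Lattice, following the A.down, A.up and A.nil rows described above (W and R down, RD up, C nowhere). The lattice shape and the object names are assumed.

```python
# Parent -> children links of a constructed AOL (assumption):
# database > class > setof-instances > instance.
AOL = {
    "db": ["Student", "Faculty"],
    "Student": ["Student.setof-instances"],
    "Student.setof-instances": ["student#1", "student#2"],
    "Faculty": ["Faculty.setof-instances"],
    "Faculty.setof-instances": ["faculty#1"],
}

# The AAM rows used here: W and R propagate down the lattice (A.down),
# RD propagates up (A.up), C propagates to nothing (A.nil).
PROPAGATION = {"W": "down", "R": "down", "RD": "up", "C": "nil"}

def parent_of(node):
    """Unique parent of a node in the AOL, or None for the root."""
    return next((p for p, kids in AOL.items() if node in kids), None)

def implicit_objects(obj, priv):
    """Objects on which holding `priv` on `obj` implies the same privilege,
    including `obj` itself."""
    result = {obj}
    rule = PROPAGATION[priv]
    if rule == "down":           # A.down: reach every descendant
        stack = [obj]
        while stack:
            for child in AOL.get(stack.pop(), []):
                if child not in result:
                    result.add(child)
                    stack.append(child)
    elif rule == "up":           # A.up: reach every ancestor
        node = parent_of(obj)
        while node is not None:
            result.add(node)
            node = parent_of(node)
    return result                # A.nil: nothing beyond obj itself
```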
The authorizations are specified by the users who have authorization for a given access privilege on an object. They can grant authorizations to other users. When they explicitly grant authorizations, implicit authorizations based on the implication relationships between the access privileges and the rules of propagation are automatically given.
Other implications from this model • A read or write privilege on a class in an inheritance hierarchy implies R/W access on all the classes in the inheritance hierarchy • However, it does allow for the option that no authorization will be given to the subclass • This is to protect data in the subclass from other people that might have access to the parent class.
Other implications cont… • Authorization on a composite class (class made up of other classes) means implicit authorization on the component classes • Note: this is for one instance only, not all instances of the component classes • Partial and total authorizations: • A total write access on a component of a composite class means total write access on all descendants and partial write access on all ancestors • A partial read access on a component of a composite class means the same privileges on the top level components
Main points of this model… • Usage of implicit authorizations • Usage of explicit negative authorizations • Usage of weak authorizations as exceptions to the implicit authorizations • Extends the authorization models of today to object oriented databases • Lacking object and subject classification for mandatory access control.