Data Grouping Scheme for Authorization Purposes

IP.com Disclosure Number: IPCOM000088965D
Original Publication Date: 1977-Aug-01
Included in the Prior Art Database: 2005-Mar-04
Document File: 4 page(s) / 38K

Publishing Venue

IBM

Related People

Fernandez, EB: AUTHOR [+2]

Abstract

A data structuring scheme for grouping of data base objects into classes and a set of semantic rules assigning users access of a given type to the classes are described. The scheme groups elementary data units into classes, which, in turn, can be grouped into classes of classes, up to an arbitrary level of structuring. These classes do not have to be disjoint, which results in groupings whose structure can be described by arbitrary partial orderings. If some hierarchical precedence is assumed for the levels of the structure, then the access rules for many of the lower level elements need not be explicitly given or stored, but can be generated by the system, starting from explicit specifications at a higher level.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 33% of the total text.

In a conventional system, where data structuring for authorization purposes is not used, the following operations have to be performed: i) the data base administrator (DBA) explicitly defines rules of access for each data unit that can be accessed by a given user; ii) these rules are stored in an access matrix; and iii) a matrix row is searched to determine the access rights of the user to a given data unit.

In contrast, if there exists a data structuring of the type described, the DBA has to specify rules for only some data classes and only some rules have to be stored. This reduces the burden on the DBA and reduces the amount of storage required.

We assume that the data structuring is known to the system through a directory or catalog. Rules defined at a given level may or may not be explicitly multiplied into rules for access to lower level units. Keeping the lower level access rules implicit saves storage but requires a more complex access evaluation strategy combining use of the directory with a reduced access matrix. Explicit multiplication of rules simplifies the evaluation algorithm which now becomes a simple search through a larger access matrix, but requires a larger amount of storage.
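The two evaluation strategies just described, as an added illustration that is not part of the 1977 disclosure: a constructed directory of overlapping data classes (a partial order), a reduced access matrix of class-level rules, an evaluation that walks the directory upward, and an explicit multiplication into a full matrix. The conflict resolution for a unit that belongs to two classes with different rules (nearest level wins, ties resolve to the most restrictive type, no rule means t(0)) is an assumption of this example, not a rule stated by the disclosure.

```python
ACCESS_TYPES = ["null", "read", "update"]  # t(0) is null (no) access

# Constructed directory: object -> the classes that directly contain it.
# "salary" sits in two classes, so the grouping is a partial order, not a tree.
DIRECTORY = {
    "salary":    ["payroll", "hr_record"],
    "address":   ["hr_record"],
    "ledger":    ["finance"],
    "payroll":   ["finance"],
    "hr_record": [],
    "finance":   [],
}

# Reduced access matrix: only the rules the DBA stated explicitly (constructed).
REDUCED = {
    ("clerk", "hr_record"): "read",
    ("clerk", "payroll"):   "null",
    ("cfo",   "finance"):   "update",
}

def evaluate_implicit(directory, reduced, subject, obj):
    """Combine the directory with the reduced matrix: climb level by level
    until some class containing obj carries a rule for this subject.
    Assumptions (not from the disclosure): the nearest level wins, ties at
    one level resolve to the most restrictive type, no rule means t(0)."""
    level, seen = [obj], {obj}
    while level:
        found = [reduced[(subject, o)] for o in level if (subject, o) in reduced]
        if found:
            return min(found, key=ACCESS_TYPES.index)
        nxt = []
        for o in level:
            for parent in directory.get(o, []):
                if parent not in seen:
                    seen.add(parent)
                    nxt.append(parent)
        level = nxt
    return ACCESS_TYPES[0]

def multiply(directory, reduced):
    """Explicit multiplication: store an entry for every (subject, object)
    pair so evaluation becomes a plain lookup, at the cost of storage."""
    subjects = {s for s, _ in reduced}
    return {(s, o): evaluate_implicit(directory, reduced, s, o)
            for s in subjects for o in directory}

def evaluate_explicit(full, subject, obj):
    """Simple search through the larger, multiplied access matrix."""
    return full.get((subject, obj), ACCESS_TYPES[0])
```

With this directory the reduced matrix holds 3 rules while the multiplied one holds 12, and the clerk's access to "salary" resolves to null because the "payroll" rule overrides the "hr_record" rule at the same level.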

If the users interact with the data base through a language where data requests are explicit, the compiler can decide to which data classes the more elementary data requests belong, and check access rights with respect to these classes. If such a language is not used, or in the case of an interactive query system, a similar strategy can be applied by requesting the users to declare which data elements they are referring to.

We consider a shared data base system where users have access to data units in specific ways. In other words, the type of access to a given piece of information depends on the requesting entity. The form of an access rule is

(Image Omitted)

indicating that the requesting entity or subject S(i) has access of type t(i) to object o. Typical subjects are classes of users and applications; typical objects are data structures, data items, and applications. The access types t(j) form a set {t(0),t(1),t(2),...t(w)}, such that t(0) represents no access (or null access), a...