IDENTIFICATION AND AUTHORIZATION IN DATA BASE SYSTEMS

IP.com Disclosure Number: IPCOM000148691D
Original Publication Date: 1978-Feb-03
Included in the Prior Art Database: 2007-Mar-30

Publishing Venue

Software Patent Institute

Related People

Mresse, M.: AUTHOR [+2]

Abstract

RJ2161(29574) 2/3/78 Computer Science. IDENTIFICATION AND AUTHORIZATION IN DATA BASE SYSTEMS. M. Mresse, IBM Research Laboratory, San Jose, California 95193. ABSTRACT: A multi-user data base system must control access to data by its users. It has to provide a means to restrict the circle of people who can log into the system (identification problem) and to describe the subset of data which each person is allowed to access (authorization problem). We discuss these two aspects and the connection between them in the context of several different designs for data base systems. Let us start with a trivial example (fig. 1: cashing a check in a bank). Assume that the person X intends to cash a check for $1000.-. The teller who is asked to pay out the money will first identify X. For this purpose he lets X sign the check and also asks for further identification. He tries to identify the person as X.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 29% of the total text.

RJ2161(29574) 2/3/78
Computer Science

IDENTIFICATION AND AUTHORIZATION
IN DATA BASE SYSTEMS

M. Mresse

IBM Research Laboratory
San Jose, California 95193

ABSTRACT: A multi-user data base system must control access to data by
its users. It has to provide a means to restrict the circle of people
who can log into the system (identification problem) and to describe the
subset of data which each person is allowed to access (authorization
problem).

We discuss these two aspects and the connection between them in the
context of several different designs for data base systems.


Let us start with a trivial example (fig. 1).

fig. 1: cashing a check in a bank

Assume that the person X intends to cash a check for $1000.-. The teller who is asked to pay out the money will first identify X. For this purpose he lets X sign the check and also asks for further identification. He tries to identify the person as X.

Although X is now correctly identified, we still don't know whether X is authorized to cash a check for this amount. Therefore the deposit of X will be checked prior to handing out the money. The person X is then authorized to cash his check for $1000.-.

In data base systems these two problems are handled in the same way. First the system has to find out the identity of the person trying to use it, and afterwards it must be determined what this person is allowed to do.

The identity of the subject using the system can be checked on a hardware or on a software level.


Checking on a hardware level would mean that some kind of hardware key has to be used before the system can be activated. Apparently this solution is impractical in a multiuser environment on a general purpose computer.

Checking on a software level works by means of a 'soft-key', e.g. any kind of password. This password may be an alphameric string of arbitrary length or any other type of presumably secret information passed as identification to the system. This second type of identity checking shall be the subject of this paper; these kinds of systems will be referred to as password systems or PS.

The object of an I/A-System is defined as any unit, item or part of the system the user intends to work with. Let's itemize a few of these possible I/A-Units:

a) a record or a tuple

b) a file or a table

c) a whole data base

d) the software environment of a DB-System (e.g. CPIS, OS, ZSO)

e) the hardware environment of a DB-System
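
The two steps described above (identify the subject with a password, then decide what it may do with a given I/A-Unit), as an added sketch that is not part of the original report. All names and sample data are constructed; the salted PBKDF2 hash and the rule that a grant on a data base or table covers the units inside it are assumptions, not statements from the paper.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    # Assumption: modern salted hash; the paper only speaks of a secret 'soft-key'.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordSystem:
    def __init__(self):
        self._users = {}   # name -> (salt, password hash)
        self._grants = {}  # name -> {I/A-Unit path: set of operations}

    def enroll(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))
        self._grants[name] = {}

    def grant(self, name, unit, ops):
        self._grants[name].setdefault(tuple(unit), set()).update(ops)

    def identify(self, name, password):
        """Step 1: is this really the claimed subject?"""
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        # Hash even for unknown names so both paths do the same work.
        return hmac.compare_digest(_hash(password, salt), stored)

    def authorize(self, name, unit, op):
        """Step 2: may the subject perform op on this unit?
        Assumption: a grant on an enclosing unit covers the units inside it."""
        unit, grants = tuple(unit), self._grants.get(name, {})
        return any(op in grants.get(unit[:i], ()) for i in range(1, len(unit) + 1))

    def access(self, name, password, unit, op):
        if not self.identify(name, password):
            return "identification failed"
        if not self.authorize(name, unit, op):
            return "not authorized"
        return "granted"

def demo():
    ps = PasswordSystem()
    ps.enroll("x", "correct horse")                      # constructed sample user
    ps.grant("x", ("bank", "accounts"), {"read"})        # table-level grant
    ps.grant("x", ("bank", "accounts", "acct-17"), {"withdraw"})  # record-level
    rec17, rec99 = ("bank", "accounts", "acct-17"), ("bank", "accounts", "acct-99")
    return [ps.access("x", "wrong", rec17, "withdraw"),
            ps.access("x", "correct horse", rec17, "withdraw"),
            ps.access("x", "correct horse", rec99, "withdraw"),
            ps.access("x", "correct horse", rec99, "read"),
            ps.access("nobody", "guess", ("bank",), "read")]
```

Keeping the two outcomes distinct inside the system makes it possible to log failed identification separately from denied authorization, even if the user is shown the same message for both.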


In a first approach passwords will b...