IDENTIFICATION AND AUTHORIZATION IN DATA BASE SYSTEMS
Original Publication Date: 1978-Feb-03
Included in the Prior Art Database: 2007-Mar-30
Software Patent Institute
Mresse, M.: AUTHOR [+2]
RJ2161(29574) 2/3/78 Computer Science
IDENTIFICATION AND AUTHORIZATION
IN DATA BASE SYSTEMS
IBM Research Laboratory
San Jose, California 95193
ABSTRACT: A multi-user data base system must control access to data by
its users. It has to provide a means to restrict the circle of people
who can log into the system (identification problem) and to describe the
subset of data which each person is allowed to access (authorization
We discuss these two aspects and the connection between them in the
context of several different designs for data base systems.
Let us start with a trivial example (fig. 1).
fig. 1: cashing a check in a bank
Assume that the person X intends to cash a check for $1000.-. The teller who is asked to pay out the money will first identify X. For this purpose he lets X sign the check and also asks for further identification. He tries to identify the person as X.
Although X is now correctly identified we still don't know whether X is authorized to cash a check for this amount. Therefore the deposit of X will be checked prior to handing out the money. The person X is then authorized to cash his check for $1000.-.
In data base systems these two problems are handled in the same way. First the system has to find out the identity of the person trying to use it and afterwards it must be determined what this person is allowed to do.
The identity of the subject using the system can be checked on a hardware or on a software level.
Checking on a hardware level would mean that some kind of hardware key has to be used before the system can be activated. Apparently this solution is impractical in a multiuser environment on a general purpose computer.
Checking on a software level works by means of a 'soft-key', e.g. any kind of password. This password may be an alphameric string of arbitrary length or any other type of presumably secret information passed as identification to the system. This second type of identity checking shall be the subject of this paper; these kinds of systems will be referred to as password systems or PS.
The object of an I/A-System is defined as any unit, item or part of the system the user intends to work with. Let's itemize a few of these possible I/A-Units:
a) a record or a tuple
b) a file or a table
c) a whole data base
d) the software environment of a DB-System
(e.g. CPIS, OS, ZSO)
e) the hardware environment of a DB-System
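The two-step check described above, as an added example that is not code from the report: identification by a password 'soft-key', then authorization against I/A-Units of type a) to c). The class names, the sample subject and units, the use of PBKDF2, and the rule that a grant on an enclosing unit covers the units inside it are assumptions of this example.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the soft-key, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordSystem:
    """Step 1, identification: is the presented soft-key that of a known subject?"""
    def __init__(self):
        self._users = {}                      # subject -> (salt, derived key)

    def enroll(self, subject: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[subject] = (salt, _derive(password, salt))

    def identify(self, subject: str, password: str):
        # Unknown subjects still cost one derivation, so timing does not
        # reveal which names are enrolled.
        salt, stored = self._users.get(subject, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_derive(password, salt), stored)
        return subject if ok else None

class Authorizer:
    """Step 2, authorization: what may an identified subject do to which unit?"""
    def __init__(self):
        self._grants = set()                  # (subject, unit path, operation)

    def grant(self, subject: str, unit: tuple, op: str) -> None:
        self._grants.add((subject, tuple(unit), op))

    def allowed(self, subject, unit: tuple, op: str) -> bool:
        if subject is None:                   # identification failed: deny
            return False
        unit = tuple(unit)
        # Assumption: a grant on (data base,) or (data base, table) also
        # covers every table or record nested inside that unit.
        return any((subject, unit[:i], op) in self._grants
                   for i in range(1, len(unit) + 1))

def demo():
    # Constructed sample data: subject "x", data base "payroll".
    ps, az = PasswordSystem(), Authorizer()
    ps.enroll("x", "correct horse")
    az.grant("x", ("payroll", "employees"), "read")
    who = ps.identify("x", "correct horse")
    return (az.allowed(who, ("payroll", "employees", "42"), "read"),
            az.allowed(who, ("payroll", "salaries", "42"), "read"))

if __name__ == "__main__":
    print(demo())
```
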
In a first approach passwords will b...