Acten (Action Entity) Model

Similar documents
Database Security Overview. Murat Kantarcioglu

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Synchronization mechanisms between SAP BW and SAP HANA authorizations

Enhanced Entity-Relationship (EER) Modeling

Discretionary Vs. Mandatory

Techno India Batanagar Computer Science and Engineering. Model Questions. Subject Name: Database Management System Subject Code: CS 601

Chapter 10 Advanced topics in relational databases

COSC 304 Introduction to Database Systems Enhanced Entity-Relationship (EER) Modeling

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

Relational Databases

CSE 530A. ER Model. Washington University Fall 2013

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

CSC 474/574 Information Systems Security

B.C.A DATA BASE MANAGEMENT SYSTEM MODULE SPECIFICATION SHEET. Course Outline

Database Security Lecture 10

THE ENTITY- RELATIONSHIP (ER) MODEL CHAPTER 7 (6/E) CHAPTER 3 (5/E)

Access Control. Protects against accidental and malicious threats by

COSC 304 Introduction to Database Systems. Views and Security. Dr. Ramon Lawrence University of British Columbia Okanagan

Database Design. ER Model. Overview. Introduction to Database Design. UVic C SC 370. Database design can be divided in six major steps:

normalization are being violated o Apply the rule of Third Normal Form to resolve a violation in the model

CHAPTER 5 SECURITY ADVANCED DATABASE SYSTEMS. Assist. Prof. Dr. Volkan TUNALI

LAB 2 Notes. Conceptual Design ER. Logical DB Design (relational) Schema Refinement. Physical DD

Overview. Introduction to Database Design. ER Model. Database Design

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Conceptual Design. The Entity-Relationship (ER) Model

Relational DB Design by ER- and EER-to-Relational Mapping Design & Analysis of Database Systems

CSE 565 Computer Security Fall 2018

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

Chapter 4. Enhanced Entity- Relationship Modeling. Enhanced-ER (EER) Model Concepts. Subclasses and Superclasses (1)

1. Considering functional dependency, one in which removal from some attributes must affect dependency is called

Chapter (4) Enhanced Entity-Relationship and Object Modeling

Basant Group of Institution

Review for Exam 1 CS474 (Norton)

Mahathma Gandhi University

Chapter 9: Relational DB Design byer/eer to Relational Mapping Relational Database Design Using ER-to- Relational Mapping Mapping EER Model

Assignment Session : July-March

Database Architecture 1

Definitions. Database Architecture 1. Database Schema. Database Instance. Data Item (Schema Construct) The description of a database.

CSC 261/461 Database Systems Lecture 6. Fall 2017

Real Application Security Administration

Copyright 2007 Ramez Elmasri and Shamkant B. Navathe Slide 25-1

Introduction to Database Design

Solved MCQ on fundamental of DBMS. Set-1

SYLLABUS ADMIN DATABASE SYSTEMS I WEEK 2 THE ENTITY-RELATIONSHIP MODEL. Assignment #2 changed. A2Q1 moved to A3Q1

Fundamentals of Design, Implementation, and Management Tenth Edition

Query formalisms for relational model relational calculus

Database Management System (15ECSC208) UNIT I: Chapter 2: Relational Data Model and Relational Algebra

Ders # 7. Veri Bütünlüğü Programlama ve Güvenlik. From Elmasri/Navathe textbook Ch9,26 Sciore textbook, Ch 9-10

CS 4604: Introduction to Database Management Systems. B. Aditya Prakash Lecture #5: Entity/Relational Models---Part 1

Textbook: Chapter 4. Chapter 5: Intermediate SQL. CS425 Fall 2016 Boris Glavic. Chapter 5: Intermediate SQL. View Definition.

SOME TYPES AND USES OF DATA MODELS

Translation of ER-diagram into Relational Schema. Dr. Sunnie S. Chung CIS430/530

DATABASE SECURITY AND PRIVACY. Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security

1. Data Model, Categories, Schemas and Instances. Outline

Conceptual Data Models for Database Design

Sample Question Paper

Database Security. Authentification: verifying the id of a user. Authorization: checking the access privileges

Computer Science Applications to Cultural Heritage. Relational Databases

Views. COSC 304 Introduction to Database Systems. Views and Security. Creating Views. Views Example. Removing Views.

COSC344 Database Theory and Applications. σ a= c (P) S. Lecture 4 Relational algebra. π A, P X Q. COSC344 Lecture 4 1

CS425 Fall 2017 Boris Glavic Chapter 5: Intermediate SQL

CPS510 Database System Design Primitive SYSTEM STRUCTURE

Introduction to Database Design

Chapter 2 Conceptual Modeling. Objectives

DB Creation with SQL DDL

Copyright 2004 Pearson Education, Inc.

Data Modelling and Databases. Exercise Session 7: Integrity Constraints

CS 377 Database Systems

Chapter 8 The Enhanced Entity- Relationship (EER) Model

II. Data Models. Importance of Data Models. Entity Set (and its attributes) Data Modeling and Data Models. Data Model Basic Building Blocks

Chapter 8: Enhanced ER Model

Advance Database Management System

DATA MODELING USING THE ENTITY-RELATIONSHIP MODEL. 1 Powered by POeT Solvers Limited

A7-R3: INTRODUCTION TO DATABASE MANAGEMENT SYSTEMS

ITCS 3160 DATA BASE DESIGN AND IMPLEMENTATION

Chapter 1 Database System Concepts and Architecture. Nguyen Thi Ai Thao

Fundamentals of Database Systems

The Entity-Relationship Model

Relational Model, Relational Algebra, and SQL

Administration of RBAC

Chapter 4: Intermediate SQL

CS 338 The Enhanced Entity-Relationship (EER) Model

Roma, 28 Ottobre 2014 Centro Congressi Banca d Italia. Training Session: Access Rights

Conceptual Modeling in ER and UML

CS 146 Database Systems

SQL Introduction. CS 377: Database Systems

OVERVIEW OF DATABASE DEVELOPMENT

Non-overlappingoverlapping. Final outcome of the worked example On pages R&C pages R&C page 157 Fig 3.52

Entity-Relationship Model

Chapter 4: Intermediate SQL

Transforming ER to Relational Schema

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN

II B.Sc(IT) [ BATCH] IV SEMESTER CORE: RELATIONAL DATABASE MANAGEMENT SYSTEM - 412A Multiple Choice Questions.

ADVANCED DATABASES ; Spring 2015 Prof. Sang-goo Lee (11:00pm: Mon & Wed: Room ) Advanced DB Copyright by S.-g.

Essay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM).

UNIVERSITY OF TORONTO MIDTERM TEST SUMMER 2017 CSC343H Introduction to Databases Instructor Tamanna Chhabra Duration 120 min No aids allowed

CS403- Database Management Systems Solved Objective Midterm Papers For Preparation of Midterm Exam

MIS Database Systems Entity-Relationship Model.

Transcription:

Acten (Action Entity) Model Proposed by Bussolati et al 1983 As an extension to the TG model Further administrative privileges Predicates on authorization Two separate graphs Access Authorizations Administrative privileges Aim of the extension: Correcting the non-selectivity of admin privileges Enlarging the controls on the priv. transport flow Acten -2 Every security-relevant element of the system is viewed as entity. Entity regards both subjects and objects. Entities are resource types. Access modes Static Dynamic Both are called actions. 1

Static Actions Their execution does not modify the auth. State of the system Consists of Use: between users, operators and I/O resources, applications, Read: to access the contents of an entity Write Create: of entities Delete: of an entity Dynamic Actions Their execution modify the auth. State of the system Are: Grant: held by E i towards E j related to an static mode m and referred to E k allows E i to grant E j,m on E k. Revoke: Delegate: Allows E i to grant E j,the dynamic authorization grant related to m on E k. Authorization to delegate/abrogate are limited to a few entities. Abrogate 2

Acten If Ei hold the highest level access mode (create/remove), and the delegate/abrogate on Ej, then Ei is the owner of Ej. The owner of an entity is unique. The delegate/abrogate access modes are given exclusively to the owner. Hierarchy of access modes Create/Delete 4 Update 3 Delegate/abrogate 2 Read 2 Grant/revoke 1 Use 1 Acten When Ei is authorized to access Ej in mode at level L, it is also authorized to access Ej according to all access modes at levels L L. When an access mode is revoked, all the modes at a higher classification are revoked 3

Authorizations Authorization is a binary relation between entities: characterized by the involved entities and access mode, by a direction and one or more attributes (predicates). A static authorization is indicated as: A ij = a ~{P ij }, where a is the access mode of E i on E j if the condition in P ij is satisfied The predicate considers only the system conditions (time or origin) Value dependent predicates should be applied to the entity itself to create a more restricted entity (similar to VIEW) Authorizations Dynamic access modes are characterized by exp of the form A i j/k = a ~ {P ij } For each entity there are two sets: the auth set and the protection set as: S a (E i ) S p (E i ) S a (E i ) is all the authorization that Ei holds on the other entities S p (E i ) is all authorization held by the system entities onto E i 4

Entity classification Based on S a (E i ) and S p (E i ), entities are classified as: Active entity: if S a (E i ) 0; E i can execute actions on the other entities Passive entity: if S p (E i ) 0; Active/passive entity: if S a (E i ) 0; and S p (E i ) 0; e.g. processes, transactions, Acton model structures The model elements are represented in two graphs: SG: auth for static actions. Nodes are entities, arcs are the auth. If an auth is constrained, the arc is crossed. 5

Acten. DG: auth for dynamic actions: nodes: entities; arcs are the auths. Arcs are labeled of the form DA SA {M}, M is only used for deleg/ab Data structures in Acten Table of security classes: for each entity Ei, The static action Ai+ at the highest level that Ei can execute on the system entities:: Active potentiality of Ei. The static action Ai- is the highest level that can be executed on Ei by the system entities:: Passive potentiality of Ei. No Active potentiality is defined for the passive entities and no passive potentiality is defined for the active entities. The table allows the admin to assign an auth. level and a prot. level to each entity. 6

Security class table E1: user E2: application E3: Peripheral E4: Data Record E5: Application Potentiality A1+ A2- A1- A2+ A3- A3+ A4- A4+ A5+ A5- Action Update - Update Create/delete Create/delete Use - Create/delete Create/delete Create/delete Acten. Table of entity states: shows the entities that own the other entities and the list of owned entities. Owner entity E1 E4 E7 Owned entities E8, E5, E7 E6 E3, E2 Table of action hierarchy: The list of static and dynamic action hierarchies. 7

Consistency and transformation rules Rules during the system life cycle: Internal consistency rules: the structure of SG and DG should be consistent regarding to the nature of the represented protection system. Mutual consistency rules: SG and DG should be consistent in representing the privileges. E.g. a privilege should not be propagated if the grantor does not hold that privilege. Transformation rules: control the indirect authorizations and the access right propagation. Internal consistency for SG A system entity can execute or undergo only those access modes which are compatible with its type and role. A peripheral system cannot be deleted! Use is inapplicable for a file! 8

Internal consistency for DG 4 basic rules: Let E j be the owner of E k, no other entities E i, i, k j, k i; can hold the authorization A ij/k of type GRANT SA ; SA is any static action. This means that owner is the only entity who has the highest right on E k An entity E i can be authorized for delegate/ abrogate actions on E k, if E i is the owner of E k. Let E j is authorized to grant to E m a static action of level L with parameter E k. E i, (owner of E k ) can run Aij/k of type Delegate SA only if L(SA) > L. Recipient of a SA of level L through a delegate action (E i ) can grant this SA to E m whose active potentiality (A+) has level L > L. Transformation rules for SG Purpose: show all privileges held indirectly by an entity on the other entities. Defined for groups of 3 entities E i, E j, E z and 2 authorizations A ij, A jz. Each rule determines the static action A iz that can be executed via the A ij -A jz. A transf. rule is A iz = F(A ij, A jz, E i, E z ) The level of A iz cannot be higher than the level of active potentiality of E i, nor less than the level of passive potentiality of E j. 9

Algorithm If L(A ij ) > L(A jz ) then L(A iz ) = L(A jz ) If L(A ij ) L(A jz ) then check the active potentiality of E i if L(A jz ) > L(Ai+) then L(A iz ) = L(Ai+) -- if L(A jz ) < L(Ai+) then L(A iz ) = L(A jz ) If A ij, A jz are constrained by some predicates P ij, P jz, then P iz = P ij P jz Next slide as an example Example 10

Transformation rules for DG Control the flow of privileges in the system: the flow of static and dynamic actions due to the execution of dynamic actions. Indirect authorization Each rule is defined for a group of 3 entities Ei, Ej, Ek and two actions Aij/k, Ajz/k defined on the same parameter entity Ek... 11

Mutual consistency rules for SG & DG Ensuring that dynamic privileges are consistent with the state of auth. for access modes and vs. 1. Ei can grant Ej the privilege to execute a static action SA of level L upon Ek only if in the SG, Ei can execute SA of level L L on Ek. 2. If Ei can execute a static action Ajk of level L, then in DG Ei can grant to Ej the privilege to execute only static auth of level Li > L on Ek. 3. For each Aij/k of type Delegate SA, the corresponding auth Aij must exist in the SG of type create/delete. Woods et al model 12

Woods. 1979 by Woods Orientation is on auth management and access control in multilevel schema DB. This aim is distinguished from Multilevel security models and arch. The model considers the 3-level arch of ANSI/SPARC including External level: nearest to the user Conceptual level: representation of the data Internal level: closest to the physical storing, not bound to the hardware elements. Woods 13

Woods Each schema may be based on a different data model. This model focuses on the consistency among the auth. rules in different levels. The model considers a relational DB model for the external level and ER model for the conceptual level. Subjects: users of the system Authorizer, who administer the authorizations Users, who access data Objects, next slide Woods Objects: Conceptual-level objects: each O belongs to a type category, specified by a function n, specifies its type category ( n(o) ). Type categories at conceptual level are: entity set, relationship type, and attribute. An attribute may be associated with one entity set and maps the entity set to a value set. A relationship type is a bidirectional association between two entity set, and may have two names. External-level objects: Type categories are table, view, and field (column). x.y indicates field x of table y. 14

Access modes in Woods... model At each level (conc. & ext.), a set TP of operations is defined At the conceptual level: TP entity = {insert, delete} TP attribute = {insert, read, use} TP relationship = {insert, read, use} Type category C = {entity, attribute, relation} T C = TP entity TP attribute TP relation = {insert, delete, read, use} At the external level: TP table = {insert, delete} TP field = {update, read, use} Type category E = {table, field} T C = TP table TP field = {insert, delete, update, use} Mapping between operation at the levels. Mapping function R v :T E X E T C X C Maps the external level operations into the conceptual level operations At the element level, it is: R v :<t r, e i > <t s k, C j k > k, t s k T cj k 15

Woods Auth. state are stated by access rules. Access rules are of the form <s, o, t, p>, where subject s exercises the access mode t on object o, under the condition p. Access rules are defined by an authorizer. Basic rules are specified at the conc. level, which is a global view of data of an org. A table definition (at the external level) includes access constraints specifying which access types are legal for each external object e (each table and its fields) These constraints are stored in an Access Constraint table (AC). e.g. next slide AC in Woods E EMPLOYEE EMPLOYEE EMPLOYEE.name EMPLOYEE.ssn EMPLOYEE.manager EMPLOYEE.salary EMPLOYEE.manager EMPLOYEE.salary T delete insert read read read read update update 16

Access rules specified on conceptual objects are transformed into access rights on external objects. Access to external objects can be specified in two ways: By accepting the access rules derived from the conc. level rules. Defining some new, more restrictive rules. Fig. in next slide 17

Access rules at the conc. level In the form of <s,o,t,p> Stored in the conceptual rule (CR) table. Next slide The specified access type in these rules must belong to the set of legal access types for the corresponding category Conceptual Rule Table Subject Conceptual object Access Type P Javad EMPLOYEE.name read Javad EMPLOYEE.ssn read Javad EMPLOYEE.manager read Javad EMPLOYEE.salary read Javad EMPLOYEE.salary update WHERE EMPLOYEE.manager = javad Saeed EMPLOYEE.name read Saeed EMPLOYEE.ssn update 18

Access rules at the external level External level access rules. Stored in an External Rules (ER) table Rules are either explicitly defined or derived from the underlying conceptual level access rules. The predicates in rules are a conjunction of a system predicate and a data predicate. When an ER is defined, it must be checked for consistency with both the access constraints (AC) and the underlying conceptual access rules Let <s i, e i, t i, p i > be an ER, where e i is a table or a field, the following two consistency conditions should be satisfied: 1- Consistency of the access rule with the access constraints specified for table t. 2- Consistency of the access rule with the underlying conceptual level rules. 19

Access Control in Woods model An access request is a 4-tuple <s,o,t,p >, p specifies the specific occurrence of o requested by s The model considers a close policy On the request, the system controls the existence of an ER, <s,o,t,p>, where s=s, o=o, t=t. If exists, then access is granted for the occurrences of o satisfying p and p. Then the intersection of p and p is computed and is substitute to p in the user query. The query on the external object e is transformed into the set of <operations, object-subset>, where an object-subset is a set of occurrences of conceptual-level objects corresponding e. Each <operations, object-subset> is then modified to be restricted by the predicates specified in the conceptual-level rules. 20

SQL DEPARTMENT EMPLOYEE () SQL!" A4 A1 A2 A3 DBA!" ( A1 #$ %& ' : DEPARTMENT EMPLOYEE GRANT CREATETAB TO A1; CREATE SCHEMA EXAMPLE AUTHORIZATION A1; :SQL2 21

() SQL *+, - %.! A2 %& A1 %1 2 A1. / % % :% 3" %.! 4" 2 A2 GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2; () SQL /56 -&.! A3 %& A1.! 7. 8 49% / % :% 3" SELECT GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTIONS; SELECT.! 2: A3 : / A4 EMPLOYEE GRANT SELECT ON EMPLOYEE TO A4; 22

() SQL SELECT.! 3 ;<: A1 : = ' A3 EMPLOYEE REVOKE SELECT ON EMPLOYEE FROM A3; () SQL SELECT.! A3 %& ' A1 /.! 4" >2 7. 8 '% EMPLOYEE.('? @ ) NAME % <<1 -&. A B/ A"? 4" : DNO = 5 % #$ ADDRESS BDATE CREATE VIEW A3EMPLOYEE AS SELECT NAME, BDATE, ADDRESS FROM EMPLOYEE WHERE DNO = 5; 23

() SQL " SELECT.! A3 2: A1 : /.! 4" >2 7. 8 '% A3EMPLOYEE GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION; <<1 2 #$ A4 % '. 8 %& A1 :% =: EMPLOYEE. SALARY GRANT UPDATE ON EMPLOYEE (SALARY) TO A4; 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback