| Elisa Bertino, Claudio Bettini, Elena Ferrari, Pierangela Samarati, "A Temporal Access Control Mechanism for Database Systems," IEEE Transactions on Knowledge and Data Engineering, vol. 8, no. 1, pp. 67-80, February, 1996. | |||
Abstract—This paper presents a discretionary access control model in which authorizations contain temporal intervals of validity. An authorization is automatically revoked when the associated temporal interval expires. The proposed model provides rules for the automatic derivation of new authorizations from those explicitly specified. Both positive and negative authorizations are supported. A formal definition of these concepts is presented in the paper, together with the semantic interpretation of authorizations and derivation rules as clauses of a general logic program. Issues arising from the presence of negative authorizations are discussed. We also allow negation in rules: it is possible to derive new authorizations on the basis of the absence of other authorizations. The presence of this type of rule may lead to the generation of different sets of authorizations, depending on the evaluation order. An approach is presented, based on establishing an ordering among authorizations and derivation rules, which guarantees a unique set of valid authorizations. Moreover, we give an algorithm that detects whether such an ordering can be established for a given set of authorizations and rules. Administrative operations for adding, removing, or modifying authorizations and derivation rules are presented, and efficiency issues related to these operations are also tackled in the paper. A materialization approach is proposed that allows access control to be performed efficiently.

