In: Proc. 12th IEEE Int. Conf. on Data Engineering (ICDE’96), New Orleans, Luisiana, USA, Feb. 1996, IEEE Computer Society Press, 1996
Authorization and Access Control in IRO-DB *) W. Eßmayr 1) , F. Kastner 1), G. Pernul 2), S. Preishuber 1), A M. Tjoa 3) 1)
Research Institute for Applied Knowledge Processing Softwarepark Hagenberg Hauptstraße 99, A-4232 Hagenberg, Austria e-mail: {wolfgang, fritz, spr}@faw.uni-linz.ac.at 2)
Information Systems Department University of Essen Altendorfer Straße 97, D-45143 Essen, Germany e-mail:
[email protected] 3)
Institute of Software Technology Technical University of Vienna Resselgasse 3, A-1040 Vienna, Austria e-mail:
[email protected] Abstract The paper describes authorization and access control in the IRO-DB database system, a system supporting interoperable access between relational and object-oriented databases. The security policy developed is a federated, administrative discretionary access control policy which supports positive, negative, as well as implied authorization, includes a procedure for conflict resolution within the set of specified authorization rules, and concentrates on role-based security.
1 Introduction An increasing number of database applications need to work on data which are stored by using several different file systems or are spread over existing possibly heterogeneous databases. This has led to a lot of research and classifications in the field of heterogeneous database systems, database federations,
*)
This work is supported by European ESPRIT III, project Nr. 8629.
multidatabases, and interoperable systems. A classification of federated database systems (FDBS) depending on the management of the federation is given in [15]. A federated database system (FDBS) consists of a uniform interoperable layer consisting of integrated component database systems (CDBSs) and gives the users the illusion of a homogeneous central database system. FDBSs may be characterized as loosely coupled or tightly coupled (comp. [15]). This classification depends on the management of the federation. In a loosely coupled federation the user is responsible to create and maintain the federation and no control is enforced by the federated system and its administrator(s), whereas in a tightly coupled federation the administrator(s) are responsible for creating and maintaining the federation and actively control the component databases (CDBSs). IRO-DB (interoperable relational and objectoriented databases) is a FDBS which provides access to several heterogeneous relational and object-oriented CDBSs. One of the most important issues in IRO-DB is
and also the viewpoints of several authors are summarized. Interdatabase dependencies in multidatabase environments are specified in [14]. The authors consider dependency specifications, mutual consistency requirements, and consistency restoration techniques for maintaining consistency of related data in multidatabases. Pernul ([12]) discusses integration of heterogeneous access control strategies, in particular discretionary and mandatory protected CDBSs, in a database federation. His work is within the AMAC access control technique.
security, i.e. the development and implementation of authorization and access control mechanisms in order to protect the information and to restrict user access according to the security policy of the organization. In this paper we describe the security subsystem of IRO-DB, in particular its access control concepts included in the interoperable layer; authorization propagation between users; positive, negative and implied authorizations, and role-based access controls. In general, authorization models for databases may be discretionary or mandatory. Discretionary access controls (DAC) assume the ownership of information by users or a central authority and access to information may be granted and revoked from the users. Mandatory access controls address a higher degree of security as they additionally control the flow of information between users. They assume data at different classification levels and a level-based security policy. Within IRO-DB we deal with DAC-based protection only.
Related to our work are also some approaches made for access control in homogeneous central database management systems. In [5] an authorization model for object-oriented databases is developed. This authorization model contains user access control and administration of authorization and consists of a set of policies, a structure for authorization rules and algorithms to evaluate access requests against the authorization rules. In [6] the authors deal with user group structures in object-oriented database authorization. A generalized approach to user group structures based on object-oriented concepts is presented. Nyanchama and Osborn ([11]) present access rights administration in role-based security systems. They develop a model for role organization using graph theory. An authorization model for database systems which support object-oriented concepts as well as semantic data modeling concepts is presented in [2] and [3]. Special effort is given to the development of computing implicit authorizations from an explicitly defined authorization.
The outline of this paper is as follows: In the remaining part of section 1 we discuss related work. In section 2 we give a general overview of the IRO-DB architecture and show how the security subsystem fits into it. Section 3 deals with the major design choices in the security subsystem we had to decide. Some crucial points are role-based protection, granularity of authorization objects, authorization subjects, authorization types, and negative authorization. In section 4 we discuss the implication rules for implied authorizations and section 5 consists of the conclusion.
The work reported in this paper extends previous work by developing an integrated authorization and access control policy for interoperable relational and object-oriented databases. The major components of this policy are
Related Work Although considered as an important topic for general databases (for example, see [13]) providing security and access controls in an interoperable heterogeneous database environment has not been studied frequently in the literature so far. Wang and Spooner ([16]) were the first who address discretionary access control in heterogeneous database management systems. They propose a solution to the problems of content-dependent access control in a heterogeneous database by introducing views and present a framework for investigation of further security issues. Jonscher and Dittrich ([8], [9]) discuss confidentiality for database federations enforced by discretionary access control. They present the CHASSIS project which aims at providing an integration framework to support the secure construction and operation of interoperable information systems. A panel contribution on security issues for federated database systems is given in [10]
• a mixed administration and ownership paradigm for authorization propagation, • positive and negative authorization rules and related conflict resolution, • implied authorization through the structuring of subjects, objects, access types, as well as database federations, and • role-based access controls for database federations.
2 General overview 2.1 The IRO-DB architecture
2
The goal of IRO-DB is to provide homogeneous access to heterogeneous and distributed databases. To fulfill this demand a three-layered architecture was chosen consisting of a local layer, a communication layer and an interoperable layer (see [7] for details).
The IRO-DB security subsystem can be characterized as a Federated Administrative Discretionary Access Control (FADAC) system which is a combination of ownership and administration paradigm together with an integration of local authorizations.
The local layer supports access to heterogeneous component database systems on the basis of a uniform data model (ODMG, compare [1]). The local database adapters translate local database schemata into ODMG compliant schemata and local results into ODMG objects. The communication layer provides services for remote database and object access. These services are used for exchanging local schemata with the interoperable layer and for query and result management. The interoperable layer integrates the various local schemata into an interoperable schema which is able to combine related data from the local databases and to overcome inconsistencies in structure, naming, scaling behavior and semantics.
• Usually, in discretionary access controls each authorization object (e.g. a database, a class, an instance of a class etc.) is owned by the creator of the object (e.g. a user, a role etc.). The owner has unrestricted access to his/her authorization objects. Additionally, owners have the right to delegate access under their discretion to other authorization subjects. Although this concept is very flexible in administrating authorizations it seems to be dangerous for database federations to leave security administration in the hand of a possibly large number of users distributed over several CDBSs. • In administrative systems the granting of authorizations is centralized in the hand of an administrative authority and not decentralized in the hand of local users. Following the administration paradigm intends to prevent the well known problems of cascading and cyclic authorizations and addresses the need to administer security issues properly in a federation of many CDBSs. Combining the administration paradigm with the ownership paradigm tries to preserve flexibility and prevents the case, that authorization subjects initially have no access to authorization objects they just created.
The IRO-DB security system (ISS) is located at the interoperable layer and communicates with the user application in providing identification and authentication mechanisms, with the interoperable query processor and the interoperable object manager in providing access control features and with the interoperable data dictionary from which information about authorization subjects, objects and rules is retrieved.
3 Design choices of the IRO-DB security system (ISS)
• Additionally, FADAC has to deal with the integration of local authorizations which are most likely heterogeneous in structure and possibly make use of different concepts. As pointed out by Jonscher and Dittrich ([8]) this is a central requirement because in order to enforce elaborated security policies the ISS has to provide powerful access control concepts at the interoperable layer with the aim to ensure consistency between global and local authorization states.
In a previous work ([4]) we proposed a taxonomy of necessary design choices for developing an access control system in federated database environments. Based on this work the particular design choices meeting the specific requirements of the IRO-DB security system evolved and are presented in detail in the following sub-sections. Sub-section 3.1 explains the basic concepts of the ISS which uses role-based, administrative, discretionary access controls and federates heterogeneous, local access control systems. Sub-section 3.2 describes the structure of authorization rules and sub-section 3.3 explains the features of combining administration and ownership paradigm. Also related is sub-section 4.5 which gives a conflict resolution schema necessary to resolve conflicting authorizations.
The ISS assumes a closed world for security reasons meaning that a request is prohibited unless a positive authorization can be inferred. Additionally, we use a mixed system in the sense that positive and negative authorizations (permissions and prohibitions) for accessing authorization objects may be granted to authorization subjects. Negative authorizations augment the flexibility of the security system since they allow to exclude particular subjects from a particular type of access. Negative authorization rules can also be used to stop the sequence of implications along any of the implication domains (see section 4). Furthermore,
3.1 Basic concepts
3
In: Proc. 12th IEEE Int. Conf. on Data Engineering (ICDE’96), New Orleans, Luisiana, USA, Feb. 1996, IEEE Computer Society Press, 1996
related-class
User
has-a
name
authorized-to
Class
Role name
access
name compclass
type
plays-a
sub-role
sub-class
Figure 1: Security Meta Classes of the IRO-DB security system
types for handling schema modifications are Read Definition (RD), Write Definition (WD), Create Definition (CD) and Delete Definition (DD)). Finally, ownership (O) is the most powerful authorization type which implies all other possible types.
the concept of implied authorization is used which leads to a reduced number of explicit authorizations and a set of implicit authorizations which can be inferred using implication rules. Due to the existence of the concepts of ownership, implied, positive and negative authorizations several conflicts may arise which are solved with a conflict resolution schema (see sub-section 4.5).
3.2 Authorization rules
The ISS consists of several security meta classes which can be illustrated together with their relationships as shown in Figure 1.
An IRO-DB authorization rule is defined as a triple ( s, t , o ) , where
Roles are the authorization subjects (AS) of IRODB and are regarded as jobs describing what has to be done regardless of who does it. Roles should have exactly those authorizations that are needed to fulfill the duties of the job (principle of least privilege). A role hierarchy can be designed using the sub-role relationship which reflects the organizational and functional structure of a company. Users are the existing persons of the system and need to play a role in order to access data. They can choose among several roles they have but may only play one role at a time. This policy prevents authorization conflicts among the roles of a user and it seems to be no limitation to real-life situations as long as users can easily change the role they have to play. The authorization objects (AO) of IRO-DB are classes which may, according to ODMG, be structured with relationships (related-class), with a class hierarchy (sub-class) and a class composition hierarchy (compclass). Authorizations may also be granted to higher level authorization objects (e.g. database, database system or federation) which mainly represent authorizations for sets of classes. The authorization type (AT) with which a role may access a class can either be Read (R), Write (W), Create (C) and Delete (D) for covering relational CDBSs, or method-access for covering object-oriented CDBSs. The
s ∈ S , the set of authorization subjects (roles), t ∈ T , the set of authorization types (e.g. R, W, C, D...) and o ∈ O , the set of authorization objects (e.g. class, database...). A positive authorization ( s, t , o ) means that subject s is permitted to access authorization object o with type t. Additionally, negative authorization rules may be specified which are of the form ( s, ¬t , o) meaning that subject s is prohibited to access the authorization object o with type t. An authorization base (AB) is a set of authorizations ( s, t , o ) with t positive or negative; that is, AB ⊆ S × T × O . Predicates are not included in the authorization rule because of the existence of derived classes at the interoperable layer, which are an IRO-DB extension to ODMG. These classes are primarily used to integrate different local import schemata into an interoperable schema. As derived classes determine their instances by executing an OQL query, they also can be used to provide view-based protection which allows for any predicate that can be realized in an OQL statement. Furthermore, methods can be used to realize very specific predicates, if needed.
3.3 Combining administration and ownership paradigm
specified authorization may imply authorizations along any combination of the three parameters in an authorization rule, namely, the subject, type, and object. This is realized by introducing rules for implicit authorizations which can be computed from the set of explicit authorizations defined in the authorization base.
As mentioned earlier we choose a combination of administration and ownership paradigm. Ownership paradigm in IRO-DB means the following: • The role that creates an authorization object becomes its owner (a corresponding authorization rule with type ownership is added automatically to the authorization base). • Each authorization object has to be owned by at least one role.
4.1 Implications at the AS domain
• authorization objects may be owned by more than one role (shared ownership).
The role hierarchy (RH) Roles are organized in a RH where each role may have a set of more specific sub-roles and exactly one super-role (except for the root). The hierarchy represents is-a relationships between the sub-roles and the superrole.
• If an authorization object is deleted all corresponding authorization rules have to be removed from the authorization base. • An ownership authorization does not imply the ability to change authorization rules, i.e. to delegate authorizations to other authorization subjects.
Rule 1: An authorization for a role r implies authorizations of the same type (positive or negative) for all of the sub-roles of r.
The ISS stores the security relevant information in security meta classes in the IRO-DB home database. Therefore, the security system can be administered and protected with its own security mechanisms. For this reason administrative roles have to exist and the security system has to guarantee that at least one role having at least one user associated with it is able to edit the authorization base. The administration of security in IRO-DB consists of the following tasks:
Person
Employee
Worker
• adding, removing, and modifying users,
Designer
Planner
Figure 2: Example for a role hierarchy.
• associating users to roles, • adding, removing, and modifying roles in the role hierarchy, and
In the example above an authorization (Employee, t, o) implies the authorizations ({Worker, Designer, Planner}, t, o).
• adding, removing, and modifying authorization rules in the authorization base.
4.2 Implications at the AT domain
The administration of security in IRO-DB can be anything, from centralized (only one role has access to the security meta classes) to decentralized (access to the security meta classes is spread over several roles), depending on which policy is preferred. But it has to be thoroughly considered which of the roles receive rights to access the security meta classes since they are the key to the administration of the IRO-DB security system.
The authorization type hierarchy (ATH) There are different implications for positive respectively negative authorization types since, for instance, a permission to read (R) an AO requires the permission to read the definition (RD) of that AO, whereas the prohibition to read ( ¬ R ) an AO should not result in the prohibition to read the definition ( ¬ R D ) of that AO.
4 Implication rules
Rule 2: The permission O (ownership) implies the permissions R,W,C,D,WD,CD,DD and the permissions to execute any of the set of methods of a class. Each of the latter permissions additionally implies the permission RD.
The concept of implied authorization is used to reduce the number of explicit authorizations in an authorization base. The idea is not new (for example, see [2]) and it means that an authorization of a certain type defined for a role on a certain database object implies other authorizations. In IRO-DB an explicitly
5
O
federation (set) dbs (set)
R
W
C
D
W D CD
DD
s e t< m e th o d >
db (set) class (set, set)
RD
attribute
instance (set)
Figure 3: Implications for positive authorization types.
attribute-value
Figure 5: The granularity hierarchy at authorization object domain.
Rule 3: The prohibition ¬O implies the prohibition ¬RD (and vice-versa) which again implies the prohibitions of all other authorization types and the prohibition to execute any of the set of methods of a class.
A federation consist of a set of database systems joining the federation including the home database system of IRO-DB. Each database system consists of a set of databases, each database of a set of classes. A class consists of a set of attributes and a set of instances and each instance contains a set of attribute values.
O RD
R W C
D WD CD
DD
Rule 5: An authorization on a particular AO of a certain level of the GH implies authorizations of the same type (positive or negative) on each of the AOs on the lower levels of the GH.
set
Figure 4: Implications for negative authorization types.
An authorization on a database, for instance, implies the same authorizations for all classes of that database and furthermore, for all attributes and attribute values of all instances of these classes.
Rule 4: An authorization to execute a method m of a class c temporarily implies authorizations to access all classes referenced and to execute all methods called within the scope of m for the time of executing m.
The class hierarchy (CH) IRO-DB follows the object database standard of ODMG (compare [1]) which allows for a CH with multiple inheritance. Hence, a class may have a set of more specific sub-classes and a set of more general super-classes associated with the is-a relationship.
4.3 Implications at the AO domain The granularity hierarchy (GH)
Rule 6: An authorization on a class c implies authorizations of the same type (positive or negative) on all of the sub-classes of c.
As mentioned above, the ISS allows authorizations on four levels of the GH, namely, federation, database system, database, and class. Additionally, the GH consists of the items instance, attribute, and attribute value as illustrated in Figure 5. The dotted arrows symbolize that these implications can not be overridden at the lower levels like instance, attribute, or attribute value since these levels are no authorization objects in IRO-DB. Thus, an authorization on a class always implies an authorization of the same type on all the attributes and all the instances with their attribute values of that class. Methods are regarded as authorization types rather than authorization objects in IRO-DB.
We choose this full inheritance paradigm for simplicity and clearness of the concept of implied authorization although it may be argued that sub-classes are more specific and authorizations therefore should not be fully propagated to them. In our opinion the full inheritance paradigm corresponds to the object-oriented paradigm in the most proper way. The class composition hierarchy (CCH) A class is composed of a set of attributes which may themselves be classes. The CCH is a hierarchy that captures the is-part-of relationship between classes where the root is a composite class, and all other classes
6
derived classes at the interoperable layer. The scope of a derived class dc ∈ DC is defined as the set of import classes { ic , ... , ic } ⊆ IC from which dc is either
of the hierarchy are component classes. The idea is that an AS should have access to an instance of a composite class as a whole including all instances of the component classes which are part of the composite class. On the other hand, the AS should not have direct access to the component classes which might have instances that are not part of the composite class.
1
n
directly or indirectly derived. Furthermore, we define RoleAB ⊆ R × T × DC as the set of authorizations for interoperable roles on derived classes and UserAB ⊆ U × T × IC as the set of authorizations for any of the local users on imported classes. Rule 9: For u ∈ U , r ∈ R , t ∈ T , and dc ∈ DC , a user u is only allowed to have a role r if for any authorization ( r , t , dc ) ∈ RoleAB a set of authorization rules {(u, t , Scope( dc ))} ⊆ UserAB exists.
Rule 7: A positive authorization on a composite class c implies authorizations on those instances of the component classes that are part of c. Instances of a composite class contain references to instances of the component classes which may be dereferenced without checking (indirect access of the component classes). However, an authorization on a composite class c does not imply authorizations on the component classes of c.
That means that a user if willing to play a role that is authorized to access a derived class dc has to be authorized for any of the imported classes from which dc is derived.
Rule 8: A negative authorization on a component class c’ implies a negative authorization of the same type on the composite class which c’ is part of.
4.5 Conflict resolution schema
If an AS is explicitly prohibited to access one of the components of a composite class c the AS has to be denied to access c in order to prevent indirect access of instances of the component classes.
The ISS uses a simple schema to resolve conflicts resulting from competing authorizations due to the concepts of ownership, negative, and implied authorizations. The schema consists of three policies:
Note that relationships among classes (relatedclass) are treated in the same way as stated for the class composition hierarchy in this sub-section.
• Ownership takes the highest priority.
4.4 Implications at the federation domain One major task of the ISS is the integration of authorizations defined for component databases at a local level. Local authorization systems may be structured heterogeneously and may support different security mechanisms and policies. At this stage of the project we consider only CDBSs that are not role-based and support discretionary access controls. This is legitimate since IRO-DB aims at integrating existing, relational, and object-oriented database systems which mostly do not support roles.
• Negative authorizations override authorizations (for security reasons).
positive
• Explicit authorizations override authorizations (intent of the grantor).
implicit
request
negative positive ownership ownership deny
allow
explicit negative
explicit positive
implicit negative
implicit positive
deny
allow
deny
allow
deny
Figure 6: The ISS conflict resolution schema
Conclusions In this paper we described the security subsystem developed for the federated database system IRO-DB. We addressed authorization problems which are common to FDBSs as well as those which are specific for the IRO-DB security system (ISS). The ISS is a federated, administrative, discretionary access control (FADAC) system which is based on a closed world assumption and combines the ownership paradigm and
The class derivation hierarchy (CDH) The ISS has to ensure that authorizations for a local user correspond to the authorizations for the interoperable roles the user is allowed to play, i.e. no user should be able to achieve more privileges when playing an interoperable role. Let U be the set of all local users, R the set of roles at the interoperable layer, T the set of authorization types, IC the set of imported classes and DC the set of
7
Oriented Databases. IEEE Trans. on Knowl. & Data Eng., Vol. 6, No. 2, 1994.
the administration paradigm. This combination helps to overcome the disadvantages of both paradigms. The IRO-DB security system supports positive as well as negative authorizations, includes implication rules for implied authorizations, and a procedure for conflict resolution. Apart from the usual authorization types we support also method authorizations as we assume heterogeneous CDBSs (relational as well as object-oriented). The ISS is role-based and supports authorizations on classes, databases, database systems and the federation. Predicates are realized with the concept of derived classes which determine their instances by executing OQL queries. The IRO-DB system as well as its authorization and access control subsystem is currently under implementation. Future work will concentrate on providing dynamic implication rules for the concept of implied authorization. This will be a significant improvement of interoperability since CDBSs will independently specify the precise effects of authorization implications.
Fernandez, E.B., Gudes, E. and Song, H., A Model for Evaluation and Administration of Security in Object-
[9]
Jonscher, D. and Dittrich, K.R., An Approach for Building Secure Database Federations. Proc. 20th Int. Conf. on Very Large Databases (VLDB), Santiago, Chile, 1994.
[15] Sheth, A.P. and Larson, J.A., Federated Database Systems for Managing Distributed, Heterogeneous, and Autonomous Databases. ACM Computing Surveys, Vol.22, No.3, 1990.
Bertino, E., Origgi, F., Samarati, P., A New Authorization Model for Object-Oriented Databases. Database Security VIII, pp. 199-222. J. Biskup, M. Morgenstern, C. E. Landwehr (Eds), North-Holland, 1994.
[5]
Jonscher, D. and Dittrich, K.R., Access Control for Database Federations. DBTA Workshop on Interoperablity of Database Systems and Database Applications, Fribourg, 1993.
[14] Rusinkiewicz, M., Sheth, A.P. and Karabatis, G., Specifying Interdatabase Dependencies in a Multidatabase Environment. IEEE Computer, 1991.
Bertino, E., Kim, W., Rabitti, F. and Woelk, D., A Model of Authorization for Next-Generation Database Systems. ACM ToDS, Vol. 16, No. 1, 1991.
Eßmayr, W., Kastner, F., Pernul, G., Preishuber, S., and Tjoa, A M. (1995) Access Controls for Federated Database Environments. Proc. Joint IFIP TC 6 and TC 11 Working Conf. on Communications and Multimedia Security, Graz, Austria, Sept. 1995.
[8]
[13] Pernul, G., Database Security. In: Advances in Computers, Vol.38, pp. 1-72. (M. C. Yovits, ed.). Academic Press, 1994.
Atwood, T., Duhl, J., Ferran, G., Loomis, M., and Wade, D., The Object Database Standard: ODMG-93, Release 1.1. Morgan Kaufmann Publishers, San Francisco, California, 1993.
[4]
G. Gardarin, S. Gannouni, B. Finance, P. Fankhauser, W. Klas, D. Pastre, R. Legoff, A. Ramfos. IRO-DB: A Distributed System Federating Object and Relational Databases. In O. Bukhres and A.K. Elmargarmid, ed., Object-Oriented Multidatabase Systems, Prentice Hall, Sept. 1994.
[12] Pernul, G., Canonical Security Modeling for Federated Databases. Proc. of IFIP TC2/WG 2.6 Conf. on Semantics of Interoperable Database Systems (DS'5), Lorne, Australia, Nov. 1992.
References
[3]
[7]
[11] Nyanchama, M., Osborn, S., Access Rights Administration in Role-Based Security Systems. Proc. IFIP WG 11.3 Database Security, 1994. In: Database Security VIII, Status and Prospects (J. Biskup, M. Morgenstern, C. E. Landwehr, Eds). North Holland (Elsevier), 1994.
We further acknowledge the comments of E. B. Fernandez given on an earlier version of this paper.
[2]
Fernandez, E.B., Wu, J., and Fernandez, M.H., User Group Structures in Object-Oriented Database Authorization. Proc. IFIP WG 11.3 Database Security, 1994. In: Database Security VIII, Status and Prospects (J. Biskup, M. Morgenstern, C. E. Landwehr, Eds). North Holland (Elsevier), 1994.
[10] Morgenstern, M., Lunt, T.F., Thuraisingham, B. and Spooner, D.L., Security Issues in Federated DBSs: Panel Contributions. Proc. of the Working Conference of the IFIP WG 11.3 on Database Security, 1992.
Acknowledgments: The authors would like to thank all partners of IRO-DB ESPRIT-III, a joint project of GMD-IPSI (Germany), Ibermática (Spain), Intrasoft (Greece), EDS, EURIWARE, PRISM, O2 Technology (France), GOPAS (Germany), and FAW Linz (Austria), for many interesting discussions on technical meetings.
[1]
[6]
[16] Wang, C.Y. and Spooner, D.L., Access Control in a Heterogenous Distributed Database Management System. Proc. Sixth Symp. on Reliability in Distributed Software and Database Systems, IEEE Computer Society Press, 1987.
8
