Abstract
Security administration is harder in databases that have multiple layers of derived data, such as federations, warehouses, or systems with many views. Meta-data (e.g., security requirements) expressed at each layer must be visible and understood at the other layer. We describe several use cases in which layers negotiate to reconcile their business requirements. The sources must grant enough privileges for the derived layer to support the applications; the derived layer must enforce enough restrictions so that the sources’ concerns are met; and the relationship between the privileges at source and derived layer must be visible and auditable.
The guiding principle is that a security policy should primarily govern information; controls over source tables and views from which the information can be obtained are intended to implement such policies. We require a kind of global consistency of policy, based on what information owners assert about tables and views. Deviations are primarily a local affair, and must occur within safe bounds. Our theory examines view definitions, and includes query rewrite rules, differing granularities, and permissions granted on views. Finally, we identify open problems for researchers and tool vendors.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35508-5_22
Chapter PDF
Similar content being viewed by others
References
Castano, S., De Capitani di Vimercati, S. and Fugini, M.G. (1997). Automated derivation of global authorizations for database federations, Journal of Computer Security, 5 (4), pp. 271–301.
De Capitani di Vimercati, S. and Samarati, P. (1997). Authorization specification and enforcement in federated database systems,“ Journal of Computer Security, 5 (2), pp. 155–188.
Jajodia, S. and Meadows, C. (1995). Inference problems in multilevel secure database management systems. Information Security: An Integrated Collection of Essays (eds. M. Abrams et al.), IEEE Computer Society Press, pp. 570–584.
Oszu, T. and Valduriez, P. (1998). Principles of Distributed Database Systems. Prentice Hall.
Rosenthal, A. and Sciore, E. (1998). Propagating integrity information among interrelated databases. Proceedings of IFIP 11.6 Workshop on Data Integrity and Control. http://www.cs.bc.edurSciore/papers/IFIP98.doc.
Rosenthal, A. and Sciore, E. (1999). First-class views: A key to user-centered computing, ACM SIGMOD Record. http://www.cs.bc.edu/gciore/papers/fcviews.doc
Rosenthal, A., Sciore, E. and Gengo, G., (n.d.). Demonstration of Multi-Layer Metadata Management (html, gzipped) and Warehouse Metadata Tools: Something More Is Needed, http://www.cs.bc.edu/gciore/papers/demo.zip and http://www.cs.bc.edu/gciore/papers/mdtools.doc.
Srivastava, J., et al. (1996). Answering queries with aggregation using views. VLDB, pp. 318–329.
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2000 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Rosenthal, A., Sciore, E., Doshi, V. (2000). Security Administration for Federations, Warehouses, and Other Derived Data. In: Atluri, V., Hale, J. (eds) Research Advances in Database and Information Systems Security. IFIP — The International Federation for Information Processing, vol 43. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35508-5_14
Download citation
DOI: https://doi.org/10.1007/978-0-387-35508-5_14
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6411-6
Online ISBN: 978-0-387-35508-5
eBook Packages: Springer Book Archive