
Associating Policy with DBMS Objects

Trusted RUBIX ABAC policies are stored as text-based XML files. They may be created and edited with any XML editor, on any platform by any user.


Once the XML policy files have been finished, they would generally be submitted to a Security Administrator for review. The Security Administrator would review the policy files for correctness and then add them to the Trusted RUBIX Policy Repository using a Trusted Administrative command. Policy that is in the Policy Repository but has not been applied to a Trusted RUBIX object will not have any effect upon the database.


Once an XML policy file has been added to the Policy Repository, it may then be applied to Trusted RUBIX objects. Policies are applied to named Trusted RUBIX objects by the Security Administrator using a Trusted Administrative command. Once applied, a policy immediately begins controlling access to the objects it is associated with. Policy may be applied and removed in real time, allowing dynamic policy behavior.


Each policy has an attribute indicating the scope of the policy. A policy scope may be either Node or SubTree. If a policy has a scope of Node, then it controls only the object to which it has been applied. If the policy has a scope of SubTree, then it controls all objects in its sub-tree that do not have a directly applied policy. An object without a directly applied policy is controlled by the SubTree-scoped policy that has been applied to its closest ancestor.
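
As an added example (not Trusted RUBIX code; no real Trusted Administrative command is modelled), the Python below resolves which policy controls an object under the Node/SubTree rules just described. The `Policy`, `DbObject` and `controlling_policy` names and the catalog/schema/table hierarchy are constructed for illustration; it also shows the edge case where a Node-scoped policy on an ancestor is skipped and control falls through to a higher SubTree policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical in-memory model of the Node/SubTree rules (illustration only,
# not Trusted RUBIX code). Object and policy names are constructed samples.

@dataclass
class Policy:
    name: str
    scope: str  # "Node" or "SubTree"

@dataclass
class DbObject:
    name: str
    parent: Optional["DbObject"] = None
    applied: Optional[Policy] = None  # policy applied directly to this object
    children: List["DbObject"] = field(default_factory=list)

    def add_child(self, child: "DbObject") -> "DbObject":
        child.parent = self
        self.children.append(child)
        return child

def controlling_policy(obj: DbObject) -> Optional[Policy]:
    """Resolve which policy controls obj.

    A directly applied policy (either scope) wins. Otherwise walk up the
    ancestors and take the first SubTree policy; a Node policy on an ancestor
    is skipped because it controls only the object it was applied to.
    Returns None when no policy reaches obj (the object is uncontrolled).
    """
    if obj.applied is not None:
        return obj.applied
    node = obj.parent
    while node is not None:
        if node.applied is not None and node.applied.scope == "SubTree":
            return node.applied
        node = node.parent
    return None

def build_sample_tree() -> dict:
    """Constructed hierarchy: one catalog, three schemas, one table each."""
    catalog = DbObject("Catalog", applied=Policy("Policy 1", "SubTree"))
    s1 = catalog.add_child(DbObject("Schema 1", applied=Policy("Policy 2", "Node")))
    s2 = catalog.add_child(DbObject("Schema 2"))
    s3 = catalog.add_child(DbObject("Schema 3", applied=Policy("Policy 3", "SubTree")))
    t1, t2, t3 = [s.add_child(DbObject(f"Table {i}")) for i, s in enumerate((s1, s2, s3), 1)]
    return {o.name: o for o in (catalog, s1, s2, s3, t1, t2, t3)}
```

In the sample tree, "Table 1" sits under "Schema 1", whose Node-scoped "Policy 2" does not reach it, so it is controlled by the catalog's SubTree-scoped "Policy 1".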


The following diagram illustrates applying policy with scopes of both Node and SubTree. The color of each object node corresponds to the policy that controls it. For example, the 'Schema 3' object is yellow, which indicates it is controlled by 'Policy 3', which is also yellow.