MLS Access Control Rules


All operations of the Trusted RUBIX DBMS have been integrated with the MLS Security policy, including all SQL operations. All DBMS objects (database, catalog, schema, view, table, index, row) are assigned an MLS label. The rules governing the general behavior of the MLS Security policy are:

  • Newly created objects are assigned the label of the creating subject.
  • A subject may read an object if the subject's label dominates the object's label.
  • A subject may update an object if the subject's label is equal to the object's label.
  • A subject may create a child object within a parent object (e.g., a row within a table or a table within a schema) if the subject's label dominates the parent object. The child will be assigned the label of the creating subject.

The following table enumerates the MLS access control rules for each SQL operation.

| SQL Statement | MLS Access Control Rules | MLS Outcome |
|---|---|---|
| ALTER TABLE | Session >= database; Session >= parent catalog; Session >= parent schema; Session = table; Session = table referenced by a foreign key | Table sensitivity label is unchanged. |
| CONNECT | Session >= database | The session sensitivity label for the connecting user is assigned from the label of the operating system connection (e.g., socket label). |
| CREATE CATALOG | Session >= database | New object labeled with the session sensitivity label. |
| CREATE DATABASE | Any Sensitivity label | New object labeled with the session sensitivity label. |
| CREATE INDEX | Session >= database; Session >= parent catalog; Session >= parent schema; Session = table | New object labeled with the session sensitivity label. |
| CREATE SCHEMA | Session >= database; Session >= parent catalog | New object labeled with the session sensitivity label. |
| CREATE TABLE | Session >= database; Session >= parent catalog; Session >= schema; Session = table referenced by a foreign key | New object labeled with the session sensitivity label. |
| CREATE VIEW | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table; Session >= view | New object labeled with the session sensitivity label. |
| DELETE | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table, [view]; Session = row | Delete rows at session sensitivity label. |
| DROP CATALOG | Session >= database; Session = catalog; Session = any schema, table, or view inside of the catalog; Session = any view that references a table and/or view inside of the catalog | The catalog and all containing objects (if cascade option specified) are dropped. |
| DROP DATABASE | Session = database | All objects in the database are destroyed. |
| DROP INDEX | Session >= database; Session >= parent catalog; Session >= parent schema; Session = index | Drop the specified index. |
| DROP SCHEMA | Session >= database; Session >= parent catalog; Session = schema; Session = any table or view inside of the schema; Session = any view that references a table and/or view inside of the schema | The schema and all containing objects (if cascade option specified) are dropped. |
| DROP TABLE | Session >= database; Session >= parent catalog; Session >= parent schema; Session = table; Session = any view referencing the table | The table, all indices, and all rows are dropped. All referencing views are dropped (if cascade option specified). |
| DROP VIEW | Session >= database; Session >= parent catalog; Session >= parent schema; Session = view; Session = any view referencing the view | The view is dropped. All referencing views are dropped (if cascade option specified). |
| GRANT | Session >= parent object(s); Session = object | Privileges valid for all sensitivity labels that may access object. |
| INSERT | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table, [view] | New object labeled with the session sensitivity label. |
| REVOKE | Session >= parent object(s); Session = object | Privileges revoked are applicable for all sensitivity labels that may access object. |
| SELECT | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table, [view]; Session >= row | Rows dominated by session sensitivity label are returned. |
| SET CATALOG | Session >= database; Session >= catalog | Specified catalog name used as default catalog name for all future SQL operations. |
| SET SCHEMA | Session >= database; Session >= parent catalog; Session >= schema | Specified schema name used as default schema name for all future SQL operations. |
| UPDATE | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table, [view]; Session = row | Rows at the session sensitivity label are updated. |
| sub-query* | Session >= database; Session >= parent catalog; Session >= parent schema; Session >= table, [view]; Session >= row | Rows dominated by session sensitivity label are returned for the sub-query. |
 
* A sub-query is an implied operation on any delete, update, or select operation that includes a where clause and any insert operation that has a select clause.
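
The row-level rules for SELECT, UPDATE and INSERT, modeled in Python as an added example (this is not Trusted RUBIX code). The label structure (a hierarchical level plus a category set), the level names, the function names and the sample rows are all assumptions, since the page does not define the label format.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}  # assumed hierarchy

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Level at least as high AND a superset of the other's categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def require_parents(session, parents):
    # Every row operation first needs Session >= database, catalog, schema, table.
    if not all(session.dominates(p) for p in parents):
        raise PermissionError("session label does not dominate a parent object")

def select(session, parents, rows):
    # SELECT: Session >= row. Rows that are not dominated are not returned.
    require_parents(session, parents)
    return [r["value"] for r in rows if session.dominates(r["label"])]

def update(session, parents, rows, value):
    # UPDATE: Session = row. Dominated rows at a lower label are left untouched.
    require_parents(session, parents)
    hits = [r for r in rows if r["label"] == session]
    for r in hits:
        r["value"] = value
    return len(hits)

def insert(session, parents, rows, value):
    # INSERT: the new row takes the session label.
    require_parents(session, parents)
    rows.append({"label": session, "value": value})
    return rows[-1]["label"]

def sample_rows():
    # Constructed sample data: one table holding rows at four labels.
    return [
        {"label": Label("UNCLASSIFIED"), "value": "u"},
        {"label": Label("SECRET"), "value": "s"},
        {"label": Label("SECRET", frozenset({"NUC"})), "value": "s-nuc"},
        {"label": Label("TOP_SECRET"), "value": "ts"},
    ]

PARENTS = [Label("UNCLASSIFIED")] * 4  # database, catalog, schema, table (constructed)
```

A session at `TOP_SECRET` with no categories still does not see the `SECRET` row carrying the `NUC` category, because dominance requires both the level and the category check to pass.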