
Discretionary Access Control


Discretionary Access Control (DAC) is a means of restricting access to objects based on the identity of users and/or the groups to which they belong. The controls are discretionary in the sense that a user who holds a certain access privilege is capable of passing that privilege on to any other user. Operations on Trusted RUBIX databases, catalogs, schemas, tables, indexes, views, table columns and view columns are controlled by DAC policy.


The discretionary access controls of Trusted RUBIX are characterized in terms of subjects, named objects, and the operations which subjects can perform upon named objects. Subjects hold certain access privileges with respect to the named objects maintained by Trusted RUBIX. Privileges for a named object are propagated either by a user holding the WITH GRANT OPTION on a privilege (initially only the object's creator) or by a database administrator. The exception to this is the NULL privilege, which overrides all other privileges and denies all access by the subject to the object. Because the NULL privilege removes all access to an object, it has no corresponding WITH GRANT OPTION. To give the NULL privilege to someone, the GRANTNULL privilege is required. The GRANTNULL privilege does have a WITH GRANT OPTION associated with it.


Discretionary security is enforced in Trusted RUBIX by allowing users to specify which users and groups are authorized to perform specific operations on particular objects. Different access privileges control different operations. To modify the privileges on an object, the user's session sensitivity label must equal the object's sensitivity label.


Each Trusted RUBIX table has an access control list (ACL) that specifies the distribution of DELETE, SELECT(I), INSERT(I), UPDATE(I), REFERENCES(I), CRVIEW(I), REFVIEW(I), NULL(I), and GRANTNULL(I) privileges. Each Trusted RUBIX view has an ACL that specifies the distribution of DELETE, SELECT(I), INSERT(I), UPDATE(I), CRVIEW(I), NULL(I), and GRANTNULL(I) privileges. The PRIVILEGE(I) form of these privileges permits the subject PRIVILEGE access to column "I" of a table or view.


Each Trusted RUBIX database, catalog, and schema has an ACL that specifies the distribution of READ, WRITE, EXEC, NULL, and GRANTNULL privileges. In addition, the database object has the ADMIN privilege which allows dropping the database.


When calculating a user's effective privileges on an object, the NULL privilege negates all other privileges: it overrides them and explicitly denies all access by the subject to the object. For instance, if a user has both the SELECT and NULL privileges on the columns of a table, the NULL privilege takes precedence and the user will not be able to select from the table. If the NULL privilege were revoked, the user would then be able to select from the table. Giving a user the GRANTNULL privilege on an object therefore gives that user the ability to deny others access to that object.