Semantic Data Control

View Management
View Updatability
Views in Distributed System

Authorization and Protection

Authorization and data protection are two very important aspects of database security, and they are closely related to
each other. Protection is required to prevent unauthorized disclosure, alteration or destruction of data. Data
protection is generally provided by fi le systems in both centralized and distributed operating systems. A well-
known method for data protection is data encryption. Data encryption is suitable for both storing the information on
the disk as well as data exchange through the network. In data encryption method, the data is encoded into
ciphertext, and it can be decoded into original data as required by using an algorithm. The algorithms used for
encoding and decoding data are called key. There are various standard data encryption techniques such as symmetric
key encryption and asymmetric key encryption. A complete presentation of protection schemes is available in
[Fernandez et al., 1981].
The granting of rights or privileges that enable users to have legitimate access to a system or a system’s objects is
called authorization. Authorization ensures that only the authorized users are accessing the data. An authorization
control must have the ability to identify authorized users and thereby to restrict unauthorized accessing of data.
Authorization control was being provided by operating systems for a long time, and recently by distributed operating
systems as a service of the fi le system. Generally, a centralized approach is used for authorization control. In this
approach, the centralized control creates database objects and provides permission to other users to access these
objects. Database objects are identified by their external names. Another aspect of authorization is that different
users can have different privileges on the same database objects in a database environment.
In a relational DBMS, the DBA uniformly controls authorizations using high-level constructs. A DBA is usually
responsible for allowing users to have access to database objects by creating individual user accounts. In a
distributed DBMS, a decentralized authorization control approach is more suitable than a centralized authorization
control approach. Authorization control in distributed DBMSs is more complicated because database objects and
users may be distributed among different sites.

Centralized Authorization Control

In authorization control, three main entities are involved: users, database objects and
operations that can be performed on database objects. Therefore, an authorization can be
defined as a triple(user, operation, object), which indicates that the specified user has the right
to perform an operation of the specified type on the specified object. Authorization control
checks whether a given triple can be permitted to process or not. A user is introduced into the
system by the pair (username,password). The username is used to identify each user uniquely
in the system, and the password is used to authenticate the user. Both of these information are
required to login into the database environment, thereby preventing unauthorized users from
entering into the database system.
A database is a collection of database objects. In relational data model, a database object can
be defined by its type, which is expressed as (view, relation, tuple, attribute), as well as by its
content using selection predicates. A right or privilege represents a relationship between a user
and a database object for a particular set of operations. In SQL, an operation is defined by a
high-level statement such as INSERT, DELETE, UPDATE, ALTER, SELECT, GRANT, REFERENCES or
ALL and privileges are defined using GRANT and REVOKE statements. The keyword public is
used to mean all users in the system. In centralized authorization control, the DBA has all
privileges on all database objects, and he/she is allowed to grant (or take away) permissions to
(from) other users.
In decentralized authorization control, the creator of a database object is the owner of that
object. The owner has the right to grant permission to other users to perform certain
operations on the database object. In this case, the authorization control is distributed among
the owners of database objects. If the owner grants the GRANT permission on a database
object to some other user,then that specified user can subsequently grant permissions to other
users on this specified database. object. The revoking process must be recursive, and to
perform revoking the system must maintain a hierarchy of grants per database object where
the owner of the database object is the root.
Distributed Authorization Control
Semantic Integrity Constraints
Global System Catalog

Contents of Global System Catalog

Catalog Management in Distributed System