Database Security Lecture 4
Lecture 4
Discretionary Access Control (DAC)
• The typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges.
• An example:
• Suppose that A1 grants SELECT to A2 on the EMPLOYEE relation with horizontal propagation equal to 1 and vertical propagation equal to 2.
• A2 can then grant SELECT to at most one account because the horizontal propagation limitation is set to 1.
• Additionally, A2 cannot grant the privilege to another account except with vertical propagation set to 0 (no GRANT OPTION) or 1; this is because A2 must reduce the vertical propagation by at least 1 when passing the privilege to others.
• In addition, the horizontal propagation must be less than or equal to the originally granted horizontal propagation.
• For example, if account A grants a privilege to account B with the horizontal propagation set to an integer number j > 0, this means that B can grant the privilege to other accounts only with a horizontal propagation less than or equal to j.
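The rules above can be checked mechanically. The following is an added example, not part of the lecture: a small Python model of one privilege (SELECT on EMPLOYEE) that enforces both limits and replays the A1/A2 scenario. The class and function names, the accounts A3 to A6, and the treatment of the owner A1 as unlimited are assumptions made for illustration.

```python
import math

class GrantDenied(Exception):
    """Raised when a grant would violate a propagation limit."""

class PrivilegeModel:
    """Tracks one privilege on one relation, e.g. SELECT on EMPLOYEE."""

    def __init__(self, owner):
        # Assumption: the owner's own grants are not limited.
        self.held = {owner: {"h": math.inf, "v": math.inf, "issued": 0}}

    def grant(self, grantor, grantee, h, v):
        g = self.held.get(grantor)
        if g is None:
            raise GrantDenied(f"{grantor} does not hold the privilege")
        if h < 0 or v < 0:
            raise GrantDenied("propagation limits cannot be negative")
        if g["v"] < 1:  # vertical propagation 0 means no GRANT OPTION
            raise GrantDenied(f"{grantor} has no GRANT OPTION")
        if g["issued"] >= g["h"]:  # horizontal: number of direct grantees
            raise GrantDenied(f"{grantor} reached horizontal limit {g['h']}")
        if v > g["v"] - 1:  # vertical: depth must shrink at every hop
            raise GrantDenied("vertical propagation must drop by at least 1")
        if h > g["h"]:
            raise GrantDenied("horizontal propagation exceeds grantor's limit")
        g["issued"] += 1
        # Simplification: a repeated grant to the same account overwrites.
        self.held[grantee] = {"h": h, "v": v, "issued": 0}

def attempt(model, grantor, grantee, h, v):
    """Return 'granted' or the denial reason as a string."""
    try:
        model.grant(grantor, grantee, h, v)
        return "granted"
    except GrantDenied as exc:
        return str(exc)

def lecture_example():
    """Replay the A1/A2 scenario; A3..A6 are constructed accounts."""
    m = PrivilegeModel("A1")
    steps = [("A1", "A2", 1, 2),   # the grant described in the lecture
             ("A2", "A3", 1, 2),   # vertical not reduced
             ("A2", "A3", 2, 1),   # horizontal larger than A2's own
             ("A2", "A3", 1, 1),   # allowed
             ("A2", "A4", 1, 0),   # A2 already used its one grant
             ("A3", "A5", 1, 0),   # allowed, A5 gets no GRANT OPTION
             ("A5", "A6", 0, 0)]   # A5 cannot pass the privilege on
    return [(s, attempt(m, *s)) for s in steps]

if __name__ == "__main__":
    for step, outcome in lecture_example():
        print(step, "->", outcome)
```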