Access control functionality is one of the most crucial parts of any database application. Access control privileges are generally statically defined in terms of rules. An example of such an approach is taught in a paper entitled “History-based Access Control for Mobile Code”, by Guy Edjlati, Anurag Acharya and Vipin Chaudhary, published as proceedings of the ACM Conference on Computer and Communications Security 1998: 28–48. The key idea behind history-based access control is to maintain a selective history to improve the differentiation between safe and potentially dangerous requests. An example is a policy that allows a user to connect to a remote site if and only if it has neither tried to open a local file that it has not created, nor tried to modify a file it has created, nor tried to create a sub-process.
Because these rules (or rights), exemplified by Edjlali et al are fixed, they are not reactive to the changing state of the database. Such functionality can be added using an event-based access control system. In an event-based access control system, contingent access policies are used. Key to an event-based access control system is the idea of multiple states. Events trigger state transitions. The events can be, for example, the arrival of an object, the completion of a process, or the passage of time (such as a deadline). In each state, users may have different access rights to the system: at one state time User A has read and write access, but at another state time may only have read access.
A particular problem arises when an access request does not have a recognisable authorisation (or permission). Such a request may lead to refusal from the viewpoint of a database administrator.
A known arrangement for dealing with a similar problem is taught in U.S. Pat. No. 6,061,684 (Glasser et al), issued on May 9, 2000. Glasser et al teaches that in the absence of a relevant access control list, a nearest (“proximate”) ancestor element is located, and the control list of that ancestor is inherited. Specifically Glasser et al uses the example of a file system hierarchy having folders whose access permissions can be set. Each folder can, but need not, have an Access Control List. A folder's access permissions can be inherited by its descendants in the hierarchy, however—in the example given—inheritance does not proceed beyond the nearest ancestor having an ACL. If no ancestor is present, then it is possible that the access request will be refused.
Another issue relates to the dynamic modification of access rights. In conventional access control systems having statically defined rules, dynamism is achieved by associating conditions with the access control policy (eg. Edjlali et al). These conditions are evaluated when the user makes an access request. For an events-based access control system, on the other hand, the access rights are changed on the occurrence of predefined events. By way of example, users are ascribed roles. Roles, in turn, are mapped to rights (or privileges) according to a series of rules that are contingent upon events. An example of an event not related to a user request is data being inserted or modified in a database.
The conditions associated with the policy are evaluated on the occurrence of events beyond user access requests. Therefore, when a user makes repeated data access requests, that request is tested against the policy in force at the particular instant of time. The policy may have changed in the period between subsequent requests.
A known arrangement of this type is taught in Technical Report No. 1998.05, entitled “Fine-Grained Event-Based Access Control”, by Kenneth K. Pang, published by Lotus Development Corporation, 55 Cambridge Parkway, Cambridge, Mass. 02142. Pang describes an arrangement suited to a process having the properties of user rights depending on time and the roles the users assume. The roles depend upon the requested object (eg. a document or file). Pang has only a limited set of events that can impact on a user's rights at any one time. Specifically, it is the role the user has assumed for the document (ie. object) it wishes to access, and a time function.