The present invention relates generally to computer software, and more particularly, to a system and method for implementing a quorum based access control mechanism for modifying a database component.
In today's computer network environment, significant amounts of data are customarily stored in a database and used by its various users. Naturally, data management has become an essential task for many data intensive industries. A smooth business operation relies both on the efficiency and security of the database. With the advancement of computer technologies, the size and complexity of a typical database are increasing continuously.
Different users of the database normally have different levels of access rights. From the perspective of data management, a database administrator (DBA) is powerful in that he usually has full access to the entire database and all data stored therein. He can freely read, write and modify any data stored in the database. In a normal situation, the DBA is endowed with the highest level of trust because of his important responsibilities. Other users may be given different access rights depending on their needs. Some have read access rights only, while others have write access rights. Under certain circumstances, it is desirable to store data in a database in a secure way such that even a privileged user like the DBA should not be able to modify records of the database without being detected or without obtaining consent from some other database managers such as an independent auditor. The role of an independent auditor is to trace any user's actions relating to the database, including the DBA's, thereby enhancing the integrity and the security of the database.
From the inception of the concept of computer databases, the access control issue of a database has focused on the access rights of a single user. The scope of access belonging to a particular user depends exclusively on the access rights granted to him by a superior authority, who may very likely be the DBA. For example, in a normal case, a user who has a write access right to a database attribute can modify that attribute freely. However, those who have only an access right to read the same attribute cannot "touch" the attribute.
With the database security problem becoming an increasingly complex and sensitive issue in daily operation, there is a growing need to support quorum based modifications in a database. There are situations when no single user can be trusted to act alone in the database, and such situations warrant a quorum based access control mechanism. In these situations, a minimum of two authorized users must together initiate a change to the database, and the number of users required can be changed by a superior user of the database depending on the need of a particular case.
For instance, a network audit configuration is stored in a Novell proprietary Network Directory Service (the "NDS") in the form of Audit Policy objects. The access control to these objects is managed by the NDS. In a typical scenario, there are at least two high-level trusted users involved, e.g., a DBA (or a system administrator of the same capacity) and a "top level auditor." Unfortunately, neither of them trusts, or should trust, the other. Hence, any one of them is denied access to modify the network audit configuration (e.g., the audit policies) single-handedly. The check-and-balance relationship between the DBA and the auditor helps to enhance the database security, but nevertheless hinders some of the database operations. There are situations when any of them needs an access to the audit policy objects. For instance, some changes in the organization's security policies may need to be modified. However, it is not desirable that any one of them should be able to modify the audit policy objects or even modify an Access Control List (which enables him to modify the objects) without the knowledge of the other. A clear consent of both the DBA and the auditor is required for the modification to occur.
What is needed is an efficient method for implementing a quorum based access control mechanism for modifying a database.
A method and system are provided for implementing a quorum based access control mechanism for modifying at least one value of a database component ("Database Attribute"). In a typical example, the database is managed by a network directory service. Upon a request of an initiator who has a special right, the network directory service establishes one or more quorum attributes for defining the quorum based access control mechanism.
Once the quorum attributes are established, the quorum attributes provide one or more authorized users who have rights to participate in a quorum for accepting or rejecting a modification request. According to one example, various quorum attributes clearly define the access control mechanism. For instance, a Modified Attribute Value is for temporarily storing a proposed value for modifying the Database Attribute. A List of Owners indicates a list of authorized users who have rights to consider the Modified Attribute Value. A Quorum Size attribute defines a minimum number of authorized users to form a quorum to accept the Modified Attribute Value. A time period is also provided by the quorum attribute to require the modification request to be considered within a predetermined time frame. A Mandatory Authorizers attribute provides a list of authorized users whose participation in the quorum is mandatory for modifying the Database Attribute with the Modified Attribute Value. The Mandatory Authorizers is a subgroup of the List of Owners. Moreover, an Authorization Status Table records identities and actions taken by the authorized users in the List of Owners.
When a modifier initiates a modification request, he proposes a value to modify the Database Attribute. The modification request is granted and the Database Attribute is changed to the proposed value if a quorum, as defined by the quorum attributes, is reached and all of the Mandatory Authorizers have accepted the proposed value within the predetermined time frame.
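The grant condition described above, sketched as an added example that is not code from the patent or from NDS: the class, field and function names, the use of numeric timestamps, and the "granted"/"pending"/"expired" result labels are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

ACCEPT, REJECT = "accept", "reject"

@dataclass
class QuorumAttributes:
    """Quorum attributes guarding one Database Attribute (names are illustrative)."""
    proposed_value: object      # Modified Attribute Value, held until the decision
    owners: frozenset           # List of Owners
    quorum_size: int            # Quorum Size
    mandatory: frozenset        # Mandatory Authorizers
    deadline: float             # end of the predetermined time frame
    status: dict = field(default_factory=dict)  # Authorization Status Table

    def __post_init__(self):
        if not self.mandatory <= self.owners:
            raise ValueError("Mandatory Authorizers must be a subgroup of the List of Owners")
        if not 2 <= self.quorum_size <= len(self.owners):
            raise ValueError("Quorum Size must be between 2 and the number of owners")

    def record(self, user, action, now):
        """Log one owner's action; non-owners and late actions are refused."""
        if user not in self.owners:
            raise PermissionError(f"{user} is not in the List of Owners")
        if action not in (ACCEPT, REJECT):
            raise ValueError("action must be accept or reject")
        if now > self.deadline:
            raise TimeoutError("time frame for this request has passed")
        self.status[user] = action

    def decide(self, now):
        accepted = {u for u, a in self.status.items() if a == ACCEPT}
        if len(accepted) >= self.quorum_size and self.mandatory <= accepted:
            return "granted"
        return "expired" if now > self.deadline else "pending"

def apply_if_granted(database, attribute, quorum, now):
    """Write the proposed value only once the quorum condition holds."""
    if quorum.decide(now) != "granted":
        return False
    database[attribute] = quorum.proposed_value
    return True
```

With owners dba, auditor and officer, a Quorum Size of 2 and auditor as the only Mandatory Authorizer, acceptances from dba and officer alone leave the request pending even though the count is met. The value is written only after auditor also accepts within the time frame.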