Role-based security, object oriented databases and separation of duty

Abstract

In this paper we combined concepts of role-based protection and object oriented (O-O) databases to specify and enforce separation of duty as required for commercial database integrity [5, 23, 24]. Roles essentially partition database information into access contexts. Methods (from the O-O world) associated with a database object, also partition the object interface to provide windowed access to object information. By specifying that all database information is held in database objects and authorizing methods to roles, we achieve object interface distribution across roles. For processing in the commercial world we can design objects and distribute their associated methods to different roles. By authorizing different users to the different roles, we can enforce both the order of execution on the objects and separation of duty constraints on method execution.