The NTree: a two dimension partial order for protection groups
- 1 May 1988
- journal article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Computer Systems
- Vol. 6 (2), 197-222
- https://doi.org/10.1145/42186.42187
Abstract
The benefits of providing access control with groups of users rather than with individuals as the unit of granularity are well known. These benefits are enhanced if the groups are organized in a subgroup partial order. A class of such partial orders, called ntrees, is defined by using a forest of rooted trees or inverted rooted trees as basic partial orders and combining these by refinement. Refinement explodes an existing group into a partially ordered ntree of new groups while maintaining the same relationship between each new group and the nonexploded groups that the exploded group had. Examples are discussed to show the practical significance of ntrees and the refinement operation. It is shown that ntrees can be represented by assigning a pair of integers called lr-values to each group so that g is a subgroup of h if and only if l[g] ≤ l[h] and r[g] ≤ r[h]. Refinement allows a complex ntree to be developed incrementally in a top-down manner and is useful for the initial definition of an ntree as well as for subsequent modifications. To make the latter use of refinement practical, a method is presented for assigning lr-values to the new groups introduced by refinement so lr-values assigned to nonexploded groups need not be changed. It is also shown how to guarantee that the lr-values of the exploded group will get assigned to one of the new groups.