WWW.DISSERS.RU


...
    !

Pages:     | 1 |   ...   | 33 | 34 || 36 | 37 |   ...   | 54 |

6. Bultheel A., K.U.Leuven H. Martnez-Sulbarany, Recent developments in the theory of the fractional Fourier and linear canonical transforms, Bulletin of the Belgian mathematical Society- Simon Stevin, , .. I ., 1113, . . . 101, .. 95, e-mail: gstoilov@optics.bas.bg Fourth International Conference I.TECH 2006 Software Engineering ACCESS RIGHTS INHERITANCE IN INFORMATION SYSTEMS CONTROLLED BY METADATA Mariya Chichagova, Ludmila Lyadova Abstract: All information systems have to be protected. As the number of information objects and the number of users increase the task of information systems protection becomes more difficult. One of the most difficult problems is access rights assignment. This paper describes the graph model of access rights inheritance. This model takes into account relations and dependences between different objects and between different users. The model can be realized in the information systems controlled by the metadata, describing information objects and connections between them, such as the systems based on CASE-technology METAS.

Keywords: access control mechanisms, graph model, metadata, CASE-technology.

ACM Classification Keywords: D.2 Software engineering: D.2.0 General - Protection mechanisms.

Introduction As information systems grow larger and more complex, and as the number of their users increase, there are growing needs for methods that can simplify and even partly automate the process of access rights assignment.

The main problem of traditional access control mechanisms is that they dont take into account the relations between information objects.

The technology METAS [Lyadova, 2003], [Ryzhkov, 2002] allows to create dynamically adjusted information systems. Means of adaptation are based on use of the metadata describing information objects and connections between them from the various points of view. Functioning of information system is carried out through interpretation metadata by MDK METAS The metadata can form a basis for realization of mechanisms of the rights equivalence, in particular, the mechanism of the access rights inheritance that allows to lower labour input of assignment of the rights the manager of system. At the same time there are problems at definition of the rights of access on the objects accessible on several relations from parental objects to which various rights are appointed.

The model proposed in this paper take such relations in consideration and the rules for it are formulated.

To define the inheritance mechanism we shall formally describe model of distribution of the access rights. As basic elements of the model are used access graph and rules of its transformation.

Graph Model An information system consists of objects and subjects. Access control describes whether specific subject can access specific object.

Let O is a set of objects and S is a set of subjects. G = (V, E) is a finite directed labelled graph, where V = O S is a set of nodes and E is a set of arcs.

Software Engineering Notation v v means that there is an arc (v, v) E in graph G. A node s S V is called subject-node and a i j i j i node o O V is called object-node.

i If v v and both of these nodes are subject-nodes (or both of them are object-nodes) node v is called parent of i j i node v and node v is called child of node v.

j j i Subject-nodes which have not got any children are called users all other subject-nodes are called groups.

Object-nodes which have not got any children are called leaves all other subject-nodes are called roots.

Arcs between objects present the relations between them. The arcs direction depends on type of relationship between objects:

- 1 : 0..1 arc from 0..1 to 1;

- 1 : M arc from 1 to M;

- 0 : 1..M arc from 0 to 1..M;

- M : M bidirectional arc.

For example, for part of the database scheme which is shown on fig. 1 the subgraph on fig. 2 is fitted.

OOO(class) (school) (diagnosis) school * class diagnosis * O* * pupil (pupil) Figure 1. Database Scheme Fragment Figure 2. Object-nodes Subgraph Each of the subjects must be connected by the arc to each of the objects. An arc between subject-node and object-node is called access arc.

An access arcs label determines the assigned access right of this subject to the object. Assigned access right is determined by the information systems administrator and it can deny or allow access to information objects.

Access rights that take into account relations between subjects and objects are called actual access rights.

Subject-nodes In this section relations between subjects are considered and the rules that can take them into account are formulated. Access rights that allow for relations only between subjects are called actual subjects access rights.

Fourth International Conference I.TECH 2006 Let parent(s) = {s S | (s, s) E} is a set of parents for subject-node s S.

i j j i i Let access arcs have following labels:

- right(s, o) {0, 1, 2, 3} is an assigned access right of subject s S to object o O, where 0 means i j i j that right is not assigned, 1 access is denied, 2 subject has a partial access and 3 access is allowed. Partial access means that access is allowed only if certain conditions are fulfilled. These conditions are determined by administrator.

- a_right(s, o) {1, 2, 3} is an actual subjects access right of subject s S to object o O, where i j i j means that access is denied, 2 subject has a partial access and 3 access is allowed.

The subjects access rights can depend on its parents rights. The process of determination the actual subjects rights is called subjects rights inheritance.

Let s S. The inheritance should be done according to the following two rules.

i Rule 1. If subject has an assigned right right(s, o) 0 to object o O, the actual subjects right is determined as i j j right(s, o), i.e.

i j a _ right(si,o ) = right(si,o ) (1) j j The main idea of this rule is that explicit assignment is more significant than inheritance.

Rule 2. If an access right to object o O isnt assigned, i.e. right(s, o) = 0, the actual subjects right is j i j determined as maximum of its parents actual rights :

a _ right(si,o ) = max (a _ right(sk,o )) (2) j j skparent(si ) If an access right to object o O isnt assigned and the subject hasnt got any parents its actual right is j determined as 1. It means that access is denied.

Note that by definition the maximum value for a_right is 3 (that means that access is allowed).

For finding actual subjects rights the above two rules are recursively applied.

Object-nodes In this section relations between objects are considered and the rules that can take them into account are formulated. Access rights that allow for relations only between subjects are called actual objects access rights.

Note that the same object can be connected with different objects and rights can depend on the object from which the access is done.

As access rights depend on access context let define context(s, o) as a current access context, i.e. list of objecti j nodes (path from one of the roots to current object-node).

Parent from context is an object-node from the access context which is the parent for node o O. Let j c_parent(o) is a parent for object-node o O from context.

j j Let access arcs also have following labels:

- o_right(s, o) {1, 2, 3} is an actual objects access right of subject s S to object o O, where i j i j means that access is denied, 2 subject has a partial access and 3 access is allowed.

Let arcs between object-nodes have the following labels:

- inherit(o, o) {true, false} shows the possibility of inheritance. Let inherit(, o) = false that means k j j that inheritance from empty object is forbidden.

The process of determination the actual objects rights is called objects rights inheritance.

Let s S. The inheritance should be done according to the following three rules.

i Software Engineering Rule 3. If subject has an assigned right right(s, o) 0 to object o O, the actual objects right is determined as i j j right(s, o), i.e.

i j o _ right(si,o ) = right(si,o ) (3) j j This rule is the same as the rule 1 for subjects rights inheritance.

Rule 4. If an access right to object o O isnt assigned, i.e. right(s, o) = 0, and inherit(o, o) = false where j i j k j o = c_parent(o) the actual objects right is determined as prohibition of access, i.e.

k j o _ right(si,o ) = 1 (4) j This rule means that if the inheritance is forbidden in current context and there are no assigned rights the access is denied.

Rule 5. If an access right to object oO isnt assigned, i.e. right(s, o)=0, and inherit(o, o)=true where j i j k j o =c_parent(o) the actual objects right is determined as follows:

k j o _ right(si,o ) = o _ rigth(si,c _ parent(o )) (5) j j In order to determine actual access rights in rules 3, 4, 5 we should use a_right instead right.

Conclusion Using of access rights inheritance allows to simplify the access rights assignment by automatic taking into account relations between object and subject. This method also permits to avoid some kind of mistakes which can be made by information systems administrator.

In addition to the means described in the given article means of the control of correctness of obvious assignment of the access rights for objects and their attributes are offered also [Mikov, 2003].

The architecture of the CASE-system METAS, the models of the metadata used in this system, and principles of its functioning are described in several articles [Lyadova, 2003], [Ryzhkov, 2002].

The system METAS is developed on the.NET platform. The technology ADO.NET, providing independence from DBCS, is used for access to the objects in database.

Bibliography [Lyadova, 2003] L.N. Lyadova, S.A. Ryzhkov. CASE-technology METAS. In: Scientific Articles Collection Mathematics of Program Systems. Perm University, Russia, 2003, pp. 4-18.

[Mikov, 2003] A.I. Mikov, M.V. Chichagova. The Control over Rights Assignment. In: Scientific Articles Collection Mathematics of Program Systems. Perm University, Russia, 2003, pp. 207-212.

[Ryzhkov, 2002] S.A. Ryzhkov. The Concept of the Metadata in the Development of Information Systems. In: Scientific Articles Collection Mathematics of Program Systems. Perm University, Russia, 2002, pp. 25-35.

Authors' Information Mariya Chichagova Perm State University, Assistant of the Department of Computer Science; PSU, 15, Bukirev St., Perm, 614990, Russia; e-mail: chichagova@dom.raid.ru Ludmila Lyadova - Institute of Computing, Deputy Director; 19/2-38, Podlesnaya St., Perm, 614097, Russia;

e-mail: lnlyadova@mail.ru Fourth International Conference I.TECH 2006 THE APPLICATION OF GRAPH MODEL FOR AUTOMATION OF THE USER INTERFACE CONSTRUCTION Elena Kudelko Abstract: The ability of automatic graphic user interface construction is described. It is based on the building of user interface as reflection of the data domain logical definition. The submitted approach to development of the information system user interface enables dynamic adaptation of the system during their operation. This approach is used for creation of information systems based on CASE-system METAS.

Keywords: User interface, metadata, CASE-technology, dynamically adapted information systems, graph model.

ACM Classification Keywords: D.2 Software Engineering: D.2.2 Design Tools and Techniques Computeraided software engineering (CASE); G.2 Discrete Mathematics: G.2.2 Graph Theory Graph algorithms.

Introduction The aim of the working out of application user interface is the reflection of the inner structure of information system objects on the level of user understanding about data domain that means the determination of screen objects which let user co-operate with the information system (IS). User interface must include the set of screen forms with the help of which information input and editing can be possible, as well as the navigation system which let data domain objects be catalogued for speeding-up access to them. In this work the approach for automation of the logical description data domain reflection on user interface level, based on the use of graph model, is described. The working out of the models of user interface is made in the context of the creation of CASEtechnology METAS based on the metadata, which are multilevel and describe IS from different points. User interface management, described in this work, is based on the metadata of presentation level, which are built on the base of logical level. Both levels can be represented as graphs.

The basic concepts of the logical level are entities, attributes, relation between entities and also instances of these concepts. Entity is a type of data domain objects which is characterized by the set of its attributes and relations with entities. For example, entity can be Person characterized by the qualities Surname, Name, Birthday, which are attributes of this entity. A person must have an address that means that entity Person must be connected with entity Address. Metadata of the presentation level describe user interface elements:

screen forms, controls of different type, navigation system of application. The idea of automatic creation of forms is based on the building of presentation level graph as a reflection of the logical level graph.

Screen Forms Let us describe the graph of the logical model G, on the base of which we will build the graph of the presentation l model G. The nodes of the logical model graph are corresponded to entities of data domain; there are relations pr between entities, which are directed arcs in the graph of logical model:

Gl = (Vl,E ), where Vl = {e1,e2,..., en }, E = {r1,r2,..., rm }, n,m N l l ri = (e,ek ), where i = 1..m ; j,k = 1..n j Incoming into the node e arcs mean relations of 1:̻ type, in which entity e is on ̻ side that means it is child entity. Outgoing arcs present relations of 1:̻ type, in which entity e is on 1 side that means it is parent entity. Relations of :̻ type are represented by two-forked arcs of graph G.

Pages:     | 1 |   ...   | 33 | 34 || 36 | 37 |   ...   | 54 |



2011 www.dissers.ru -

, .
, , , , 1-2 .