Designing Application Authorizations

Leszek A. Maciaszek
Macquarie University, Australia

Mieczyslaw L. Owoc
University of Economics, Poland

Abstract

Information systems must be protected from unauthorized access. Authorization has been studied extensively as the main form of preserving the security of databases. Every database management system provides a sophisticated set of options aimed at protecting the database from unauthorized access. An important practical problem is how to take advantage of the database security options to ensure that a user is permitted to access the database through the application program but may not be allowed to access the database directly via database query tools. A related issue is how to extend the user privileges on the client part of the application so that only authorized GUI controls are available to the user.

In this paper we propose a model for designing the necessary authorization settings into both the client and the server parts of a database application. The settings are stored in an Authorization Database (ADB) to which the program connects to customize itself for the current user. The customization is based on an application role granted to the user. An application role is activated for a connection (user session). After the database server authenticates the user, the application can transparently obtain the user's login to the application role from the ADB.

Keywords: authorization design, database applications, security, client/server systems