Automated derivation of global authorizations for database federations

Global authorizations in database federations can be derived from local authorizations exported by the databases composing the federation. Particularly, when several component databases participate in the federation and a high number of users and protection objects are involved, techniques are needed for defining and managing global access privileges. This paper describes an automated approach for the derivation of global authorizations according to the policy of decentralized minimum privilege, based on the analysis of authorizations exported by component databases. The approach rakes into account both the security requirements of the constituent databases, to preserve their local authorization autonomy, and cooperation requirements, to concurrently enable flexible data sharing between the constituent databases. A federation authorization model and abstraction criteria to derive global authorizations that are consistent with the exported local ones are presented. Different abstraction strategies can be applied for derivation, depending on the nature of the global objects to be protected and on the security requirements of the federated system.