Publication Date


Advisor(s) - Committee Chair

John Crenshaw, Art Shindhelm, Darleen Pigford


Access granted to WKU students, faculty and staff only.

After an extensive unsuccessful search for the author, this thesis is considered an orphan work, which may be protected by copyright. The inclusion of this orphan work on TopScholar does not guarantee that that orphan work may be used for any purpose and any use of the orphan work may subject the user to a claim of copyright infringement. The reproduction of this work is made by WKU without any purpose of direct or indirect commercial advantage and is made for purposes of preservation and research.

See also WKU Archives - Authorization for Use of Thesis, Special Project & Dissertation

Degree Program

Department of Computer Science

Degree Type

Master of Science


Information security is the protection of information against unauthorized disclosure, alteration or destruction. In order to enforce such protection we must have an effective authorization model. Authorization is the specification of rules about who has what type of access to what information. Access rules can be stored in the form of a relation, and it is known as access matrix. The process of ensuring that information and other protected objects are accessed only in an authorized way is called access control.

The researcher in this study considers the Basic Access Control Model to show how the drawbacks can be overcome by using an extended access control model. Basic Access Control Model is represented by the tuple (S, O, T, P), which specifies that subject S has access type T to those occurrences of object O for which predicate P is true. The predicate P is a set of rules which the access control model checks while validating the request.

The Basic Control Model does not provide complete security to the DBMS in question due to the following drawbacks:

  1. A potential criminal can attack the database in many ways. Consider a programmer in the organization trying to access that part of the database which he/she is not supposed to access. He/she will try to find a flaw in the application program and keep trying to get unlawful access to the database. If there is nothing to track down his/her unlawful access, the organization’s security is violated. If the criminal is traced during the first attempt, the chances of violation are minimized.
  2. In the basic model the request is either completely satisfied or denied. Such a request would be fine if it is for a specific field occurrence. But when the request is for a record occurrence and if some of the fields in that record are authorized and some are not, the basic model would not allow even the authorized field to be passed to the end users.

The researcher in this study proposes a Modified Access Control Model to overcome the above drawbacks and provide complete security to the DBMS. The model that is proposed can be represented by the tuple (S, O, T, P, Ap, Ps), which specifies that the subject S has access T to those Occurrences of O for which predicate P is true. Also, whenever there is an access to the protected data, an auxiliary procedure Ap tells what immediate action should be taken, and the predicate Ps tells whether the request can be partially satisfied or not. The modified model, thus, prevents and also detects any unauthorized access, restoring the security of the DBMS.

The access control model will be implemented using a financial banking system on the VAX RDB/VMS. A typical financial banking system database is designed and the typical transactions are implemented, which make use of the access control model before each and every transaction is executed.

  1. Identity of subject S is authenticated.
  2. The subject enters a request. The S, O and T are identified from the request. If the access matrix in the DBMS contains a rule with the same S, O, T) the protection data is retrieved to evaluate the access rule(s) predicate P; otherwise the request is denied. Now the data in the database is checked with P of the access matrix to decide if the request can be granted.
  3. As soon as any request comes to the DBMS, auxiliary procedure Ap invokes a suitable action – such as writing a special security log in case of serious violation.
  4. If the request is for a record occurrence and if some of the fields in that record are authorized and some are not, then the modified model allows the authorized fields to be passed to the user. This partial satisfaction of the user request is decided by the predicate Ps.

The access control model guarantees (by demonstration) to provide complete security to the database, and it will prevent and detect any type of unauthorized access to the data in the database.


Computer Sciences | Databases and Information Systems | Information Security | Physical Sciences and Mathematics