V. Kirichenko

Implementation of security mechanisms of a software system assumes that a certain user needs to access a certain subset of a file or a database table, leaving other data inaccessible to him. The problem is stated as follows: «User №1» was granted the right to access solely «record №3» therefore attempt to access «record 2» by the user is rejected. «User №2» is granted the right to access «Record 3» as well as «Record 2» therefore attempt to access both records by the user is not rejected. To solve the problem we use discretionary access control mechanism (DAC) which allows granting and revoking access rights from users dynamically. Method proposed in this paper is based on role based access control model (RBAC) and DAC. Each user is assigned a role and a domain. Role is used to group users by their occupation while domain groups users by the subsets of the data domain they need to work with. Each «role-domain» pair is associated with certain subsets of data. Here, data subset is a list of identifier values of the table managed by the access control mechanism. In other words we enumerate the primary key values of the table which are accessible by the particular «role-domain» pair. Data subsets can have types, where type is an object of discretionary access control. Data selection from the table is done by the means of a view, while the user access to the table itself is closed. The above described approach fully solves the stated problem of access control.