Posted to user@accumulo.apache.org by Kevin Pauli <ke...@thepaulis.com> on 2012/12/27 20:03:17 UTC

hierarchical authorizations?

Hi, I'm evaluating Accumulo for a project where we'll need to secure the
data based on hierarchical authorizations, using the CAPCO security
guidelines.

I have the authorizations U, C, S, and TS, and my data only has one of
these (not multiples).

I need to allow a user with a U to only see U data.  That's easy enough.
 But a user with C should be able to see both U and C.  A user with S
should be able to see U, C, and S, and a TS user should be able to see them
all.

Can I set these rules up globally (like I can with Oracle Label Security)?
 Or do I need to explicitly grant U,C to the C user, U,C,S to the S user,
and U,C,S,TS to the TS user?

-- 
Regards,
Kevin Pauli

Re: hierarchical authorizations?

Posted by Josh Elser <jo...@gmail.com>.
No, Accumulo doesn't have any implicit hierarchy to visibility labels. 
The application needs to expand hierarchy when appropriate.

In other words, if you had visibility labels "human" and "doctor", 
Accumulo makes no effort to understand that a medical doctor is a 
person. The application using Accumulo would need to understand that a 
user who is a medical doctor is also a person and should provide the 
authorizations "doctor" and "human" when querying Accumulo as that user.

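
The application-side expansion described in the reply, as an added example that is not part of either post and is not Accumulo project code. The class and method names (`ClearanceExpander`, `expand`, `canSee`) are hypothetical, and the sketch assumes the clearance string comes from a trusted server-side identity lookup, never from the client request.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/** Added example: turns one clearance into the flat label set a scan needs. */
public class ClearanceExpander {
    // Levels from the question, lowest to highest. List order is the hierarchy.
    private static final List<String> LEVELS =
            Collections.unmodifiableList(Arrays.asList("U", "C", "S", "TS"));

    /** Returns the clearance plus every level below it. */
    public static String[] expand(String clearance) {
        int idx = LEVELS.indexOf(clearance);
        if (idx < 0) {
            // Fail closed: an unrecognised clearance yields no labels at all.
            throw new IllegalArgumentException("unknown clearance: " + clearance);
        }
        return LEVELS.subList(0, idx + 1).toArray(new String[0]);
    }

    /** Models the outcome for data that carries exactly one label. */
    public static boolean canSee(String clearance, String dataLabel) {
        return Arrays.asList(expand(clearance)).contains(dataLabel);
    }

    public static void main(String[] args) {
        for (String user : LEVELS) {
            // This array is what the application hands to Accumulo, e.g.
            // new org.apache.accumulo.core.security.Authorizations(expand(user))
            // when it creates the scanner for that user.
            System.out.println(user + " -> " + String.join(",", expand(user)));
        }
        System.out.println("C sees U:  " + canSee("C", "U"));
        System.out.println("C sees S:  " + canSee("C", "S"));
        try {
            expand("SCI"); // constructed input: a label outside the hierarchy
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:  " + e.getMessage());
        }
    }
}
```

The Accumulo account the application connects as must itself be granted every label it may pass, since a scan cannot request authorizations the account does not hold.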