http://dl.acm.org/citation.cfm?id=320482
A multiuser database system must selectively permit users to share data, while retaining the ability to restrict data access. there must be a mechanism to provide protection and security, permitting information to be accessed only by properly authorized users.
Further, when tables and restricted views of tables are created and destroyed dynamically, the granting, authenticating, and revocation of authorization to use them must also be dynamic, …
a directed graph of granted privileges originating from the table creator
at some later time a user A may revoke some or all of the privileges which he previously granted to another user B.
the action usually revokes the entire subgraph of the grants originated from A’s grant to B. it may be, however, that B will still process the revoked privileges by means of a grant from another user C, and therefore some of all of B’s grants should not revoked… an algorithm for detecting exactly which of B’s grants should be revoked is presented.