RIPE Database docs

Security of Data Using Authorisation

Individual data objects must be protected with a mntner object. The mntner is referenced by the "mnt-by:" attribute in the object. This attribute is defined as multiple in all object types, so several mntner objects can be used to protect one object.

Only those mntner objects referenced by the "mnt-by:" attributes are authorised to modify or delete the object. Authorisation checks work in line with the logical "OR" - for the operation to be authorised, you must supply information required by at least one credential from one of the referenced mntner objects. As you can supply information required by any credential for the operation to be authorised, this means that an object's protection level is determined by the weakest authorisation method used in the mntner objects referenced by that object.

When the "mnt-by:" attribute is added to an object for the first time (as part of object creation or modification), the operation should pass authorisation checks for at least one of the mntner objects referenced by one of the "mnt-by:" attributes.

If the operation is a modification and the old object already has one or more "mnt-by:" attributes, then one of the mntner objects referenced in one of the "mnt-by:" attributes in the old object must authorise the change. If the old object does not have any "mnt-by:" attributes, then one of the mntner objects referenced in one of the "mnt-by:" attributes in the new object must authorise the change. All new objects must have at least one "mnt-by:". There are still some historic person and role objects that do not have any "mnt-by:" attributes.

Authorisation is also used in a hierarchical way. Much of the operational data in the RIPE Database is structured hierarchically. For example, the address space is allocated in large blocks, which can then be divided in a number of ways and then finally assigned to End Users. Authorisation in a hierarchy works from the top down to the bottom. So each child object needs to be authorised by the holder of the parent object. There are a range of additional attributes for this including "mnt-lower:", "mnt-routes:" and "mnt-domains:".