Identifying unused privileges in a database system
First Claim
1. A method comprising:
identifying a set of privileges that are available to a plurality of requesting entities, wherein the set of privileges includes two or more of select, insert, delete, or update;
monitoring a set of database accesses initiated by the plurality of requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges, wherein the first subset comprises privileges that have been used by the plurality of requesting entities;
wherein monitoring comprises:
determining, by a database authorization engine, based on a query, whether a requesting entity is authorized to utilize a privilege with respect to an object;
in response to determining, by the database authorization engine, that the requesting entity is authorized to utilize the privilege with respect to the object;
executing an execution plan for the query, wherein executing involves a database access in the subset of the set of database accesses, and creating a particular record about the database access, wherein the particular record identifies the requesting entity, the privilege, the object, and zero or more roles;
performing a comparison of the set of privileges and the first subset;
based on the comparison of the set of privileges and the first subset, identifying a second subset, of the set of privileges, that has not been used by any of the plurality of requesting entities;
wherein the method is performed by one or more computing devices.
Abstract
Techniques for identifying unused privileges are provided. Database accesses are monitored to generate privilege usage data. Privilege usage data for each database access may indicate a user, a utilized privilege, an object that is the target of the privilege, and a role to which the privilege is granted. The privilege usage data is compared to database authorization data that indicates all (or a subset) of granted privileges. A result of the comparison is unused privilege data that indicates what granted privileges were not utilized. A role graph may be generated that indicates one or more privileges that were utilized and one or more privileges that were not utilized along with role paths providing the privileges.
22 Citations
22 Claims
1. A method comprising:
identifying a set of privileges that are available to a plurality of requesting entities, wherein the set of privileges includes two or more of select, insert, delete, or update;
monitoring a set of database accesses initiated by the plurality of requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges, wherein the first subset comprises privileges that have been used by the plurality of requesting entities;
wherein monitoring comprises:
determining, by a database authorization engine, based on a query, whether a requesting entity is authorized to utilize a privilege with respect to an object;
in response to determining, by the database authorization engine, that the requesting entity is authorized to utilize the privilege with respect to the object;
executing an execution plan for the query, wherein executing involves a database access in the subset of the set of database accesses, and creating a particular record about the database access, wherein the particular record identifies the requesting entity, the privilege, the object, and zero or more roles;
performing a comparison of the set of privileges and the first subset;
based on the comparison of the set of privileges and the first subset, identifying a second subset, of the set of privileges, that has not been used by any of the plurality of requesting entities;
wherein the method is performed by one or more computing devices.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A method comprising:
determining that a first privilege with respect to a first database object was not utilized by a first requesting entity, wherein the first privilege includes one of select, insert, delete, or update;
determining a first grant path from the first requesting entity to the first privilege through one or more roles;
causing data about the first grant path to be displayed;
causing a role graph to be displayed, wherein the role graph includes:
a first node that represents a particular requesting entity,
one or more second nodes, each representing a role assigned directly or indirectly to the particular requesting entity;
one or more third nodes, each representing a privilege that is granted to the particular requesting entity either directly or indirectly through one or more second roles;
wherein the method is performed by one or more computing devices.
(Dependent claims: 9, 10, 11)

12. One or more non-transitory storage media storing instructions which, when executed by one or more processors, cause:
identifying a set of privileges that are available to a plurality of requesting entities, wherein the set of privileges includes two or more of select, insert, delete, or update;
monitoring a set of database accesses initiated by the plurality of requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges, wherein the first subset comprises privileges that have been used by the plurality of requesting entities;
wherein monitoring comprises:
determining, by a database authorization engine, based on a query, whether a requesting entity is authorized to utilize a privilege with respect to an object;
in response to determining, by the database authorization engine, that the requesting entity is authorized to utilize the privilege with respect to the object;
executing an execution plan for the query, wherein executing involves a database access in the subset of the set of database accesses, and creating a particular record about the database access, wherein the particular record identifies the requesting entity, the privilege, the object, and zero or more roles;
performing a comparison of the set of privileges and the first subset;
based on the comparison of the set of privileges and the first subset, identifying a second subset, of the set of privileges, that has not been used by any of the one or more requesting entities.
(Dependent claims: 13, 14, 15, 16, 17, 18)

19. One or more storage media storing instructions which, when executed by one or more processors, cause:
determining that a first privilege with respect to a first database object was not utilized by a first requesting entity, wherein the first privilege includes one of select, insert, delete, or update;
determining a first grant path from the first requesting entity to the first privilege through one or more roles;
causing data about the first grant path to be displayed;
causing a role graph to be displayed, wherein the role graph includes:
a first node that represents a particular requesting entity,
one or more second nodes, each representing a role assigned directly or indirectly to the particular requesting entity;
one or more third nodes, each representing a privilege that is granted to the particular requesting entity either directly or indirectly through one or more second roles.
(Dependent claims: 20, 21, 22)
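The comparison described in the abstract and claim 1 (granted privileges minus privileges seen in usage records) and the grant-path and role-graph analysis of claim 8 can be worked through on small sample data. The following is an added example, not code from the patent or from any database vendor; the grants, role memberships and usage records are constructed, and the function names (`roles_of`, `granted_privileges`, `unused_privileges`, `grant_path`, `privilege_report`) are this example's own. It generalizes slightly beyond the claim text by letting roles nest (a role granted to a role), which is why the grant path is found by graph search rather than a single lookup.

```python
"""Unused-privilege analysis over constructed sample data.

Added example, not code from the patent or any database vendor. It models
the data the page describes: granted privileges (to users or roles, with
roles nesting), per-access usage records written by the authorization
engine, and a comparison that yields the privileges never used, plus the
grant path through roles that provides each one.
"""
from collections import deque

# Constructed grants: (grantee, privilege, object). A grantee is a user or a role.
GRANTS = [
    ("app_user", "select", "orders"),
    ("reporting", "select", "customers"),
    ("reporting", "select", "orders"),
    ("order_admin", "insert", "orders"),
    ("order_admin", "update", "orders"),
    ("order_admin", "delete", "orders"),
]

# Constructed role membership: grantee -> roles granted to it. Roles may be
# granted to roles, so order_admin inherits everything reporting holds.
ROLE_GRANTS = {
    "app_user": ["reporting"],
    "batch_user": ["order_admin"],
    "order_admin": ["reporting"],
}

# Constructed usage records, one per authorized access, in the shape the
# claims describe: (requesting entity, privilege, object, roles used).
USAGE_RECORDS = [
    ("app_user", "select", "orders", ()),
    ("app_user", "select", "customers", ("reporting",)),
    ("batch_user", "insert", "orders", ("order_admin",)),
    ("batch_user", "update", "orders", ("order_admin",)),
]


def roles_of(entity, role_grants=ROLE_GRANTS):
    """Every role reachable from entity, directly or through nested roles."""
    seen, stack = set(), list(role_grants.get(entity, []))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(role_grants.get(role, []))
    return seen


def granted_privileges(entity, grants=GRANTS, role_grants=ROLE_GRANTS):
    """All (privilege, object) pairs available to entity: direct grants plus
    grants to any role it holds."""
    holders = {entity} | roles_of(entity, role_grants)
    return {(priv, obj) for grantee, priv, obj in grants if grantee in holders}


def used_privileges(entity, usage=USAGE_RECORDS):
    """The first subset: (privilege, object) pairs the entity actually exercised."""
    return {(priv, obj) for ent, priv, obj, _roles in usage if ent == entity}


def unused_privileges(entity, grants=GRANTS, role_grants=ROLE_GRANTS, usage=USAGE_RECORDS):
    """The second subset: granted to entity but never seen in a usage record."""
    return granted_privileges(entity, grants, role_grants) - used_privileges(entity, usage)


def grant_path(entity, priv, obj, grants=GRANTS, role_grants=ROLE_GRANTS):
    """Shortest path entity -> role -> ... -> grantee holding (priv, obj),
    found by breadth-first search over role grants. [entity] alone means a
    direct grant; None means the entity does not hold the privilege at all."""
    holders = {grantee for grantee, p, o in grants if (p, o) == (priv, obj)}
    queue, seen = deque([(entity, [entity])]), {entity}
    while queue:
        node, path = queue.popleft()
        if node in holders:
            return path
        for role in role_grants.get(node, []):
            if role not in seen:
                seen.add(role)
                queue.append((role, path + [role]))
    return None


def privilege_report(entity):
    """Per-privilege view of the role graph: each granted (priv, obj), whether
    it was used, and the grant path that provides it. Sorted for stable output."""
    used = used_privileges(entity)
    return sorted(
        (priv, obj, (priv, obj) in used, grant_path(entity, priv, obj))
        for priv, obj in granted_privileges(entity)
    )


if __name__ == "__main__":
    for user in ("app_user", "batch_user"):
        print(f"{user}: unused = {sorted(unused_privileges(user))}")
        for priv, obj, was_used, path in privilege_report(user):
            state = "used" if was_used else "UNUSED"
            print(f"  {priv:<6} {obj:<10} {state:<6} via {' -> '.join(path)}")
```

On this data `batch_user` never exercised `delete` on `orders` or either `select`, all of which reach it only through `order_admin` (and, for the selects, through the nested `reporting` role); the grant path is what tells an administrator which role grant to revoke without also removing the `insert` and `update` the job actually needs.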