Techniques for efficient access control in a database system

US 10,318,752 B2
Filed: 05/26/2006
Issued: 06/11/2019
Est. Priority Date: 05/26/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising computer-implemented steps of:

storing a plurality of ACLs in a first table, said plurality of ACLs being associated with multiple tables, wherein a database managed by a database server includes said first table and said multiple table;

wherein a subset of said plurality of ACLs are associated with said multiple tables;

a database server replicating said subset of said plurality of ACLs by at least storing versions of said subset of said plurality of ACLs in a second table different than said first table, said second table not storing versions of other ACLs of said plurality of ACLs that are not in said subset of said plurality of ACLs, wherein said database includes said second table;

wherein a second index indexes said second table, said second index having an index key based on principals associated with said subset of said plurality of ACLs;

a database server receiving a request to execute a query for one or more principals;

wherein said query requires an operation to a base table that belongs to said multiple tables, said operation requiring a privilege to perform, wherein each row of rows in said base table is associated with an ACL of said subset of said plurality of ACLs;

a database server rewriting said query to generate a first rewritten query to access said second table and that includes a predicate based on a set of one or more ACLs that grant one or more principles said privilege, wherein said predicate causes execution of said first rewritten query to;

generate said set of one or more ACLs by at least performing an index evaluation on said second index;

perform an index evaluation based on the predicate to determine which one or more rows in said base table are associated with said set of one or more ACLs, without accessing said one or more rows in the base table to identify said one or more rows, said index evaluation based on the predicate accessing a first index on said base table using said set of one or more ACLs, wherein said first index is ordered by key values of a key of said first index, wherein each key value of said key values identifies an ACL of said plurality of ACLs; and

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access control rewrites generate rewritten queries that may be executed more efficiently using index evaluation to determine which rows satisfy one or more access control conditions.

63 Citations

16 Claims

1. A method, comprising computer-implemented steps of:
- storing a plurality of ACLs in a first table, said plurality of ACLs being associated with multiple tables, wherein a database managed by a database server includes said first table and said multiple table;
  
  wherein a subset of said plurality of ACLs are associated with said multiple tables;
  
  a database server replicating said subset of said plurality of ACLs by at least storing versions of said subset of said plurality of ACLs in a second table different than said first table, said second table not storing versions of other ACLs of said plurality of ACLs that are not in said subset of said plurality of ACLs, wherein said database includes said second table;
  
  wherein a second index indexes said second table, said second index having an index key based on principals associated with said subset of said plurality of ACLs;
  
  a database server receiving a request to execute a query for one or more principals;
  
  wherein said query requires an operation to a base table that belongs to said multiple tables, said operation requiring a privilege to perform, wherein each row of rows in said base table is associated with an ACL of said subset of said plurality of ACLs;
  
  a database server rewriting said query to generate a first rewritten query to access said second table and that includes a predicate based on a set of one or more ACLs that grant one or more principles said privilege, wherein said predicate causes execution of said first rewritten query to;
  
  generate said set of one or more ACLs by at least performing an index evaluation on said second index;
  
  perform an index evaluation based on the predicate to determine which one or more rows in said base table are associated with said set of one or more ACLs, without accessing said one or more rows in the base table to identify said one or more rows, said index evaluation based on the predicate accessing a first index on said base table using said set of one or more ACLs, wherein said first index is ordered by key values of a key of said first index, wherein each key value of said key values identifies an ACL of said plurality of ACLs; and
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the method further includes:
    - rewriting said query to generate a second rewritten query, wherein said rewriting causes, when said second rewritten query is executed, a functional evaluation of certain rows from said base table to determine which of said certain rows satisfy one or more access control criteria for said privilege;
      
      causing a comparison between a cost for executing said first rewritten query and a cost for executing said second rewritten query; and
      
      determining whether to execute the first rewritten query based on said comparison.
  - 3. The method of claim 2, wherein said cost for executing said first rewritten query is based on a selectivity of said one or more access control criteria, wherein said selectivity is estimated by determining a proportion of said plurality of ACLs associated with said one or more principals.
  - 4. The method of claim 2, wherein:
    - said functional evaluation includes an execution of an access control function that returns a result indicating whether said access control criteria is satisfied; and
      
      the method further includes invoking a user-registered function that returns information for costs associated with executing said access control function.
  - 5. The method of claim 1, wherein said first table is a database table.
  - 6. The method of claim 5, wherein said plurality of ACLs are stored as data that conforms to XML.
  - 7. The method of claim 6, wherein the method further includes a database server computing queries that reference data in said plurality of ACLs using at least one expression confirming to at least one of XPath or XQuery.
  - 8. The method of claim 1, wherein said base table includes a hidden column that stores an identifier that identifies an ACL associated with a row in said base table.

9. One or more non-transitory storage media storing sequences of instructions which, when executed by one or more computing devices, cause:
- storing a plurality of ACLs in a first table, said plurality of ACLs being associated with multiple tables, wherein a database managed by a database server includes said first table and said multiple tables;
  
  wherein a subset of said plurality of ACLs are associated with said multiple tables;
  
  a database server replicating said subset of said plurality of ACLs by at least storing versions of said subset of said plurality of ACLs in a second table different than said first table, said second table not storing versions of other ACLs of said plurality of ACLs that are not in said subset of said plurality of ACLs, wherein said database includes said second table;
  
  wherein a second index indexes said second table, said second index having an index key based on principals associated with said subset of said plurality of ACLs;
  
  a database server receiving a request to execute a query for one or more principals;
  
  wherein said query requires an operation to a base table that belongs to said multiple tables, said operation requiring a privilege to perform, wherein each row of rows in said base table is associated with an ACL of said subset of said plurality of ACLs;
  
  a database server rewriting said query to generate a first rewritten query to access said second table and that includes a predicate based on a set of one or more ACLs that grant one or more principles said privilege, wherein said predicate causes execution of said first rewritten query to;
  
  generate said set of one or more ACLs by at least performing an index evaluation on said second index; and
  
  perform an index evaluation based on the predicate to determine which one or more rows in said base table are associated with said set of one or more ACLs, without accessing said one or more rows in the base table to identify said one or more rows, said index evaluation based on the predicate accessing a first index on said base table using said set of one or more ACLs, wherein said first index is ordered by key values of a key of said first index, wherein each key value of said key values identifies an ACL of said plurality of ACLs.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more non-transitory storage media of claim 9, wherein said sequences of instructions include instructions that, when executed by said one or more computing devices, cause:
    - rewriting said query to generate a second rewritten query, wherein said rewriting causes, when said second rewritten query is executed, a functional evaluation of certain rows from said base table to determine which of said certain rows satisfy one or more access control criteria for said privilege;
      
      causing a comparison between a cost for executing said first rewritten query and a cost for executing said second rewritten query; and
      
      determining whether to execute the first rewritten query based on said comparison.
  - 11. The one or more non-transitory storage media of claim 10, wherein said cost for executing said first rewritten query is based on a selectivity of said one or more access control criteria, wherein said selectivity is estimated by determining a proportion of said plurality of ACLs associated with said one or more principals.
  - 12. The one or more non-transitory storage media of claim 10, wherein:
    - said functional evaluation includes an execution of an access control function that returns a result indicating whether said access control criteria is satisfied; and
      
      said sequences of instructions include instructions, that when executed by said one or more computing devices, cause invoking a user-registered function that returns information for costs associated with executing said access control function.
  - 13. The one or more non-transitory storage media of claim 9, wherein said first table is a database table.
  - 14. The one or more non-transitory storage media of claim 13, wherein said plurality of ACLs are stored as data that conforms to XML.
  - 15. The one or more non-transitory storage media of claim 14, wherein said sequences of instructions include instructions that, when executed by said one or more computing devices, cause a database server computing queries that reference data in said plurality of ACLs using at least one expression confirming to at least one of XPath or XQuery.
  - 16. The one or more non-transitory storage media of claim 9, wherein said base table includes a hidden column that stores an identifier that identifies an ACL associated with a row in said base table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Murthy, Ravi
Primary Examiner(s)
Thomas, Ashish
Assistant Examiner(s)
Ohba, Mellissa M.

Application Number

US11/442,002
Publication Number

US 20070276835A1
Time in Patent Office

4,764 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/6227 where protection concerns t...

Techniques for efficient access control in a database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for efficient access control in a database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links