Computer relational database method and system having role based access control

US 10,430,430 B2
Filed: 03/11/2011
Issued: 10/01/2019
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to secured data, comprising:

operatively coupling a repository to one or more databases storing secure data;

employing the repository, intercepting a user query of one database of the one or more databases;

automatically determining from the user query, a user who generated the user query and a user role assigned to the user;

parsing the user query to identify which secure data is to be accessed by the user query;

looking up security information of the secure data to be accessed to determine access rules for the secure data to be accessed, wherein the security information is not stored within the one database;

dynamically adjusting the security information at runtime;

based on the user role and the security information, automatically building an expression tree to filter out secure data for which the user does not have access rights, wherein the expression tree comprises a plurality of expressions based on a scope of the secure data to be accessed and a task associated with the user role;

modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and

applying the modified query to the one database.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on user role, the security runtime subsystem automatically modifies the user query to filter out secure data for which the identified user is unauthorized to access but are part of the user query.

Citations

12 Claims

1. A method of controlling access to secured data, comprising:
- operatively coupling a repository to one or more databases storing secure data;
  
  employing the repository, intercepting a user query of one database of the one or more databases;
  
  automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
  
  parsing the user query to identify which secure data is to be accessed by the user query;
  
  looking up security information of the secure data to be accessed to determine access rules for the secure data to be accessed, wherein the security information is not stored within the one database;
  
  dynamically adjusting the security information at runtime;
  
  based on the user role and the security information, automatically building an expression tree to filter out secure data for which the user does not have access rights, wherein the expression tree comprises a plurality of expressions based on a scope of the secure data to be accessed and a task associated with the user role;
  
  modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified query to the one database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 12)
- - 2. A method of claim 1 further comprising parsing the user query and identifying objects in the one database that are to be accessed as part of the user query.
  - 3. A method of claim 2 wherein the user query includes an indication of the user;
    - andthe repository is further configured to look up security information of the identified objects in a metamodel of the one database, and resolve any group memberships.
  - 4. A method of claim 2 further comprising storing in a metamodel of the one database, security information that qualifies which data objects are accessible by certain user roles, andthe repository being further configured to look up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query.
  - 5. A method of claim 4 further comprising:
    - using the repository to secure the security information.
  - 6. A method of claim 1 wherein the automatically determining and modifying include decoupling objects and row level security from the database.
  - 7. A method of claim 1 further comprising processing the modified query on the one database and returning results of the modified query to the user.
  - 8. A method of claim 1 wherein the one database is a relational database.
  - 9. A method as claimed in claim 1 wherein the one or more databases are unrelated to each other and non-centrally managed.
  - 12. A method of claim 8 wherein the modifying the user query includes inserting an SQL Where clause to filter out certain secure data/objects in the database that are part of the user query.

10. A non-transitory computer readable storage medium having a computer readable program embodied therein that when executed causes a computing system to perform a method of controlling access to secured data, wherein the method comprises:
- operatively coupling a repository to a plurality of databases storing secure data;
  
  employing the repository to intercept a user query of one database of the plurality of databases;
  
  automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
  
  parsing the user query to identify which secure data is to be accessed by the user query and to identify objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of the secure data to be accessed to determine access rules for the secure data to be accessed, wherein the security information is stored in a metamodel decoupled from the one database, the security information qualifying which objects of the one database are accessible by certain user roles,the repository being further configured to look up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query;
  
  using the repository to secure the security information;
  
  dynamically adjusting the security information at runtime;
  
  based on the user role and the security information, automatically building an expression tree to filter out secure data for which the user does not have access rights, wherein the expression tree comprises a plurality of expressions based on a scope of the secure data to be accessed and a task associated with the user role;
  
  modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified query to the one database.
- View Dependent Claims (11)
- - 11. The non-transitory computer readable storage medium as claimed in claim 10, wherein the employing of the repository to intercept the user query of the one database of the plurality of databases further comprises employing the database to intercept the user query of the one database that is a relational database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Muller, Leslie, Wasser, Michael Morris, Maestro, Alberto Arias
Primary Examiner(s)
Trujillo, James
Assistant Examiner(s)
Mina, Fatima P

Application Number

US13/046,209
Publication Number

US 20110302180A1
Time in Patent Office

3,126 Days
Field of Search

707713, 707716, 707717, 707781, 707999003
US Class Current
CPC Class Codes

G06F 16/212   with details for data model...

G06F 16/24549   Run-time optimisation

G06F 16/24565   Triggers; Constraints

G06F 16/2471   Distributed queries

G06F 16/27   Replication, distribution o...

G06F 16/283   Multi-dimensional databases...

G06F 16/284   Relational databases

G06F 16/9535   Search customisation based ...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Computer relational database method and system having role based access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Computer relational database method and system having role based access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links