Computer relational database method and system having role based access control
First Claim
1. A method of controlling access to secured data, comprising:
- operatively coupling a repository to one or more databases storing secure data;
- employing the repository, intercepting a user query of one database of the one or more databases;
- automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
- parsing the user query to identify which secure data is to be accessed by the user query;
- looking up security information of the secure data to be accessed to determine access rules for the secure data to be accessed, wherein the security information is not stored within the one database;
- dynamically adjusting the security information at runtime;
- based on the user role and the security information, automatically building an expression tree to filter out secure data for which the user does not have access rights, wherein the expression tree comprises a plurality of expressions based on a scope of the secure data to be accessed and a task associated with the user role;
- modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
- applying the modified query to the one database.
Abstract
A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on the user role, the security runtime subsystem automatically modifies the user query to filter out secure data that is part of the user query but that the identified user is not authorized to access.
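The flow summarised above (intercept, resolve the role, look up rules held outside the database, build a filter tree from scope and task, append it, apply) is sketched below as an added example; it is not the patent's implementation. All names (`USER_ROLES`, `RULES`, `rewrite`, `run`, the `orders` table and its columns) are hypothetical, `conn` is assumed to be a `sqlite3` connection, and the parenthesis and subquery checks are an added safeguard rather than a step recited in the claims.

```python
import re
from itertools import accumulate

# Constructed security metamodel, held outside the queried database:
# (role, table) -> {task: scope}; a scope maps a column to its permitted values.
USER_ROLES = {"alice": "emea_analyst", "bob": "auditor"}
RULES = {
    ("emea_analyst", "orders"): {"read": {"region": ["EMEA"], "label": ["public", "internal"]}},
    ("auditor", "orders"): {"read": {}},  # empty scope: every row
}
QUERY = re.compile(r"\s*select\s+(?P<cols>[\w\s,*]+?)\s+from\s+(?P<table>\w+)"
                   r"(?:\s+where\s+(?P<where>.+?))?\s*", re.I | re.S)
LITERAL = re.compile(r"'(?:[^']|'')*'")

def build_tree(role, table, task="read"):
    """Expression tree ('and', [('in', column, values), ...]), or None to deny."""
    scope = RULES.get((role, table), {}).get(task)
    return None if scope is None else ("and", [("in", c, list(v)) for c, v in scope.items()])

def render(node):
    """Tree -> (sql, params); rule values are bound, never inlined."""
    if node[0] == "in":
        return f"{node[1]} IN ({','.join('?' * len(node[2]))})", node[2]
    parts = [render(child) for child in node[1]]
    return (" AND ".join(f"({s})" for s, _ in parts) or "1=1",
            [p for _, ps in parts for p in ps])

def contained(where):
    """True if the predicate cannot escape the parentheses wrapped around it."""
    bare = LITERAL.sub("", where)  # drop quoted literals before inspecting
    depths = list(accumulate((c == "(") - (c == ")") for c in bare))
    balanced = not depths or (min(depths) >= 0 and depths[-1] == 0)
    plain = re.fullmatch(r"[\w\s().,=<>!]*", bare) and not re.search(r"\bselect\b", bare, re.I)
    return bool(balanced and plain)

def rewrite(user, query):
    """Parse the intercepted query, then append the role's filter; fail closed."""
    m = QUERY.fullmatch(query)
    if not m or (m["where"] and not contained(m["where"])):
        raise PermissionError("unsupported query shape")
    tree = build_tree(USER_ROLES.get(user), m["table"].lower())
    if tree is None:
        raise PermissionError("no rule for this role and table")
    filt, params = render(tree)
    where = f"({m['where']}) AND ({filt})" if m["where"] else filt
    return f"SELECT {m['cols']} FROM {m['table']} WHERE {where}", params

def run(conn, user, query):  # apply the modified query to the database
    return conn.execute(*rewrite(user, query)).fetchall()
```

Wrapping the user's own predicate in parentheses before the `AND` is what keeps an `OR 1=1` inside the role filter; editing `RULES` between calls changes the appended filter without touching the database.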
12 Claims
1. A method of controlling access to secured data, as recited in full under First Claim above.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 12
10. A non-transitory computer readable storage medium having a computer readable program embodied therein that when executed causes a computing system to perform a method of controlling access to secured data, wherein the method comprises:
- operatively coupling a repository to a plurality of databases storing secure data;
- employing the repository to intercept a user query of one database of the plurality of databases;
- automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
- parsing the user query to identify which secure data is to be accessed by the user query and to identify objects in the one database that are to be accessed as part of the user query;
- looking up security information of the secure data to be accessed to determine access rules for the secure data to be accessed, wherein the security information is stored in a metamodel decoupled from the one database, the security information qualifying which objects of the one database are accessible by certain user roles, the repository being further configured to look up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query;
- using the repository to secure the security information;
- dynamically adjusting the security information at runtime;
- based on the user role and the security information, automatically building an expression tree to filter out secure data for which the user does not have access rights, wherein the expression tree comprises a plurality of expressions based on a scope of the secure data to be accessed and a task associated with the user role;
- modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
- applying the modified query to the one database.
Dependent claims: 11
Specification