System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

US 20030191768A1
Filed: 04/04/2003
Published: 10/09/2003
Est. Priority Date: 06/21/2000
Status: Active Grant

First Claim

Patent Images

1. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:

receiving a query;

receiving an access control output from at least one algorithm from an information management system (IMS); and

in response to the query and the access control output, populating a view for presentation thereof to the user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for an information management system (IMS) having an underlying relational database management system (RDBMS) that allows applications to access the RDBMS directly for improved performance without going through the IMS, while maintaining access control. An access control list (ACL) is generated, with tables in the RDBMS being bound using codes in the ACL. At run time or, more preferably, pre-run time, user-defined functions (UDF) evaluate access control attributes and generate an access authorization table, which is joined with the appropriate information table(s) in response to a query against a view on the table. The view is presented to the querying user. Thus, access control rules are encapsulated in the view that is presented to the user.

44 Citations

View as Search Results

37 Claims

1. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:
- receiving a query;
  
  receiving an access control output from at least one algorithm from an information management system (IMS); and
  
  in response to the query and the access control output, populating a view for presentation thereof to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the query is received from an application, the system includes a database management system (DBMS), and the application directly communicates with the DBMS.
  - 3. The system of claim 2, wherein the method acts further comprise:
    - defining at least one view on at least one table in the database;
      
      executing a query against the view using at least the access control output; and
      
      returning the results of the query against the view.
  - 4. The system of claim 3, wherein the access control output is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.
  - 5. The system of claim 4, wherein the tables are joined using a join key, and the join key is at least one access control code.
  - 6. The system of claim 5, wherein multiple rows of the information table are bound using respective multiple access control codes.
  - 7. The system of claim 5, wherein all rows of the information table are bound using a single access control code.

8. A method for enforcing at least one information management system (IMS) access control rule in a data system including at least one application accessing at least one IMS associated with a database management system (DBMS), the application accessing the DBMS using at least one direct communication path bypassing the IMS, the method comprising:
- receiving a specification for IMS data schema;
  
  generating a DBMS view in response to the specification, the view encapsulating the IMS access control rule; and
  
  presenting the view to a user via the direct communication path.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising:
    - defining at least one view on at least one table controlled by the DBMS;
      
      executing a query against the view using at least the access control rule; and
      
      returning the results of the query against the view.
  - 10. The method of claim 9, wherein the access control rule is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.
  - 11. The method of claim 10, wherein the tables are joined using a join key, and the join key is at least one access control code.
  - 12. The method of claim 11, wherein multiple rows of the information table are bound using respective multiple access control codes.
  - 13. The method of claim 11, wherein all rows of the information table are bound using a single access control code.

14. A system, comprising:
- at least one information management system (IMS);
  
  at least one application communicating with the IMS; and
  
  at least one relational database management system (RDBMS) communicating with the IMS, the application communicating directly with the RDBMS via at least one direct communication path not including the IMS.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the system undertakes method acts to enforce at least one access control rule, the method acts comprising:
    - receiving a query for data from the application; and
      
      in response to the query presenting the view to a user via the direct communication path, the view encapsulating the access control rule.
  - 16. The system of claim 15, wherein the method acts further comprise:
    - defining at least one view on at least one table controlled by the DBMS;
      
      executing a query against the view using at least the access control rule; and
      
      returning the results of the query against the view.
  - 17. The system of claim 16, wherein the access control rule is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.
  - 18. The system of claim 17, wherein the tables are joined using a join key, and the join key is at least one access control code, wherein multiple rows of the information table are bound using respective multiple access control codes.

19. A method for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, comprising:
- providing at least one Access Authorization table (AAT), the AAT containing data representing high level access control rules;
  
  providing at least one information table in the RDBMS; and
  
  in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules.
- View Dependent Claims (20, 21, 22)
- - 20. The method of claim 19, further comprising:
    - defining at least one view on at least one table controlled by the DBMS;
      
      executing a query against the view using at least the access control rule; and
      
      returning the results of the query against the view.
  - 21. The method of claim 20, wherein the tables are joined using a join key, and the join key is at least one access control code binding the information table to the access control rule.
  - 22. The method of claim 21, wherein multiple rows of the information table are bound using respective multiple access control codes.

23. A computer program product including computer usable code means programmed with logic for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, the program product comprising:
- computer readable code means for binding at least one RDBMS table using one or more access control list (ACL) codes representing the high level access control rules;
  
  computer readable code means for issuing a query from the application against an RDBMS view; and
  
  computer readable code means for returning the result of the query against the view.
- View Dependent Claims (24)
- - 24. The product of claim 23, wherein rows of at least one table are bound using respective ACL codes, the ACL code for at least a first row being different than the ACL code for at least a second row in the same table as the first row.

25. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:
- storing the database in a second system;
  
  maintaining access control specifications that restrict access to data;
  
  allowing a user to access data directly through the second system; and
  
  in response to the direct access by the user, causing the second system to enforce the access control specifications without intervention from the data system.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 26. The system of claim 25, wherein the user is an application.
  - 27. The system of claim 25, wherein the data system supports a data model that is different from a data model supported by the second system.
  - 28. The system of claim 25, wherein the data system supports a data model that is different from a data model supported by the second system, whereby the access control specifications are not directly enforceable by a native access control capability of the second system.
  - 29. The system of claim 25, wherein the second system is a database management system (DBMS).
  - 30. The system of claim 29, wherein the second system is a relational database management system (RDBMS).
  - 31. The system of claim 30, wherein the access control specifications are stored in at least a first table in the RDBMS.
  - 32. The system of claim 31, wherein the method acts include:
    - creating at least one RDBMS view by joining a data table with the first table, wherein the view can be used by the user for directly accessing data.
  - 33. The system of claim 32, wherein the view includes at least one UDF on the first table, the UDF implementing the data system'"'"'s access control model.
  - 34. The system of claim 32, wherein the view is created when the data table is created.
  - 35. The system of claim 31, wherein resolutions of the access control specifications are computed using the data system'"'"'s access control model, and are stored in an access authorization table (AAT) in the RDBMS.
  - 36. The system of claim 35, wherein at least one RDBMS view is created, the view is a join between a data table and the AAT, and the view is used by a user for direct access to data.
  - 37. The system of claim 36, wherein the view is created when the data table is created.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Choy, David Mun-Hien

Granted Patent

US 7,216,126 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/284   Relational databases

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/954   Relational

Y10S 707/99939   Privileged access

System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links