Attribute relevant access control policies

US 20040139043A1
Filed: 01/13/2003
Published: 07/15/2004
Est. Priority Date: 01/13/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method for executing database commands, comprising the computer-implemented steps of:

receiving a database command that references a set of attributes of a database object;

determining which attributes of the set of attributes are referenced in the database command; and

based on which of the attributes are referenced, determining whether to modify the database command prior to executing the database command.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for attribute relevant access control policies is provided. According to one embodiment, a determination is made as to whether to modify a query based on which attributes of a database object are referenced in the query. Further, if the query references one or more attributes of the database object that are restricted, the query may be modified based on attribute restriction metadata. According to another embodiment, users are restricted from accessing data from the restricted attributes by masking the data before returning it to the users. According to yet another embodiment, certain data from restricted attributes may be masked before returning it to users while other data from restricted attributes may be returned without modification.

178 Citations

20 Claims

1. A method for executing database commands, comprising the computer-implemented steps of:
- receiving a database command that references a set of attributes of a database object;
  
  determining which attributes of the set of attributes are referenced in the database command; and
  
  based on which of the attributes are referenced, determining whether to modify the database command prior to executing the database command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 20)
- - 2. The method of claim 1, wherein the step of determining whether to modify the database command includes the step of determining whether the database command references a restricted attribute.
  - 3. The method of claim 2, wherein the step of determining whether to modify the database command includes the step of determining whether to modify the database command based on where within the database command the restricted attribute is referenced.
  - 4. The method of claim 2, wherein the step of determining whether to modify the database command further comprises the step of determining whether to modify the database command based on whether the restricted attribute is in a select list of the database command.
  - 5. The method of claim 2, wherein the step of determining whether to modify the database command further comprises the step of determining whether to modify the database command based on whether the restricted attribute is in a filter list of the database command.
  - 6. The method of claim 1 further comprising the step of in response to determining whether to modify the database command, modifying the database command.
  - 7. The method of claim 6, wherein the step of modifying the database command, further comprises the step of adding one or more predicates to the database command based on attribute restriction metadata.
  - 8. The method of claim 1, further comprising the step of receiving data that indicates which attributes of the set of attributes are restricted.
  - 9. The method of claim 8, wherein the step of receiving the data further includes the step of using an Application Program Interface (API) to receive the data.
  - 10. The method of claim 1, wherein the step of determining whether to modify the database command includes the step of comparing one or more restricted attributes to one or more referenced attributes to determine which of the one or more referenced attributes are restricted.
  - 11. The method of claim 1, wherein the database object is a table and the attributes of the database object are columns in the table.
  - 20. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in any one of claims 1-19.

12. A method for executing database commands, comprising the computer-implemented steps of:
- receiving a database command that references a set of attributes of a database object;
  
  determining which attributes in the set of attributes are restricted; and
  
  generating a result set;
  
  wherein the result set includes a set of rows;
  
  wherein each row in the set of rows includes values for each attribute of the set of attributes;
  
  wherein, for at least one row of the set of rows, values for restricted attributes in the set of attributes are not values from the database object.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 wherein, for all rows of the set of rows, the values for the restricted attributes are masked.
  - 14. The method of claim 12 wherein, at least one row of the set of rows comprises an unmasked value for at least one of the restricted attributes.
  - 15. The method of claim 12 wherein the step of determining which attributes in the set of attributes are restricted, further comprises the step of determining which attributes in the set of attributes are restricted based on attribute restriction metadata.
  - 16. The method of claim 12, further comprising the step of receiving data that indicates which attributes of the set of attributes are restricted.
  - 17. The method of claim 16, wherein the step of receiving the data further includes the step of using an Application Program Interface (API) to receive the data.
  - 18. The method of claim 12, wherein the step of determining which attributes in the set of attributes are restricted further includes the step of comparing one or more restricted attributes to one or more referenced attributes to determine which of the one or more referenced attributes are restricted.
  - 19. The method of claim 12, wherein the database object is a table and the attributes of the database object are columns in the table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Keefe, Thomas, Hung Wong, Daniel Man, Lei, Chon Hei

Application Number

US10/341,797
Publication Number

US 20040139043A1
Time in Patent Office

Days
Field of Search
US Class Current

707/1
CPC Class Codes

G06F 21/6227 where protection concerns t...

Attribute relevant access control policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

178 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Attribute relevant access control policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

178 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links