Column masking of tables

US 20050144176A1
Filed: 01/23/2004
Published: 06/30/2005
Est. Priority Date: 12/24/2003
Status: Active Grant

First Claim

Patent Images

1. A machine-implemented method for managing access to data, the method comprising the steps of:

detecting that a database command is issued;

wherein said database command requires access to at least one column in a table;

rewriting said database command by creating a modified database command, based on the database command;

wherein the modified database command specifies whether to mask a value of at least one column by returning a mask of the value instead of the value; and

executing said modified database command.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Returning rows having column values masked is disclosed. In response to receiving a database command, a modified database command is created that specifies whether to mask a value by returning a mask of the value instead of the value. In an embodiment, the condition expression is included in a policy function that is referenced by a policy. In an embodiment, the policy determines how the condition expressions are used. The condition expression may be used to determine which column values to mask. The condition expression may also be used to filter which rows are returned.

100 Citations

View as Search Results

20 Claims

1. A machine-implemented method for managing access to data, the method comprising the steps of:
- detecting that a database command is issued;
  
  wherein said database command requires access to at least one column in a table;
  
  rewriting said database command by creating a modified database command, based on the database command;
  
  wherein the modified database command specifies whether to mask a value of at least one column by returning a mask of the value instead of the value; and
  
  executing said modified database command.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein said database command requests at least two values located in at least two columns;
    - wherein each of the two values are located in a different one of the at least two columns; and
      
      wherein the step of executing the modified database command includes at least returning at least one of the at least two values, and returning a masked value instead of at least a second of the at least two values.
  - 3. The method of claim 1, wherein the modified database command includes at least a condition expression returned by a policy function.
  - 4. The method of claim 1, wherein the masked value is returned for rows that are retrieved for the database command issued, do not satisfy the condition, and to which access privileges are granted.
  - 5. The method of claim 1, further comprising:
    - storing metadata that associates a list of one or more columns with a policy used for controlling access to the one or more columns;
      
      wherein the step of rewriting is performed if a match is found between the at least one column to which the database command requires access and the list of one or more columns.
  - 6. The method of claim 1, further comprising:
    - storing metadata that associates a list of one or more columns with a policy used for controlling access to the one or more columns;
      
      wherein the step of creating is not performed if a match is not found between the list of one or more columns and the at least one column to which the database command requires access.
  - 7. The method of claim 1, further comprising:
    - creating a policy function that returns a condition expression;
      
      wherein the step of creating the modified database command includes incorporating the condition expression and the database command into the modified database command.
  - 8. The method of claim 7, further comprising:
    - creating a policy referencing the policy function and specifying trigger columns that trigger implementing the policy.
  - 9. The method of claim 1, further comprising registering a policy function with a database server, wherein the policy function returns a condition expression and the modified database command is based on the condition expression.
  - 12. The machine readable medium of claim 1, wherein said database command requests at least two values located in at least two columns;
    - wherein each of the two values are located in a different one of the at least two columns; and
      
      wherein the step of executing the modified database command includes at least returning at least one of the at least two values, and returning a masked value instead of at least a second of the at least two values.
  - 13. The machine-readable medium of claim 1, wherein the modified database command includes at least a condition expression returned by a policy function.
  - 14. The machine-readable medium of claim 1, wherein the masked value is returned for rows that are retrieved for the database command issued, do not satisfy the condition, and to which access privileges are granted.
  - 15. The machine-readable medium of claim 1, wherein the method further comprises:
    - storing metadata that associates a list of one or more columns with a policy used for controlling access to the one or more columns;
      
      wherein the step of rewriting is performed if a match is found between the at least one column to which the database command requires access and the list of one or more columns.
  - 16. The machine-readable medium of claim 1, wherein the method further comprises:
    - storing metadata that associates a list of one or more columns with a policy used for controlling access to the one or more columns;
      
      wherein the step of creating is not performed if a match is not found between the list of one or more columns and the at least one column to which the database command requires access.
  - 17. The machine-readable medium of claim 1, wherein the method further comprises:
    - creating a policy function that returns a condition expression;
      
      wherein the step of creating the modified database command includes incorporating the condition expression and the database command into the modified database command.
  - 18. The machine-readable medium of claim 7, wherein the method further comprises:
    - creating a policy referencing the policy function and specifying trigger columns that trigger implementing the policy.
  - 19. The machine-readable medium of claim 1, wherein the method further comprises registering a policy function with a database server, wherein the policy function returns a condition expression and the modified database command is based on the condition expression.

10. A machine-implemented method for managing access to data, the method comprising the steps of:
- detecting that a database command is issued;
  
  detecting that said database command requires access to at least one column in a table;
  
  in response to detecting that the database command requires access to the at least one column, creating a modified database command by selectively adding zero or more predicates that are satisfied by rows in said table to which said user is permitted access.

11. A machine-readable medium carrying one or more sequences of instructions, which when executed by one or more processors, causes the one or more processors to perform a method comprising the steps of:
- detecting that a database command is issued;
  
  wherein said database command requires access to at least one column in a table;
  
  rewriting said database command by creating a modified database command, based on the database command;
  
  wherein the modified database command specifies whether to mask a value of at least one column by returning a mask of the value instead of the value; and
  
  executing said modified database command.

20. A machine-readable medium carrying one or more sequences of instructions, which when executed by one or more processors, causes the one or more processors to perform a method comprising the steps of:
- detecting that a database command is issued;
  
  detecting that said database command requires access to at least one column in a table;
  
  in response to detecting that the database command requires access to the at least one column, creating a modified database command by selectively adding zero or more predicates that are satisfied by rows in said table to which said user is permitted access.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Edwards, Kristy Browder, Lei, Chon Hei, Wong, Daniel Manhung, Keefe, Thomas

Granted Patent

US 7,310,647 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/2452   Query translation

G06F 16/24553   of query operations

G06F 21/6227   where protection concerns t...

Y10S 707/99942   Manipulating data structure...

Column masking of tables

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

100 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Column masking of tables

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links