Systems and methods that optimize row level database security
First Claim
1. A system that facilitates database security, comprising:
an input component that receives a query; and
a query management component that utilizes rules of predicate to augment the query with at least row-level security expressions, wherein the augmented query is utilized to search data and return rows of data that at least satisfy an aggregate of the row-level security expressions.
Abstract
The systems and methods of the present invention facilitate database row-level security by utilizing SQL extensions to create named security expressions and associate them with one or more query initiators. Such expressions include Boolean expressions that a row of data must satisfy before that row is made accessible to the query initiator. In general, a query is augmented with security expressions, which are aggregated and utilized when querying rows of data. The systems and methods variously place security expressions within a query in order to optimize query performance while mitigating information leaks. This is achieved by tagging security expressions as special and utilizing rules of predicate to pull or push non-security expressions above or below the security expressions, depending on the likelihood of a non-security expression being safe, as determined via a static and/or dynamic analysis.
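As an added illustration, not part of the patent text, the following toy Python evaluator models the placement rule the abstract describes: predicates are tagged as security or non-security, safe non-security filters are pushed below the security expressions, and unsafe ones are pulled above them so an error they raise can never reveal anything about a row the initiator may not see. The table, the ownership policy and the safety verdicts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Predicate:
    name: str
    fn: Callable[[dict], bool]
    security: bool = False  # tagged as a row-level security expression
    safe: bool = True       # verdict of a (here, hand-supplied) safety analysis

def order_predicates(preds):
    """Rules of predicate: safe non-security filters go below (before) the security
    expressions; unsafe ones go above (after) them so they never see a hidden row."""
    safe_non_sec = [p for p in preds if not p.security and p.safe]
    sec = [p for p in preds if p.security]
    unsafe_non_sec = [p for p in preds if not p.security and not p.safe]
    return safe_non_sec + sec + unsafe_non_sec

def run_query(rows, preds):
    """Conjunctive WHERE with short-circuit; errors are recorded per row (a real engine aborts)."""
    matched, errors = [], []
    for row in rows:
        try:
            if all(p.fn(row) for p in preds):
                matched.append(row)
        except ArithmeticError as exc:
            errors.append((row["id"], type(exc).__name__))
    return matched, errors

# Constructed table: each row is visible only to its owner.
SALARIES = [
    {"id": 1, "owner": "alice", "salary": 5000, "bonus_div": 2},
    {"id": 2, "owner": "bob", "salary": 9000, "bonus_div": 0},
]

def security_expr_for(user):
    """Named security expression associated with the query initiator (assumed policy)."""
    return Predicate("owner_only", lambda r: r["owner"] == user, security=True)

# Expressions from the initiator's own query; the division is flagged unsafe because
# an error raised on a hidden row would reveal something about that row's contents.
USER_FILTER = Predicate("bonus_ratio", lambda r: r["salary"] / r["bonus_div"] > 100, safe=False)
CHEAP_FILTER = Predicate("salary_cap", lambda r: r["salary"] < 10000)

def query_as(user, optimize=True):
    preds = [USER_FILTER, CHEAP_FILTER, security_expr_for(user)]
    if optimize:
        preds = order_predicates(preds)
    return run_query(SALARIES, preds)
```

Without the placement rule, alice's query trips a division error on bob's row; with it, the security expression rejects that row before the unsafe expression runs.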
28 Claims
1. As given under First Claim above. (Dependent claims: 2 to 14.)
15. A method for employing row-level database security, comprising:
obtaining one or more row-level security expressions for a query, based on the source of the query; and
inserting the one or more row-level security expressions into the query so that the security expressions are utilized to evaluate a row of data prior to executing an unsafe non-security expression. (Dependent claims: 16 to 25.)
26. A data packet transmitted between two or more computer components that facilitates row-level database security, comprising:
a query with one or more security expressions created via SQL and located therein based on rules of predicate, which are utilized to evaluate a row of data in order to provide access to the row of data when the security expressions are satisfied.
27. A computer readable medium storing computer executable components to facilitate row-level database security, comprising:
a component that grafts security expressions for a user into a statement;
a component that adds the statement to a query initiated by the user;
a component that optimizes the placement of the statement within the query; and
a component that queries rows of data based on the statement and returns rows of data that satisfy the statement.
28. A database security system, comprising:
means for augmenting queries with row level security expressions;
means for positioning the row level security expressions within the query to improve performance or mitigate data leaks;
means for evaluating rows of data with the row level security expressions; and
means for providing access to rows of data that satisfy the row level security expressions to users.
Specification