Method for implementing fine-grained access control using access restrictions

US 20050246338A1
Filed: 04/30/2004
Published: 11/03/2005
Est. Priority Date: 04/30/2004
Status: Active Grant

First Claim

Patent Images

1. A data processing system-implemented method for directing a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, the data processing system-implemented method comprising:

receiving a user request to access one or more relational objects of the database;

identifying any access restrictions defined for the one or more relational objects;

determining whether any identified access restrictions are applicable to the user request;

determining whether any determined applicable access restrictions are to be enforced for the user request; and

allowing access to the one or more relational objects based on the determined enforceable access restrictions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a data processing system-implemented method, a data processing system and an article of manufacture for controlling access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects The data processing system-implemented method includes receiving a user request to access one or more relational objects of the database, identifying any access restrictions defined for the one or more relational objects, determining whether any identified access restrictions are applicable to the user request, determining whether any determined applicable access restrictions are to be enforced for the user request, and allowing access to the one or more relational objects based on the determined enforceable access restrictions.

Citations

20 Claims

1. A data processing system-implemented method for directing a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, the data processing system-implemented method comprising:
- receiving a user request to access one or more relational objects of the database;
  
  identifying any access restrictions defined for the one or more relational objects;
  
  determining whether any identified access restrictions are applicable to the user request;
  
  determining whether any determined applicable access restrictions are to be enforced for the user request; and
  
  allowing access to the one or more relational objects based on the determined enforceable access restrictions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The data processing system-implemented method as claimed in claim 1, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system-implemented method further comprising:
    - storing access restrictions for restricting user access to the database, wherein each access restriction identifies;
      
      a row or column in a relational object to which the access restriction applies, a type of access which is restricted, and information concerning one or more users to which the access restriction applies.
  - 3. The data processing system-implemented method as claimed in claim 1, wherein the determining whether any determined applicable access restrictions are to be enforced for the user request includes the step of determining whether an exception to an applicable access restriction has been defined for a user attempting the access.
  - 4. The data processing system-implemented as claimed in claim 3, wherein the user request identifies a type of access being attempted and is associated with information about a user attempting the access.
  - 5. The data processing system-implemented method as claimed in claim 4, wherein the determining whether any identified access restrictions are applicable to the user request includes the step of comparing the identified access restrictions with information about the user request concerning the type of access being attempted and the user attempting the access.
  - 6. The data processing system-implemented method as claimed in claim 5, wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about a user to which the exception applies.
  - 7. The data processing system-implemented method as claimed in claim 6, wherein the information about the user attempting the access is a user identifier or a user group identifier associated with the user.
  - 8. The data processing system-implemented method as claimed in claim 6, further comprising, after the determining whether any determined applicable access restrictions are to be enforced for the user request:
    - when an access restriction to be enforced is a column restriction for restricting access to a column in a relational object, adding the access restriction to a column list;
      
      when an access restriction to be enforced is a row restriction for restricting access to a row in a relational object, adding the access restriction to a predicate list; and
      
      constructing a definition for a view-like entity based on the column list and predicate list for allowing access to one or more relational objects based on the determined enforceable access restrictions.
  - 9. The data processing system-implemented method as claimed in claim 8, wherein the access restrictions and exceptions thereto are data entities defined in a database catalog associated with the database.

10. An article of manufacture for directing a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, the article comprising:
- a program usable medium embodying one or more executable data processing system instructions, the executable data processing system instructions comprising;
  
  executable data processing system instructions for receiving a user request to access one or more relational objects of the database;
  
  executable data processing system instructions for identifying any access restrictions defined for the one or more relational objects;
  
  executable data processing system instructions for determining whether any identified access restrictions are applicable to the user request;
  
  executable data processing system instructions for determining whether any determined applicable access restrictions are to be enforced for the user request; and
  
  , executable data processing system instructions for allowing access to the one or more relational objects based on the determined enforceable access restrictions.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The article as claimed in claim 10, wherein the elements of the relational objects comprise rows and columns thereof, the computer program product further comprises:
    - executable data processing system instructions for storing access restrictions for restricting user access to the database, wherein each access restriction identifies a row or column in a relational object to which the access restriction applies, a type of access which is restricted, and information concerning one or more users to which the access restriction applies.
  - 12. The article as claimed in claim 10, wherein the executable data processing system instructions for determining whether any determined applicable access restrictions are to be enforced for the user request includes executable data processing system instructions for determining whether an exception to an applicable access restriction has been defined for a user attempting the access.
  - 13. The article as claimed in claim 12, wherein the user request identifies a type of access being attempted and is associated with information about a user attempting the access.
  - 14. The article as claimed in claim 13, wherein the executable data processing system instructions for determining whether any identified access restrictions are applicable to the user request comprises executable data processing system instructions for comparing the identified access restrictions with information about the user request concerning the type of access being attempted and the user attempting the access.
  - 15. The article as claimed in claim 14, wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about a user to which the exception applies.
  - 16. The article as claimed in claim 15, further comprising:
    - executable data processing system instructions adding the access restriction to a column list responsive to an enforceable access restriction which is a column restriction for restricting access to a column in a relational object executable data processing system instructions restricting access to a row in a relational object for adding the access restriction to a predicate list responsive to an enforceable access restriction which is a row restriction; and
      
      executable data processing system instructions constructing a definition for a view-like entity based on the column list and predicate list for allowing access to one or more relational objects based on the determined enforceable access restrictions.

17. A data processing system for controlling access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, the data processing system comprising:
- a module for receiving a user request to access a relational object;
  
  a database catalog defining access restrictions for restricting user access to the database, wherein each access restriction identifies a row or column in a relational object to which the access restriction applies, a type of access which is restricted, and information concerning one or more users to which the access restriction applies;
  
  a restriction evaluation module including a component for identifying any access restrictions defined for the one or more relational objects, a component for determining whether any identified access restrictions are applicable to the user request, and a component for determining whether any determined applicable access restrictions are to be enforced for the user request; and
  
  a module for allowing access to the one or more relational objects based on the determined enforceable access restrictions.
- View Dependent Claims (18, 19, 20)
- - 18. The data processing system as claimed in claim 17, wherein said component for determining whether any determined applicable access restrictions are to be enforced for the user request includes a component for determining whether an exception to an applicable access restriction has been defined for a user attempting the access.
  - 19. The data processing system as claimed in claim 18, wherein the user request identifies a type of access being attempted and is associated with information about a user attempting the access, wherein said component for determining whether any identified access restrictions are applicable to the user request includes a component for comparing the identified access restrictions with information about the user request concerning the type of access being attempted and the user attempting the access, and wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about a user to which the exception applies.
  - 20. The data processing system as claimed in claim 19, said restriction evaluation module comprising:
    - a module responsive to an enforceable access restriction which is a column restriction for restricting access to a column in a relational object for adding the access restriction to a column list;
      
      a module responsive to an enforceable access restriction which is a row restriction for restricting access to a row in a relational object for adding the access restriction to a predicate list; and
      
      a module for constructing a definition for a view-like entity based on the column list and predicate list for allowing access to one or more relational objects based on the determined enforceable access restrictions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bird, Paul Miller

Granted Patent

US 7,958,150 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/24534   Query rewriting; Transforma...

G06F 16/24539   using cached or materialise...

G06F 16/90335   Query processing

G06F 21/6227   where protection concerns t...

Method for implementing fine-grained access control using access restrictions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for implementing fine-grained access control using access restrictions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links