Method and system for managing security policies for databases in a distributed system

US 20060085837A1
Filed: 10/14/2004
Published: 04/20/2006
Est. Priority Date: 10/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method for managing security policies for databases in a distributed system, comprising:

creating a plurality of security policies, wherein each security policy is a label security policy;

storing the plurality of security policies in a directory;

propagating the plurality of security policies from the directory to each of a plurality of databases in the distributed system using Directory Integration Platform server; and

storing labels for one or more of the plurality of security policies in policy columns of one or more tables in each of the plurality of databases.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates managing security policies for databases in a distributed system. During operation, the system creates multiple label security policies. The system stores these security policies in a directory and automatically propagates them from the directory to each database within the distributed system. In doing so, the system allows for applying policies to individual tables and schema in any database in the distributed system. The system facilitates centralized administration of security policies and removes the need for replicating policies, since the policy information is available in the directory.

Citations

21 Claims

1. A method for managing security policies for databases in a distributed system, comprising:
- creating a plurality of security policies, wherein each security policy is a label security policy;
  
  storing the plurality of security policies in a directory;
  
  propagating the plurality of security policies from the directory to each of a plurality of databases in the distributed system using Directory Integration Platform server; and
  
  storing labels for one or more of the plurality of security policies in policy columns of one or more tables in each of the plurality of databases.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising managing access to a database by:
    - receiving a request to perform an operation on a specified table in the database;
      
      determining which policies in the plurality of security policies apply to the specified table based on a policy set of one or more policies associated with the specified table; and
      
      determining whether to perform the operation on a row of the specified table based on a set of labels associated with the row and the set of labels and privileges associated with a user, wherein the set of labels is obtained from the policy set.
  - 3. The method of claim 2, further comprising adding a policy column to the specified table for each policy in the policy set associated with the specified table.
  - 4. The method of claim 3, further comprising storing a label in the policy column for each row. The label is from the set of labels associated with the policy.
  - 5. The method of claim 3, wherein determining which policies apply further comprises determining whether a column is the policy column;
    - and enforcing access controls based on a label in the policy column.
  - 6. The method of claim 2, wherein the policy set associated with the specified table includes two or more policies.
  - 7. The method of claim 1, further comprising providing feedback from a database indicating that a policy is in use to update policy information within the directory when a security policy is applied to tables and schemas, thereby ensuring that security policies that are in-use will not be dropped from the directory.

8. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing security policies for databases in a distributed system, the method comprising:
- creating a plurality of security policies, wherein each security policy is a label security policy;
  
  storing the plurality of security policies in a directory;
  
  propagating the plurality of security policies from the directory to each of a plurality of databases in the distributed system using Directory Integration Platform server; and
  
  storing labels for one or more of the plurality of security policies in policy columns of one or more tables in each of the plurality of databases.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, the method further comprising managing access to a database of the plurality of databases by:
    - receiving a request to perform an operation on a specified table in the database;
      
      determining which policies in the plurality of security policies apply to the specified table based on a policy set of one or more policies associated with the specified table; and
      
      determining whether to perform the operation on a row of the specified table based on a set of labels associated with the row and the set of labels and privileges associated with a user, wherein the set of labels is obtained from the policy set.
  - 10. The computer-readable storage medium of claim 9, the method further comprising adding a policy column to the specified table for each policy in the policy set associated with the specified table.
  - 11. The computer-readable storage medium of claim 10, the method further comprising storing a label in the policy column for each row. The label is from the set of labels associated with the policy.
  - 12. The computer-readable storage medium of claim 10, wherein determining which policies apply further comprises determining whether a column is the policy column;
    - and enforcing access controls based on a label in the policy column.
  - 13. The computer-readable storage medium of claim 9, wherein the policy set associated with the specified table includes two or more policies.
  - 14. The computer-readable storage medium of claim 8, the method providing feedback from a database indicating that a policy is in use to update policy information within the directory when a security policy is applied to tables and schemas, thereby ensuring that security policies that are in-use will not be dropped from the directory.

15. An apparatus for managing security policies for databases in a distributed system, comprising:
- a creating mechanism configured to create a plurality of security policies, wherein each security policy is a label security policy;
  
  a storing mechanism configured to store the plurality of security policies in a directory;
  
  a propagating mechanism configured to propagate the plurality of security policies from the directory to to each of a plurality of databases in the distributed system using Directory Integration Platform server; and
  
  wherein the storing mechanism is further configured to store labels for one or more of the plurality of security policies in policy columns of a table in each of the plurality of databases.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, further comprising an access mechanism configured to manage access to a database by:
    - receiving a request to perform an operation on a specified table in the database;
      
      determining which policies in the plurality of security policies apply to the specified table based on a policy set of one or more policies associated with the specified table; and
      
      determining whether to perform the operation on a row of the specified table based on a set of labels associated with the row and the set of labels and privileges associated with a user, wherein the set of labels is obtained from the policy set.
  - 17. The apparatus of claim 16, further comprising an adding mechanism configured to add a policy column to the specified table for each policy in the policy set associated with the specified table.
  - 18. The apparatus of claim 17, wherein the storing mechanism is further configured to store a label in the policy column for each row. The label is from the set of labels associated with the policy.
  - 19. The apparatus of claim 17, wherein determining which policies apply further comprises determining whether a column is the policy column;
    - and enforcing access controls based on a label in the policy column.
  - 20. The apparatus of claim 16, wherein the policy set associated with the specified table includes two or more policies.
  - 21. The apparatus of claim 15, further comprising a feedback mechanism configured to provide feedback from a database indicating that a policy is in use to update policy information within the directory when a security policy is applied to tables and schemas, thereby ensuring that security policies that are in-use will not be dropped from the directory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Shiu Kau, Tata, Srividya, Pesati, Vikram Reddy

Granted Patent

US 7,657,925 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and system for managing security policies for databases in a distributed system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security policies for databases in a distributed system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links