Dynamic auditing

US 20060248084A1
Filed: 08/29/2005
Published: 11/02/2006
Est. Priority Date: 12/30/2004
Status: Active Grant

First Claim

Patent Images

1. A database system comprising:

a plurality of database objects, each database object having a level of security;

an auditing system operable to monitor database operations that are attempted to be performed on the database objects, wherein the auditing system is operable to monitor the database operations based on;

a plurality of factors, each factor representing a characteristic of a user of the database system, a plurality of rules, each rule defining a limitation on operation of the database system by the user based on at least some of the plurality of factors and based on attributes of data to be operated on, including the level of security of the database object of the data to be operated on, and a plurality of realms, each realm defining a privilege of the user of the database system relative to a schema of the database system; and

wherein the rule triggers an audit event, alert, or notification upon success or failure of the rule.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure database appliance leverages database security in a consistent framework provides consistent, flexible, and adaptable security using mandatory access controls in addition to user and role based security for access control and accountability. A database system comprises a plurality of database objects, each database object having a level of security, a plurality of factors, each factor representing a characteristic of a user of the database system, at least one database session of the user in the database, the database session having a level of security, the user connected to the database with a network domain, each network domain having a level of security, wherein the database system is operable to grant or deny access to the data to a user based on the factors associated with the user, based on the level of security of the data, based on the level of security of the database session, and based on the level of security of the network domain.

Citations

27 Claims

1. A database system comprising:
- a plurality of database objects, each database object having a level of security;
  
  an auditing system operable to monitor database operations that are attempted to be performed on the database objects, wherein the auditing system is operable to monitor the database operations based on;
  
  a plurality of factors, each factor representing a characteristic of a user of the database system, a plurality of rules, each rule defining a limitation on operation of the database system by the user based on at least some of the plurality of factors and based on attributes of data to be operated on, including the level of security of the database object of the data to be operated on, and a plurality of realms, each realm defining a privilege of the user of the database system relative to a schema of the database system; and
  
  wherein the rule triggers an audit event, alert, or notification upon success or failure of the rule.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21)
- - 2. The system of claim 1, wherein each factor comprises a value of the factor and an indicator of a level of trust in the factor.
  - 3. The system of claim 2, wherein a rule is based on at least one of the value of the factor and the level of trust of the factor.
  - 4. The system of claim 1, wherein a factor has a type comprising:
    - a physical factor type indicating a physical, network, or database characteristic of the user;
      
      an implementation factor type indicating an implementation-based characteristic of the user;
      
      or an environmental factor type indicating a geographic or time-based characteristic of the user.
  - 5. The system of claim 1, wherein security is based on values and levels of trust of more than one factor.
  - 6. The system of claim 1, wherein a rule comprises a condition that is used to perform at least one of:
    - evaluate access within a realm authorization;
      
      set a secure application role;
      
      or set an authorization to perform a specific SQL command.
  - 7. The system of claim 6, wherein the condition of the rule comprises at least one of equal, not equal, greater than, greater than or equal, less than, less than or equal, in list, not in list, and between.
  - 8. The system of claim 1, wherein a rule is defined based on a configuration of security definitions.
  - 9. The system of claim 1, wherein a realm comprises a logical grouping of database schemas, and further comprises associations to at least subsets of the schemas, user accounts, and database roles.
  - 21. The computer program product of claim 11, wherein a rule is based on at least one of the value of the factor and the level of trust of the factor.

10. A method of operating a database system comprising:
- providing a plurality of database objects, each database object having a level of security;
  
  monitoring database operations that are attempted to be performed on the database objects, wherein the auditing system is operable to monitor the database operations based on;
  
  a plurality of factors, each factor representing a characteristic of a user of the database system, a plurality of rules, each rule defining a limitation on operation of the database system by the user based on at least some of the plurality of factors and based on attributes of data to be operated on, including the level of security of the database object of the data to be operated on, and a plurality of realms, each realm defining a privilege of the user of the database system relative to a schema of the database system; and
  
  triggering an audit event, alert, or notification upon success or failure of a rule.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 20, 22, 23, 24, 25, 26, 27)
- - 11. The method of claim 10, wherein each factor comprises a value of the factor and an indicator of a level of trust in the factor.
  - 12. The method of claim 11, wherein a rule is based on at least one of the value of the factor and the level of trust of the factor.
  - 13. The method of claim 10, wherein a factor has a type comprising:
    - a physical factor type indicating a physical, network, or database characteristic of the user;
      
      an implementation factor type indicating an implementation-based characteristic of the user;
      
      or an environmental factor type indicating a geographic or time-based characteristic of the user.
  - 14. The method of claim 10, wherein security is based on values and levels of trust of more than one factor.
  - 15. The method of claim 10, wherein a rule comprises a condition that is used to perform at least one of:
    - evaluate access within a realm authorization;
      
      set a secure application role;
      
      or set an authorization to perform a specific SQL command.
  - 16. The method of claim 15, wherein the condition of the rule comprises at least one of equal, not equal, greater than, greater than or equal, less than, less than or equal, in list, not in list, and between.
  - 17. The method of claim 10, wherein a rule is defined based on a configuration of security definitions.
  - 18. The method of claim 10, wherein a realm comprises a logical grouping of database schemas, and further comprises associations to at least subsets of the schemas, user accounts, and database roles.
  - 20. The computer program product of claim 10, wherein each factor comprises a value of the factor and an indicator of a level of trust in the factor.
  - 22. The computer program product of claim 10, wherein a factor has a type comprising:
    - a physical factor type indicating a physical, network, or database characteristic of the user;
      
      an implementation factor type indicating an implementation-based characteristic of the user;
      
      or an environmental factor type indicating a geographic or time-based characteristic of the user.
  - 23. The computer program product of claim 10, wherein security is based on values and levels of trust of more than one factor.
  - 24. The computer program product of claim 10, wherein a rule comprises a condition that is used to perform at least one of:
    - evaluate access within a realm authorization;
      
      set a secure application role;
      
      or set an authorization to perform a specific SQL command.
  - 25. The computer program product of claim 15, wherein the condition of the rule comprises at least one of equal, not equal, greater than, greater than or equal, less than, less than or equal, in list, not in list, and between.
  - 26. The computer program product of claim 10, wherein a rule is defined based on a configuration of security definitions.
  - 27. The computer program product of claim 10, wherein a realm comprises a logical grouping of database schemas, and further comprises associations to at least subsets of the schemas, user accounts, and database roles.

19. A computer program product for operating a database system comprising:
- a computer readable medium;
  
  computer program instructions, recorded on the computer readable medium, executable by a processor, for performing the steps of providing a plurality of database objects, each database object having a level of security;
  
  monitoring database operations that are attempted to be performed on the database objects, wherein the auditing system is operable to monitor the database operations based on;
  
  a plurality of factors, each factor representing a characteristic of a user of the database system, a plurality of rules, each rule defining a limitation on operation of the database system by the user based on at least some of the plurality of factors and based on attributes of data to be operated on, including the level of security of the database object of the data to be operated on, and a plurality of realms, each realm defining a privilege of the user of the database system relative to a schema of the database system; and
  
  triggering an audit event, alert, or notification upon success or failure of a rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Davis, Kenton, Austin, Edward, Sack, Patrick, Brinson, Jack

Granted Patent

US 7,814,075 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2113   Multi-level security, e.g. ...

Dynamic auditing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic auditing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links