EFFICIENT ACCESS CONTROL ENFORCEMENT IN A CONTENT MANAGEMENT ENVIRONMENT
First Claim
1. A system providing access control enforcement for a CM system, said system comprising:
a CM application requesting that a first query be executed against the CM system;
an access control enforcement component incorporating access control rules for any of user, user-group, or object type into a rewritten query through a semantics-based rewrite of said first query;
a resultant dataset resulting from the execution of said first query against said underlying relational database; and
a query rewrite engine generating a filter for said resultant dataset, thus limiting access to items in said resultant dataset remaining after said filter is applied.
1 Assignment
0 Petitions
Abstract
Provided is a system and method for optimizing CM through application-level optimization by exploiting the specific semantics of access control. Access control is enforced by rewriting user or application queries to include additional predicates. Portions of a complex CM query that are identified as those that will return an empty set of result objects are replaced by an empty or null expression. Furthermore, statistics specific to access control are collected and intelligently used in formulating the rewritten query and in controlling the order of evaluation of access control predicates. Optionally, rewriting can generate a result filter in addition to a rewritten query. This filter is applied to the results produced by executing the rewritten query, thus allowing the access control enforcement burden to be shared between the query and the filter. When combined, the aforementioned techniques serve to reduce the runtime overhead of access control enforcement in CM systems.
40 Citations
28 Claims
1. (As shown above under First Claim; dependent claims 2, 3, 4, 5, 6, 7.)
8. A method of enforcing access control rules in a CM system, said method comprising:
a CM application or CM application user requesting that a first query be issued against said CM system;
rewriting said first query, incorporating access control rules as additional predicates representing a set of access control rules applicable to a user, user-group, or object type, wherein said additional predicates are based on static analyses;
evaluating in an optimal order, and issuing against a database underlying said CM system, the predicates in said rewritten query; and
filtering, in accordance with said access control rules, the resultant dataset obtained by executing said rewritten query against said underlying database, thus limiting access to items in said resultant dataset remaining after said filtering step.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A computer-based method of enforcing access control rules in a CM system, said method comprising:
a CM application or CM application user requesting that a first query be issued against said CM system;
rewriting said first query, incorporating access control rules as additional predicates representing a set of access control rules applicable to a user, user-group, or object type, wherein said additional predicates are based on static analyses;
evaluating in an optimal order, and issuing against a database underlying said CM system, the predicates in said rewritten query; and
filtering, in accordance with said access control rules, the resultant dataset obtained by executing said rewritten query against said underlying database.
Dependent claims: 16, 17, 18, 19, 20, 21.
22. An article of manufacture comprising a computer usable medium having computer readable program code embodied therein which implements a method of enforcing access control rules in a CM system, said medium comprising modules implementing:
a CM application or CM application user requesting that a first query be issued against said CM system;
rewriting said first query, incorporating access control rules as additional predicates representing a set of access control rules applicable to a user, user-group, or object type, wherein said additional predicates are based on static analyses;
evaluating in an optimal order, and issuing against a database underlying said CM system, the predicates in said rewritten query; and
filtering, in accordance with said access control rules, the resultant dataset obtained by executing said rewritten query against said underlying database, thus limiting access to items in said resultant dataset remaining after said filtering step.
Dependent claims: 23, 24, 25, 26, 27, 28.
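The procedure described in the abstract and restated in claims 8, 15 and 22 (rewrite the application's query with access-control predicates, replace sub-queries that static analysis shows must be empty, execute the rewritten query, then post-filter the result set), shown as an added worked example in Python over SQLite. This is not the patent's code: the schema, the sample items, the `acl` table, the `GROUPS` membership map and the "confidential items are visible only to their owner" rule are all constructed here for illustration. The one access-control statistic it collects (which object types carry any read grant at all) stands in for the statistics the abstract mentions.

```python
import sqlite3

# Constructed sample data (not from the patent). Two object types carry
# read grants; "video" carries none, so any branch querying it must be empty.
SCHEMA = """
CREATE TABLE items(id INTEGER PRIMARY KEY, type TEXT, title TEXT,
                   owner TEXT, confidential INTEGER);
CREATE TABLE acl(type TEXT, principal TEXT, privilege TEXT);
"""
ITEMS = [
    (1, "document", "Q3 report", "alice", 0),
    (2, "document", "Roadmap", "bob", 1),
    (3, "image", "Logo", "alice", 0),
    (4, "video", "Town hall", "carol", 0),
]
ACL = [
    ("document", "user:alice", "read"),
    ("document", "group:staff", "read"),
    ("image", "group:staff", "read"),
    # no principal is granted read on "video"
]
GROUPS = {"alice": {"staff"}, "bob": {"staff"}, "carol": set()}  # hypothetical


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO items VALUES (?,?,?,?,?)", ITEMS)
    conn.executemany("INSERT INTO acl VALUES (?,?,?)", ACL)
    return conn


def readable_types(conn):
    """Access-control statistic: object types with at least one read grant."""
    rows = conn.execute("SELECT DISTINCT type FROM acl WHERE privilege = 'read'")
    return {r[0] for r in rows}


def principals_for(user):
    """The principals an ACL row may name for this user: the user and its groups."""
    return ["user:" + user] + ["group:" + g for g in sorted(GROUPS.get(user, ()))]


def rewrite(conn, user, branches):
    """Rewrite a CM query given as a UNION of per-object-type branches.

    Each branch is {"type": ..., "where": <application SQL fragment>, "params": (...)}.
    The "where" text is the application's own query, never end-user input; values
    are bound through params. Returns (sql, params, post_filter):
      - branches whose type has no read grant at all are statically empty and are
        dropped (the abstract's "replaced by an empty or null expression");
      - every surviving branch gets an EXISTS predicate over the ACL table;
      - the confidential/owner rule is deliberately left to post_filter to show the
        enforcement split between rewritten query and result filter.
    """
    principals = principals_for(user)
    grantable = readable_types(conn)
    marks = ",".join("?" * len(principals))
    sql_parts, params = [], []
    for b in branches:
        if b["type"] not in grantable:
            continue  # provably empty branch: nothing is emitted for it
        sql_parts.append(
            "SELECT id, type, title, owner, confidential FROM items "
            f"WHERE type = ? AND ({b['where']}) "
            "AND EXISTS (SELECT 1 FROM acl WHERE acl.type = items.type "
            f"AND acl.privilege = 'read' AND acl.principal IN ({marks}))")
        params += [b["type"], *b.get("params", ()), *principals]
    sql = " UNION ALL ".join(sql_parts) if sql_parts else None

    def post_filter(row):
        _id, _type, _title, owner, confidential = row
        return not confidential or owner == user

    return sql, params, post_filter


def run(conn, user, branches):
    """Execute the rewritten query, apply the filter, return sorted item ids."""
    sql, params, keep = rewrite(conn, user, branches)
    if sql is None:
        return []  # every branch was pruned; no database round trip needed
    return sorted(r[0] for r in conn.execute(sql, params) if keep(r))


if __name__ == "__main__":
    db = open_db()
    query = [{"type": "document", "where": "title LIKE ?", "params": ("%",)},
             {"type": "video", "where": "1 = 1"}]
    for who in ("alice", "bob", "carol"):
        print(who, run(db, who, query))
```

Two points worth noting. The ACL predicate is attached to every surviving branch, so no branch of a UNION can escape enforcement, and a branch that cannot match any grant never reaches the database at all. Predicate ordering inside the rewritten query is left to the SQL planner here; the abstract's statistics-driven ordering is represented only by the static pruning step.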