METHOD AND APPARATUS TO SUPPORT PRIVILEGES AT MULTIPLE LEVELS OF AUTHENTICATION USING A CONSTRAINING ACL

US 20090144804A1
Filed: 11/29/2007
Published: 06/04/2009
Est. Priority Date: 11/29/2007
Status: Active Grant

First Claim

Patent Images

1. A method for using an ACL (access control list) to determine user privileges in a database, the method comprising:

authenticating a user at an authentication level, wherein the authentication level is associated with a role;

associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level;

receiving a request from the user to perform an operation on data;

identifying an ACL associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges;

using the ACL to determine whether the user is permitted to perform the operation;

using the constraining ACL to determine whether the role is permitted to perform the operation; and

performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.

Citations

20 Claims

1. A method for using an ACL (access control list) to determine user privileges in a database, the method comprising:
- authenticating a user at an authentication level, wherein the authentication level is associated with a role;
  
  associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level;
  
  receiving a request from the user to perform an operation on data;
  
  identifying an ACL associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges;
  
  using the ACL to determine whether the user is permitted to perform the operation;
  
  using the constraining ACL to determine whether the role is permitted to perform the operation; and
  
  performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising reporting an error in response to determining that the user is not permitted to perform the operation on the data.
  - 3. The method of claim 1, further comprising reporting an error in response to determining that the role is not permitted to perform the operation on the data.
  - 4. The method of claim 1, wherein all ACLs except for the constraining ACL inherit from the constraining ACL.

5. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an ACL (access control list) to determine user privileges in a database, the method comprising:
- authenticating a user at an authentication level, wherein the authentication level is associated with a role;
  
  associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level;
  
  receiving a request from the user to perform an operation on data;
  
  identifying an ACL (access control list) associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges;
  
  using the ACL to determine whether the user is permitted to perform the operation;
  
  using the constraining ACL to determine whether the role is permitted to perform the operation; and
  
  performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation.
- View Dependent Claims (6, 7, 8)
- - 6. The computer-readable storage medium of claim 5, the method further comprising reporting an error in response to determining that the user is not permitted to perform the operation on the data.
  - 7. The computer-readable storage medium of claim 5, the method further comprising reporting an error in response to determining that the role is not permitted to perform the operation on the data.
  - 8. The computer-readable storage medium of claim 5, wherein all ACLs except for the constraining ACL inherit from the constraining ACL.

9. A method for updating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
- receiving an update for an ACL which specifies a user'"'"'s privileges;
  
  in response to determining that the update does not specify that the ACL inherits from the constraining ACL, modifying the update so that the modified update specifies that the ACL inherits from the constraining ACL; and
  
  updating the ACL using the modified update, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the update is encoded in XML (extensible markup language).
  - 11. The method of claim 9, wherein the constraining ACL represents a global security policy which is to be applied to all applications that interact with the database.
  - 12. The method of claim 11, wherein ensuring that the database uses both the ACL and the constraining ACL to determine privileges causes the global security policy to be applied to all applications that interact with the database.

13. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for updating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
- receiving an update for an ACL which specifies a user'"'"'s privileges;
  
  in response to determining that the update does not specify that the ACL inherits from the constraining ACL, modifying the update so that the modified update specifies that the ACL inherits from the constraining ACL; and
  
  updating the ACL using the modified update, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-readable storage medium of claim 13, wherein the update is encoded in XML (extensible markup language).
  - 15. The computer-readable storage medium of claim 13, wherein the constraining ACL represents a global security policy which is to be applied to all applications that interact with the database.
  - 16. The computer-readable storage medium of claim 15, wherein ensuring that the database uses both the ACL and the constraining ACL to determine privileges causes the global security policy to be applied to all applications that interact with the database.

17. A method for creating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
- receiving an ACL description which specifies a user'"'"'s privileges;
  
  in response to determining that the ACL description does not specify that the ACL inherits from the constraining ACL, modifying the ACL description so that the modified ACL description specifies that the ACL inherits from the constraining ACL; and
  
  creating the ACL using the modified ACL description, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein the ACL description is encoded in XML (extensible markup language).
  - 19. The method of claim 17, wherein the constraining ACL represents a global security policy that is to be applied to all applications that interact with the database.
  - 20. The method of claim 19, wherein ensuring that the database uses both the ACL and the constraining ACL to determine privileges enables the database to apply the global security policy to all applications that interact with the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Idicula, Sam, Agarwal, Nipun, Pesati, Vikram, Keefe, Thomas, Ahmed, Tanvir, Rafiq, Mohammed Irfan

Granted Patent

US 9,471,801 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

METHOD AND APPARATUS TO SUPPORT PRIVILEGES AT MULTIPLE LEVELS OF AUTHENTICATION USING A CONSTRAINING ACL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS TO SUPPORT PRIVILEGES AT MULTIPLE LEVELS OF AUTHENTICATION USING A CONSTRAINING ACL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links