METHOD AND APPARATUS TO SUPPORT PRIVILEGES AT MULTIPLE LEVELS OF AUTHENTICATION USING A CONSTRAINING ACL
First Claim
1. A method for using an ACL (access control list) to determine user privileges in a database, the method comprising:
- authenticating a user at an authentication level, wherein the authentication level is associated with a role;
associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level;
receiving a request from the user to perform an operation on data;
identifying an ACL associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges;
using the ACL to determine whether the user is permitted to perform the operation;
using the constraining ACL to determine whether the role is permitted to perform the operation; and
performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation.
1 Assignment
0 Petitions
Accused Products
Abstract
Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.
-
Citations
20 Claims
-
1. A method for using an ACL (access control list) to determine user privileges in a database, the method comprising:
-
authenticating a user at an authentication level, wherein the authentication level is associated with a role; associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level; receiving a request from the user to perform an operation on data; identifying an ACL associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges; using the ACL to determine whether the user is permitted to perform the operation; using the constraining ACL to determine whether the role is permitted to perform the operation; and performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation. - View Dependent Claims (2, 3, 4)
-
-
5. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using an ACL (access control list) to determine user privileges in a database, the method comprising:
-
authenticating a user at an authentication level, wherein the authentication level is associated with a role; associating the role with the user, thereby enabling the database to use the role to determine the user'"'"'s privileges based on the authentication level; receiving a request from the user to perform an operation on data; identifying an ACL (access control list) associated with the data, wherein the ACL specifies the user'"'"'s privileges, and wherein the ACL inherits from a constraining ACL which specifies the role'"'"'s privileges; using the ACL to determine whether the user is permitted to perform the operation; using the constraining ACL to determine whether the role is permitted to perform the operation; and performing the operation on the data in response to determining that both the user and the role are permitted to perform the operation. - View Dependent Claims (6, 7, 8)
-
-
9. A method for updating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
-
receiving an update for an ACL which specifies a user'"'"'s privileges; in response to determining that the update does not specify that the ACL inherits from the constraining ACL, modifying the update so that the modified update specifies that the ACL inherits from the constraining ACL; and updating the ACL using the modified update, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges. - View Dependent Claims (10, 11, 12)
-
-
13. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for updating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
-
receiving an update for an ACL which specifies a user'"'"'s privileges; in response to determining that the update does not specify that the ACL inherits from the constraining ACL, modifying the update so that the modified update specifies that the ACL inherits from the constraining ACL; and updating the ACL using the modified update, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges. - View Dependent Claims (14, 15, 16)
-
-
17. A method for creating an ACL (access control list) in a database, wherein the database includes a constraining ACL which specifies privileges based on a user'"'"'s authentication level, the method comprising:
-
receiving an ACL description which specifies a user'"'"'s privileges; in response to determining that the ACL description does not specify that the ACL inherits from the constraining ACL, modifying the ACL description so that the modified ACL description specifies that the ACL inherits from the constraining ACL; and creating the ACL using the modified ACL description, thereby ensuring that the database uses both the ACL and the constraining ACL to determine privileges. - View Dependent Claims (18, 19, 20)
-
Specification