CONTROLLING ACCESS TO A DATABASE USING DATABASE INTERNAL AND EXTERNAL AUTHORIZATION INFORMATION
Abstract
Techniques for using both database internal and database external authorization information to control access to a database are disclosed. Corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as “external” database accounts with database external authorization information that define database external access privileges for a database. The database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts. An integrated access-privilege set is generated and used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database. As a result, databases can be integrated with various non-database entities (e.g., corporate computing systems).
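An added example, not code from the patent or its assignee: a minimal Python model of the flow the abstract and claim 1 describe, in which one integrated access-privilege set answers authorization for both account kinds. The `internal_id` link, the internal-first precedence and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

INTERNAL, EXTERNAL = "internal", "external"

@dataclass(frozen=True)
class AuthzData:
    """Authorization data the database stores for one external identifier."""
    groups: tuple = ()                  # group matching data
    internal_id: Optional[str] = None   # assumed optional link to an internal account

@dataclass(frozen=True)
class Decision:
    allowed: bool
    granted_as: Optional[str]
    privileges: frozenset

def build_integrated_set(internal_grants, group_grants):
    """Merge both grant sources into one lookup keyed by (kind, identifier)."""
    merged = {(INTERNAL, k): frozenset(v) for k, v in internal_grants.items()}
    merged.update({(EXTERNAL, k): frozenset(v) for k, v in group_grants.items()})
    return merged

def authorize(external_id, needed, authz_store, integrated):
    """Decide access for an identifier the external system already authenticated."""
    data = authz_store.get(external_id)
    if data is None:                               # no stored authorization data
        return Decision(False, None, frozenset())
    if data.internal_id and (INTERNAL, data.internal_id) in integrated:
        mode, privs = INTERNAL, integrated[(INTERNAL, data.internal_id)]
    else:
        matched = [integrated[(EXTERNAL, g)] for g in data.groups
                   if (EXTERNAL, g) in integrated]
        if not matched:                            # no group carries a grant
            return Decision(False, None, frozenset())
        mode, privs = EXTERNAL, frozenset().union(*matched)
    # One identity is chosen, then checked; privileges are never pooled across both.
    return Decision(needed in privs, mode, privs)

# Constructed sample data (not from the patent).
INTEGRATED = build_integrated_set(
    internal_grants={"etl_batch": {"SELECT", "INSERT"}, "dbadmin": {"SELECT", "DROP"}},
    group_grants={"finance": {"SELECT"}, "analysts": {"SELECT", "CREATE VIEW"}},
)
AUTHZ_STORE = {
    "CORP\\alice": AuthzData(groups=("finance", "analysts")),
    "CORP\\bob": AuthzData(groups=("analysts",), internal_id="etl_batch"),
    "CORP\\carol": AuthzData(groups=("contractors",)),   # group has no grants
}
```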
79 Citations
20 Claims
1. A computer-implemented method of controlling access to data stored in a computer readable storage medium of a database system that includes a computing system, wherein said computer-implemented method comprises:
obtaining, by said computing system, external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
obtaining, by said computing system, authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
obtaining, by said computing system and based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
determining, by said computing system and based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
View Dependent Claims (2, 3, 4, 5)
6. A computer system operable to access data stored in a computer readable storage medium of a database system, wherein said computing system is further operable to:
obtaining external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
obtaining authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
obtaining, based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
determining, based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
7. A computer readable storage medium storing at least executable computer code embodied in a tangible form for controlling access to data stored in a database system that includes a computing system, wherein said computer readable storage medium includes:
executable computer program code operable to obtain external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
executable computer program code operable to obtain authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
executable computer program code operable to obtain based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
executable computer program code operable to determine based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
View Dependent Claims (8, 9)
10. A database system that includes a computing system operable to control access to a database, wherein said database system is configured and/or operable for:
receiving a request, from a remote database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database;
sending authentication information associated with said request to an external authenticator for authentication;
determining whether said external authenticator has authenticated said authentication information;
obtaining, from said database, integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for at least one database internal account and one or more second authorization identifiers for said at least one database external account defined for an external system that is external to said database, and wherein said first one or more authorization identifiers are different than said second one or more identifiers;
searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database;
determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system;
authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account defined for said database; and
authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
View Dependent Claims (11, 12, 13, 14, 15)
16. A computer readable medium including at least executable computer program code embodied in a tangible form for controlling access to a database, comprising:
executable computer program code for receiving a request, from a database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database;
executable computer program code for sending authentication information associated with said request to an external authenticator for authentication;
executable computer program code for determining whether said external authenticator has authenticated said authentication information;
executable computer program code for obtaining from said database integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for said at least one database internal account and one or more second authorization identifiers for said at least one database external account, and wherein said first one or more authorization identifiers are different than said second one or more identifiers;
executable computer program code for searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for said at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database;
executable computer program code for determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system;
executable computer program code for authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account which has been defined for said database; and
executable computer program code for authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
View Dependent Claims (17, 18, 19, 20)
Specification