DECLARATIVE MODEL SECURITY PATTERN
First Claim
1. At a computer system including one or more processors and system memory, a method comprising:
- translating declarative language code into one or more statements, the declarative language code including;
a declared access control predicate; and
a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition; and
instantiating at least a portion of a database by executing the one or more statements, the database being hosted by a database management system, the at least a portion of a database including;
one or more tables; and
a view of the one or more tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from the one or more tables via the view.
2 Assignments
0 Petitions
Accused Products
Abstract
The present invention extends to methods, systems, and computer program products for a declarative model security pattern for use in a database. Declarative language code can include a declared access control predicate and a separately declared data structure definition bound to the access control predicate. A portion of the database is instantiated from the declarative language code. The instantiated portion of the database includes one or more tables and a view of the one or more tables. A database management system enforces the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data in the one or more tables via the view.
29 Citations
20 Claims
-
1. At a computer system including one or more processors and system memory, a method comprising:
-
translating declarative language code into one or more statements, the declarative language code including; a declared access control predicate; and a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition; and instantiating at least a portion of a database by executing the one or more statements, the database being hosted by a database management system, the at least a portion of a database including; one or more tables; and a view of the one or more tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from the one or more tables via the view. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computing system comprising:
-
one or more processors; system memory; and one or more computer storage media having stored thereon computer-executable instructions for performing a method, the method including; dynamically calculating a value for an access control predicate; and using the dynamically calculated value to define what operations may be performed on data from one or more tables of a database via a view, the view and the one or more tables of the database having been instantiated by an execution of one or more statements translated from declarative language code, the declarative language code including; a declared access control predicate; and a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. At a computer system including one or more processors and system memory, a method comprising:
-
translating declarative language code into one or more SQL statements, the declarative language code including; a declared access control predicate; a first declared data structure definition bound to the access control predicate, the access control predicate declared separately from the first data structure definition; and a second declared data structure definition bound to the access control predicate, the access control predicate declared separately from the second data structure definition; and instantiating at least a portion of a database by executing the one or more SQL statements, the database being hosted by a database management system, the at least a portion of a database including; a plurality of tables; a first view of at least one of the tables; and a second view of at least one of the tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from at least one of the tables via the first view and to define what operations may be performed on data from at least one of the tables via the second view. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification