DECLARATIVE MODEL SECURITY PATTERN

US 20110106853A1
Filed: 10/30/2009
Published: 05/05/2011
Est. Priority Date: 10/30/2009
Status: Abandoned Application

First Claim

Patent Images

1. At a computer system including one or more processors and system memory, a method comprising:

translating declarative language code into one or more statements, the declarative language code including;

a declared access control predicate; and

a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition; and

instantiating at least a portion of a database by executing the one or more statements, the database being hosted by a database management system, the at least a portion of a database including;

one or more tables; and

a view of the one or more tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from the one or more tables via the view.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention extends to methods, systems, and computer program products for a declarative model security pattern for use in a database. Declarative language code can include a declared access control predicate and a separately declared data structure definition bound to the access control predicate. A portion of the database is instantiated from the declarative language code. The instantiated portion of the database includes one or more tables and a view of the one or more tables. A database management system enforces the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data in the one or more tables via the view.

29 Citations

View as Search Results

20 Claims

1. At a computer system including one or more processors and system memory, a method comprising:
- translating declarative language code into one or more statements, the declarative language code including;
  
  a declared access control predicate; and
  
  a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition; and
  
  instantiating at least a portion of a database by executing the one or more statements, the database being hosted by a database management system, the at least a portion of a database including;
  
  one or more tables; and
  
  a view of the one or more tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from the one or more tables via the view.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as in claim 1, wherein the dynamically calculated value defines, at a row level, what operations may be performed on data from the one or more tables via the view.
  - 3. The method as in claim 1, wherein the dynamically calculated value is based on one or more claims associated with a session with the database management system.
  - 4. The method as in claim 3, wherein the database management system is configured to, in response to the session requesting access to the view, dynamically calculate the value for the access control predicate.
  - 5. The method as in claim 1, wherein the dynamically calculated value defines, at a row level, what operations may be performed on data from the one or more tables via the view;
    - andwherein the dynamically calculated value is based on one or more claims associated with a session with the database management system.
  - 6. The method as in claim 5, wherein the database management system is configured to, in response to the session requesting access to the view, dynamically calculate the value for the access control predicate.
  - 7. The method as in claim 1, wherein the declarative language code is written in the M language.

8. A computing system comprising:
- one or more processors;
  
  system memory; and
  
  one or more computer storage media having stored thereon computer-executable instructions for performing a method, the method including;
  
  dynamically calculating a value for an access control predicate; and
  
  using the dynamically calculated value to define what operations may be performed on data from one or more tables of a database via a view, the view and the one or more tables of the database having been instantiated by an execution of one or more statements translated from declarative language code, the declarative language code including;
  
  a declared access control predicate; and
  
  a declared data structure definition bound to the access control predicate, the access control predicate declared separately from the data structure definition.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system as in claim 8, wherein the dynamically calculated value defines, at a row level, what operations may be performed on data from the one or more tables via the view.
  - 10. The system as in claim 8, wherein the dynamically calculated value is based on one or more claims associated with a session with a database management system that hosts the database.
  - 11. The system as in claim 10, wherein the database management system is configured to, in response to the session requesting access to the view, dynamically calculate the value for the access control predicate.
  - 12. The system as in claim 8, wherein the dynamically calculated value defines, at a row level, what operations may be performed on data from the one or more tables via the view;
    - andwherein the dynamically calculated value is based on one or more claims associated with a session with a database management system that hosts the database.
  - 13. The system as in claim 12, wherein the database management system is configured to, in response to the session requesting access to the view, dynamically calculate the value for the access control predicate.

14. At a computer system including one or more processors and system memory, a method comprising:
- translating declarative language code into one or more SQL statements, the declarative language code including;
  
  a declared access control predicate;
  
  a first declared data structure definition bound to the access control predicate, the access control predicate declared separately from the first data structure definition; and
  
  a second declared data structure definition bound to the access control predicate, the access control predicate declared separately from the second data structure definition; and
  
  instantiating at least a portion of a database by executing the one or more SQL statements, the database being hosted by a database management system, the at least a portion of a database including;
  
  a plurality of tables;
  
  a first view of at least one of the tables; and
  
  a second view of at least one of the tables, the database management system configured to enforce the access control predicate by dynamically calculating a value for the access control predicate and using the dynamically calculated value to define what operations may be performed on data from at least one of the tables via the first view and to define what operations may be performed on data from at least one of the tables via the second view.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as in claim 14, wherein the dynamically calculated value defines, at a row level, operations may be performed on data from at least one of the tables via the first and second views.
  - 16. The method as in claim 14, wherein the dynamically calculated value is based on one or more claims associated with a session with the database management system.
  - 17. The method as in claim 16, wherein the database management system is configured to, in response to the session requesting access to at least one of the first view or the second view, dynamically calculate the value for the access control predicate.
  - 18. The method as in claim 14, wherein the dynamically calculated value defines, at a row level, operations may be performed on data from at least one of the tables via the first and second views;
    - andwherein the dynamically calculated value is based on one or more claims associated with a session with the database management system.
  - 19. The method as in claim 18, wherein the database management system is configured to, in response to the session requesting access to at least one of the first view or the second view, dynamically calculate the value for the access control predicate.
  - 20. The method as in claim 14, wherein the declarative language code is written in the M language.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bloesch, Anthony C., Short, Keith W., Baker, James Patrick Seymour, Sakhnov, Igor

Application Number

US12/609,618
Publication Number

US 20110106853A1
Time in Patent Office

Days
Field of Search
US Class Current

707/781
CPC Class Codes

G06F 16/2428   Query predicate definition ...

G06F 16/2445   Data retrieval commands; Vi...

G06F 21/6218   to a system of files or obj...

DECLARATIVE MODEL SECURITY PATTERN

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DECLARATIVE MODEL SECURITY PATTERN

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links