SECURE DATA ACCESS USING SQL QUERY REWRITES
First Claim
1. A method for secure data access in a data processing system, the method comprising:
- providing a relational database having a first table and a second table, wherein a sensitive attribute serves as subset of a primary key for the first and second tables;
generating a first security view, the first security view granting a user access to the sensitive attribute values of the first table in a masked format, wherein the masked format value is generated from an unmasked format value using a reversible function;
generating a second security view, the second security view granting the user access to the sensitive attribute values of the second table in a masked format, wherein the masked format value is generated from an unmasked format using a reversible function; and
performing a join operation between the first view and the second view by optimizing a first query statement corresponding to the join operation.
1 Assignment
0 Petitions
Accused Products
Abstract
A mechanism is provided for secure data access in a data processing system. A database having two tables is provided. A subset of the tables'"'"' primary key attributes is considered sensitive. A first user is authorized to access the primary key'"'"'s sensitive attribute in an unmasked format, while a second user is authorized to access same data in a masked format. Two security views are generated granting the second user access to the primary key'"'"'s sensitive attribute values of both tables in the masked format. The masked format value is generated from an unmasked format value using a reversible function. A join operation between the two security views is performed by optimizing a query statement corresponding to the join operation.
75 Citations
20 Claims
-
1. A method for secure data access in a data processing system, the method comprising:
-
providing a relational database having a first table and a second table, wherein a sensitive attribute serves as subset of a primary key for the first and second tables; generating a first security view, the first security view granting a user access to the sensitive attribute values of the first table in a masked format, wherein the masked format value is generated from an unmasked format value using a reversible function; generating a second security view, the second security view granting the user access to the sensitive attribute values of the second table in a masked format, wherein the masked format value is generated from an unmasked format using a reversible function; and performing a join operation between the first view and the second view by optimizing a first query statement corresponding to the join operation. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer program product for secure data access in a data processing system, the computer program product comprising one or more computer-readable tangible storage devices and a plurality of program instructions stored on one or more computer-readable tangible storage devices, the plurality of program instructions comprising:
-
program instructions to provide a relational database having a first table and a second table, wherein a sensitive attribute serves as subset of a primary key for the first and second tables; program instructions to generate a first security view, wherein the first security view grants a user access to the sensitive attribute values of the first table in a masked format and wherein the masked format value is generated from an unmasked format value using a reversible function; program instructions to generate a second security view, wherein the second security view grants the user access to the sensitive attribute values of the second table in a masked format and wherein the masked format value is generated from an unmasked format using a reversible function; and program instructions to perform a join operation between the first view and the second view by optimizing a first query statement corresponding to the join operation. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A computer system for secure data access in a data processing system, the computer system comprising one or more processors, one or more computer-readable tangible storage devices, and a plurality of program instructions stored on one or more storage devices for execution by one or more processors, the plurality of program instructions comprising:
-
program instructions to provide a relational database having a first table and a second table, wherein a sensitive attribute serves as subset of a primary key for the first and second tables; program instructions to generate a first security view, wherein the first security view grants a user access to the sensitive attribute values of the first table in a masked format and wherein the masked format value is generated from an unmasked format value using a reversible function; program instructions to generate a second security view, wherein the second security view grants the user access to the sensitive attribute values of the second table in a masked format and wherein the masked format value is generated from an unmasked format using a reversible function; and program instructions to perform a join operation between the first view and the second view by optimizing a query statement corresponding to the join operation. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification