IDENTIFYING UNUSED PRIVILEGES IN A DATABASE SYSTEM

US 20150370824A1
Filed: 06/24/2014
Published: 12/24/2015
Est. Priority Date: 06/24/2014
Status: Active Application

First Claim

Patent Images

1. A method comprising:

identifying a set of privileges that are available to one or more requesting entities;

monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges;

based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for identifying unused privileges are provided. Database accesses are monitored to generate privilege usage data. Privilege usage data for each database access may indicate a user, a utilized privilege, an object that is the target of the privilege, and a role to which the privilege is granted. The privilege usage data is compared to database authorization data that indicates all (or a subset) of granted privileges. A result of the comparison is unused privilege data that indicates what granted privileges were not utilized. A role graph may be generated that indicates one or more privileges that were utilized and one or more privileges that were not utilized along with role paths providing the privileges.

29 Citations

View as Search Results

24 Claims

1. A method comprising:
- identifying a set of privileges that are available to one or more requesting entities;
  
  monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges;
  
  based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - storing a record for each of multiple database accesses in the subset of the set of database accesses;
      
      wherein the record identifies a requesting entity, a privilege, an object that was the subject of the corresponding database access, and a role to which the privilege is granted.
  - 3. The method of claim 1, further comprising:
    - for each privilege in the second subset;
      
      identifying a particular requesting entity that is associated with said each privilege, andidentifying one or more roles to which the particular requesting entity is assigned and through which the particular requesting entity is granted said each privilege.
  - 4. The method of claim 1, wherein monitoring comprises:
    - determining, by a database authorization engine, based on a query, whether a requesting entity is authorized to utilize a privilege with respect to an object;
      
      in response to determining, by the database authorization engine, that the requesting entity is authorized to utilize the privilege with respect to the object;
      
      executing an execution plan for the query, wherein executing involves a database access in the subset of the set of database accesses, andcreating a record about the database access, wherein the record identifies the requesting entity, the privilege, the object, and zero or more roles.
  - 5. The method of claim 1, wherein:
    - monitoring comprises storing privilege usage data that indicates the first subset of the set of privileges;
      
      wherein storing the privilege usage data comprises storing at least a portion of the privilege usage data in a cursor that includes an execution plan.
  - 6. The method of claim 5, wherein storing the privilege usage data comprises:
    - storing a first portion of the privilege usage data in a first cursor, andstoring a second portion of the privilege usage data in a second cursor that is different than the first cursor.
  - 7. The method of claim 1, further comprising:
    - receiving input that indicates what information to monitor;
      
      wherein the input identifies one or more of a set of requesting entities, a set of privileges, a set of objects, or a set of roles;
      
      wherein monitoring comprises monitoring based on the input.
  - 8. The method of claim 1, wherein monitoring comprises:
    - determining that a first database access in the set of database accesses is initiated by a particular requesting entity and involves a first privilege;
      
      creating a first record that includes information about the first database access;
      
      determining that a second database access in the set of database accesses is initiated by the particular requesting entity and involves the first privilege;
      
      based on the first record, determining not to create a second record for the second database access.

9. A method comprising:
- determining that a first privilege with respect to a first database object was not utilized by a first requesting entity;
  
  determining a first grant path from the first requesting entity to the first privilege through a set of one or more of roles;
  
  causing data about the first grant path to be displayed;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the set of one or more roles is a plurality of roles that includes a first role to which the first requesting entity is assigned and a second role that is different than the first role and to which is granted the first privilege with respect to the first database object.
  - 11. The method of claim 9, further comprising:
    - causing a role graph to be displayed, wherein the role graph includes;
      
      a first node that represents a particular requesting entity,one or more second nodes, each representing a role assigned directly or indirectly to the particular requesting entity;
      
      a plurality of third nodes, each representing a privilege that is granted to the particular requesting entity either directly or indirectly through one or more roles.
  - 12. The method of claim 11, wherein the role graph also includes one or more fourth nodes, each representing a requesting entity that is different than the particular requesting entity.

13. One or more storage media storing instructions which, when executed by one or more processors, cause:
- identifying a set of privileges that are available to one or more requesting entities;
  
  monitoring a set of database accesses initiated by the one or more requesting entities, wherein the set of database accesses include a subset that involve a first subset of the set of privileges;
  
  based on the set of privileges and the first subset, identifying a second subset, of the set of privileges, that have not been used by any of the one or more requesting entities.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The one or more storage media of claim 13, wherein the instructions, when executed by the one or more processors, further cause:
    - storing a record for each of multiple database accesses in the subset of the set of database accesses;
      
      wherein the record identifies a requesting entity, a privilege, an object that was the subject of the corresponding database access, and a role to which the privilege is granted.
  - 15. The one or more storage media of claim 13, wherein the instructions, when executed by the one or more processors, further cause:
    - for each privilege in the second subset;
      
      identifying a particular requesting entity that is associated with said each privilege, andidentifying one or more roles to which the particular requesting entity is assigned and through which the particular requesting entity is granted said each privilege.
  - 16. The one or more storage media of claim 13, wherein monitoring comprises:
    - determining, by a database authorization engine, based on a query, whether a requesting entity is authorized to utilize a privilege with respect to an object;
      
      in response to determining, by the database authorization engine, that the requesting entity is authorized to utilize the privilege with respect to the object;
      
      executing an execution plan for the query, wherein executing involves a database access in the subset of the set of database accesses, andcreating a record about the database access, wherein the record identifies the requesting entity, the privilege, the object, and zero or more roles.
  - 17. The one or more storage media of claim 13, wherein:
    - monitoring comprises storing privilege usage data that indicates the first subset of the set of privileges;
      
      wherein storing the privilege usage data comprises storing at least a portion of the privilege usage data in a cursor that includes an execution plan.
  - 18. The one or more storage media of claim 17, wherein storing the privilege usage data comprises:
    - storing a first portion of the privilege usage data in a first cursor, andstoring a second portion of the privilege usage data in a second cursor that is different than the first cursor.
  - 19. The one or more storage media of claim 13, wherein the instructions, when executed by the one or more processors, further cause:
    - receiving input that indicates what information to monitor;
      
      wherein the input identifies one or more of a set of requesting entities, a set of privileges, a set of objects, or a set of roles;
      
      wherein monitoring comprises monitoring based on the input.
  - 20. The one or more storage media of claim 13, wherein monitoring comprises:
    - determining that a first database access in the set of database accesses is initiated by a particular requesting entity and involves a first privilege;
      
      creating a first record that includes information about the first database access;
      
      determining that a second database access in the set of database accesses is initiated by the particular requesting entity and involves the first privilege;
      
      based on the first record, determining not to create a second record for the second database access.

21. One or more storage media storing instructions which, when executed by one or more processors, cause:
- determining that a first privilege with respect to a first database object was not utilized by a first requesting entity;
  
  determining a first grant path from the first requesting entity to the first privilege through a set of one or more of roles;
  
  causing data about the first grant path to be displayed.
- View Dependent Claims (22, 23, 24)
- - 22. The one or more storage media of claim 21, wherein the set of one or more roles is a plurality of roles that includes a first role to which the first requesting entity is assigned and a second role that is different than the first role and to which is granted the first privilege with respect to the first database object.
  - 23. The one or more storage media of claim 21, wherein the instructions, when executed by the one or more processors, further cause:
    - causing a role graph to be displayed, wherein the role graph includes;
      
      a first node that represents a particular requesting entity,one or more second nodes, each representing a role assigned directly or indirectly to the particular requesting entity;
      
      a plurality of third nodes, each representing a privilege that is granted to the particular requesting entity either directly or indirectly through one or more roles.
  - 24. The one or more storage media of claim 23, wherein the role graph also includes one or more fourth nodes, each representing a requesting entity that is different than the particular requesting entity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Chui, Chi Ching, Pesati, Vikram R.

Granted Patent

US 10,268,705 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/21 Design, administration or m...

IDENTIFYING UNUSED PRIVILEGES IN A DATABASE SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

29 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING UNUSED PRIVILEGES IN A DATABASE SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links