Occurrence and value based security system for computer databases
First Claim
1. In a computer host system interfacing Input/Output requests between at least one system user identified by a unique user identification symbol that is accessing the host system from at least one terminal location having a unique terminal address, and the host system having at least one database having data records, including data fields, a method for providing occurrence level, value based security protection, limiting to selected users and terminal locations access to preselected, but variable Input/Output operations on selected data records and data fields of the databases, comprising the steps of:
(a) establishing at said computer host system a data security access table having, for each data record and data field selected for security protection, a first entry identifying the data record and the data field and a second entry representing a data security profile associated therewith, said second entry defining the Input/Output operations permitted on the data record and data field identified by said associated first entry;
(b) establishing at said computer host system a user security access table having, for each user selected to have Input/Output access to the database, a first entry identifying the user and a second entry representing a user security profile associated therewith, said second entry defining the Input/Output operations permitted on the database by the user identified by said associated first entry;
(c) establishing at said computer host system a terminal location security access table having, for each terminal location selected to have Input/Output operation access to the database, a first entry identifying the terminal location and a second entry representing a terminal location security profile associated therewith, said second entry defining the Input/Output operations permitted on the database from the terminal location identified by said associated first entry;
(d) parsing each Input/Output request from the host system to the database and extracting therefrom;
(1) the unique user identification symbol of the system user making the Input/Output request;
(2) the data record or data field that is the subject of the Input/Output request;
(3) the terminal location address from which the Input/Output request is being made; and
(4) the requested Input/Output operation;
(e) building at said computer host system a request table having as its first entry the extracted unique user identification symbol, as its second entry the extracted subject data record and data field, as its third entry the extracted terminal location address, and as its fourth entry the extracted requested Input/Output operation;
(f) comparing said first request table entry for the unique user identification symbol with the first entry of the user security access table and setting at said computer host system a first security condition "flag" to an "allowed" condition if a match is found and otherwise to a "violation" condition;
(g) comparing said fourth request table entry for the requested Input/Output operation with said second entry of said user security access table whenever said first security condition "flag" is in said "allowed" condition and setting said first security condition "flag" to a "violation" condition if no match is found;
(h) comparing said second request table entry for the data record or data field entry that is the subject of the Input/Output request with the first data security access table entry and setting at said computer host system a second security condition "flag" to an "allowed" condition if a match is found and otherwise to a "violation" condition;
(i) comparing said fourth request table entry for the requested Input/Output operation with said second entry of said data security access table whenever said second security condition "flag" is in said "allowed" condition and setting said second security condition "flag" to a "violation" condition if no match is found;
(j) comparing said third request table entry for the terminal location address with the first terminal location security access table entry and setting at said computer host system a third security condition "flag" to an "allowed" condition if a match is found and to a "violation" condition otherwise;
(k) comparing said fourth request table entry for the requested Input/Output operation with said second entry of said terminal location security access table whenever said third security condition "flag" is in said "allowed" condition and setting said third security condition "flag" to a "violation" condition if no match is found;
(l) writing at said computer host system said request table entries to a security log database whenever said first, second or third security condition "flag" is in said "violation" condition and cancelling the execution of the parsed Input/Output request by the host system;
(m) returning the Input/Output request to the host system for processing whenever said first, second and third security condition "flag" is not in said "violation" condition.
Abstract
A method for providing an occurrence level, value based security protection system including the steps of building a data security table; extracting from the request to the database information concerning the system user, his terminal location, the data he wishes to access, and the operation he wishes to perform on the data; comparing these extracted pieces of information against the permitted access rules found in the data security table; returning a violation status to the host system making the request if the compared information fails to match the permitted access rules found in the data security table and logging the violation; permitting the execution of the request if the extracted data is found to match the permitted access rules found in the data security table.
216 Citations
6 Claims
2. In a computer host system interfacing Input/Output requests between at least one system user identified by a unique user identification symbol that is accessing the host system from at least one terminal location having a unique terminal address, the host system further having at least one database having data records, including data fields, a method for providing occurrence level, value based security protection, limiting to selected users and terminal locations, access to preselected, but variable Input/Output operations on selected data records and data fields of the databases, the method comprising the steps of:
(a) establishing at said computer host system at system sign on by the system user, a data security access table for the system user having, for each data record and data field selected for security protection, a first entry identifying the data record and data field and a second entry associated with said first entry, defining the Input/Output operations permitted on the data record and data field identified by said associated first entry;
(b) establishing at said computer host system at system sign on by the system user, a user security access profile table for the system user having, for each user selected to have authorized access for performing Input/Output operations on the database, a first entry identifying the unique user identification symbol of the selected user, and a second entry representing a user security profile associated with said first user security access profile table entry, said second entry defining the Input/Output operations permitted on the database by the user identified by said associated first entry;
(c) establishing at said computer host system a terminal location security access table having, for each terminal location selected to have access for performing Input/Output operations on the database, a first entry identifying the terminal location and a second entry representing a terminal location security profile associated with said first terminal location security access table entry, said second entry defining the Input/Output operations permitted on the database for the terminal location identified by said associated first entry;
(d) parsing each Input/Output operation request from the host system to the database and building at said computer host system an Input/Output operations request table having as its first entry the unique user identification symbol of the system user making the Input/Output operation request, as its second entry the data record and data field that is the object of the Input/Output operation request being parsed, as its third entry the terminal location address from which the Input/Output operation request is being made, and, as its fourth entry the entered Input/Output operation request being made;
(e) comparing sequentially each of said data entry elements of said Input/Output operation request table with its said corresponding data entry element of said user security access table, said data security access table, and said terminal location security access table, respectively, for setting at said computer host system a corresponding "flag" to an "allowed" or "violation" condition in the event of a match or no match being found between corresponding data entry elements being compared respectively;
(f) writing at said computer host system said Input/Output operation request table entries to a security violation log database whenever at least one of said "flags" corresponding to said Input/Output operation request table entries is in said "violation" condition and cancelling the execution of the parsed Input/Output operation request from the host system; and
(g) returning the parsed Input/Output operation request to the host system for processing whenever all of said "flags" corresponding to said Input/Output operation request table entries are in said "allowed" condition.
View Dependent Claims (3, 4, 5, 6)
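The check sequence recited in claims 1 and 2, as an added Python example that is not code from the patent: three access tables, a parsed four-entry request, three flags, and a log-and-cancel path. The pipe-delimited request format, the table contents, all function and variable names, and the fail-closed handling of unparseable requests are assumptions made for illustration.

```python
from typing import NamedTuple

# Constructed sample tables. Key = "first entry" (who / what / where),
# value = "second entry" (profile of permitted Input/Output operations).
USER_TABLE = {"U1001": {"READ", "UPDATE"}, "U2002": {"READ"}}
DATA_TABLE = {("PAYROLL", "SALARY"): {"READ"},
              ("PAYROLL", "NAME"): {"READ", "UPDATE"}}
TERMINAL_TABLE = {"T01": {"READ", "UPDATE"}, "T99": {"READ"}}


class Request(NamedTuple):
    """The four-entry request table built after parsing."""
    user: str
    subject: tuple
    terminal: str
    operation: str


def parse_request(raw):
    """Extract the four elements from the assumed 'user|record.field|terminal|op' format."""
    parts = raw.split("|")
    if len(parts) != 4 or parts[1].count(".") != 1:
        raise ValueError("malformed request")
    user, subject, terminal, operation = (p.strip() for p in parts)
    return Request(user, tuple(subject.split(".")), terminal, operation.upper())


def check(table, key, operation):
    """'allowed' only if the key matches a first entry AND the operation is in
    the associated profile; a missing key or operation is a 'violation'."""
    profile = table.get(key)
    return "allowed" if profile is not None and operation in profile else "violation"


def mediate(raw, security_log):
    """Return True to pass the request on for processing; False cancels it."""
    try:
        req = parse_request(raw)
    except ValueError:
        # Assumption: an unparseable request fails closed and is logged raw.
        security_log.append({"raw": raw, "flags": None})
        return False
    flags = {
        "user": check(USER_TABLE, req.user, req.operation),
        "data": check(DATA_TABLE, req.subject, req.operation),
        "terminal": check(TERMINAL_TABLE, req.terminal, req.operation),
    }
    if "violation" in flags.values():
        security_log.append({"request": req, "flags": flags})
        return False
    return True
```

Because a record or field absent from the data table yields a "violation" flag, the scheme as claimed is default-deny: a request for `PAYROLL.BONUS` is cancelled and logged even for a user and terminal that are otherwise permitted.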
Specification