System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects

US 6,038,563 A
Filed: 03/25/1998
Issued: 03/14/2000
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. An access control system for controlling access to managed objects in a distributed network, comprising:

an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;

at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;

a database management system; and

an information transfer mechanism for sending the management information from the network to the database management system;

the database management system including;

a set of database tables for storing the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows management information for corresponding managed objects;

at least one permissions table, including access permission objects, the access permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the access permission objects corresponds to the managed object access rights specified by the access control database for at least one of the users;

means for intercepting a user access request to access management information in the database;

means for invoking an access control procedure when the user access request is a select statement to access management information for any of the managed objects;

the access control procedure for limiting access to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and

the database access engine for accessing the management information stored in the permitted rows in the set of database tables.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. An access control procedure limits access to the management information stored in the database tables using at least one permissions table. A permissions table defines a subset of rows in the database tables that are accessible to at least one of the users. The set of database table rows that are accessible corresponds to the managed object access rights specified by the access control database. A user access request to access management information in the database is intercepted, and the access control procedure is invoked when the user access request is a select statement. The database access engine accesses information in the set of database tables using the permissions tables such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.

390 Citations

13 Claims

1. An access control system for controlling access to managed objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
  
  a database management system; and
  
  an information transfer mechanism for sending the management information from the network to the database management system;
  
  the database management system including;
  
  a set of database tables for storing the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows management information for corresponding managed objects;
  
  at least one permissions table, including access permission objects, the access permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the access permission objects corresponds to the managed object access rights specified by the access control database for at least one of the users;
  
  means for intercepting a user access request to access management information in the database;
  
  means for invoking an access control procedure when the user access request is a select statement to access management information for any of the managed objects;
  
  the access control procedure for limiting access to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
  
  the database access engine for accessing the management information stored in the permitted rows in the set of database tables.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1 wherein the access control procedure accesses the permitted rows stored in the set of database tables.
  - 3. The system of claim 1 wherein the access control procedure returns a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
  - 4. The system of claim 1 wherein the means for invoking is a trigger.
  - 5. The system of claim 1 wherein the select statement causes a trigger to invoke the access control procedure and the access control procedure modifies at least one parameter of the select statement to access the permitted subset of rows.

6. A method of controlling access to managed objects in a distributed network, comprising the steps of:
- storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  sending management information from the network to a database management system;
  
  in the database management system;
  
  storing in a first set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows the management information for corresponding managed objects;
  
  storing in at least one permissions table, including permission objects, the permission objects collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects corresponds to the managed object access rights specified by the access control database for at least one of the users;
  
  intercepting a user access request to access management information stored in the database tables;
  
  invoking an access control procedure when the user access request is a select statement to access any of the set of database tables;
  
  limiting access, in the access control procedure, to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
  
  accessing management information stored in the permitted rows in the set of database tables.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The method of claim 6 wherein the access control procedure accesses the permitted rows stored in the set of database tables.
  - 8. The method of claim 6 wherein the access control procedure returns a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
  - 9. The method of claim 6 wherein a trigger is used to invoke the access control procedure.
  - 10. The method of claim 6 wherein the select statement causes a trigger to invoke the access control procedure and the access control procedure modifies at least one parameter of the select statement to access the permitted subset of rows.
  - 11. The method of claim 10, further including the step of updating the at least one permissions table for a specified set of users and a specified subset of the managed objects.
  - 12. The method of claim 11, wherein the updating step is invoked when a new managed object is added to the network.
  - 13. The method of claim 11, wherein the updating step is invoked when the specified access rights are changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Bapat, Subodh, Fisher, Bart Lee
Primary Examiner(s)
Black, Thomas G.
Assistant Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/047,907
Time in Patent Office

720 Days
Field of Search

707/1-206, 705/26-39, 380/24, 713/200
US Class Current

1/1
CPC Class Codes

G06F 1/00   Details not covered by grou...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 41/024   using relational databases ...

H04L 41/28   Restricting access to netwo...

H04L 63/101   Access control lists [ACL]

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99936   Pattern matching access

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Y10S 707/99942   Manipulating data structure...

Y10S 707/99953   Recoverability

System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

390 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

390 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links