System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects
First Claim
1. An access control system for controlling access to managed objects in a distributed network, comprising:
an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
a database management system; and
an information transfer mechanism for sending the management information from the network to the database management system;
the database management system including:
a set of database tables for storing the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows management information for corresponding managed objects;
at least one permissions table, including access permission objects, the access permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the access permission objects correspond to the managed object access rights specified by the access control database for at least one of the users;
means for intercepting a user access request to access management information in the database;
means for invoking an access control procedure when the user access request is a select statement to access management information for any of the managed objects;
the access control procedure for limiting access to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
the database access engine for accessing the management information stored in the permitted rows in the set of database tables.
2 Assignments
0 Petitions
Abstract
An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. An access control procedure limits access to the management information stored in the database tables using at least one permissions table. A permissions table defines a subset of rows in the database tables that are accessible to at least one of the users. The set of database table rows that are accessible corresponds to the managed object access rights specified by the access control database. A user access request to access management information in the database is intercepted, and the access control procedure is invoked when the user access request is a select statement. The database access engine accesses information in the set of database tables using the permissions tables such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
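The mechanism the abstract describes, intercepting each request and letting a SELECT run only over the rows a permissions table grants, can be shown end to end with an in-memory SQLite database. The block below is an added example, not code from the patent or its assignee. The table and column names (routers, interfaces, permissions, object_id, user_name), the sample rows and the per-user grants are all constructed for the illustration; the rewrite is a deliberately minimal regular-expression substitution that assumes queries refer to managed tables by name without aliases, and it refuses non-SELECT statements outright, which is a choice made here (the abstract only specifies the select path).

```python
"""Row-level filtering of management-information tables through a permissions table.

Added example modelling the abstract: management information lands in one table per
managed-object class, a permissions table records which managed objects each user may
see, every request is intercepted, and a SELECT is rewritten so the database engine
only touches the permitted subset of rows. All names and data are constructed.
"""
import re
import sqlite3

# Tables holding management information, one per managed-object class (assumed names).
MANAGED_TABLES = ("routers", "interfaces")

# Matches each table reference after FROM or JOIN in a user's SELECT (no aliases).
_TABLE_REF = re.compile(r"\b(FROM|JOIN)\s+(\w+)\b", re.IGNORECASE)


def build_database() -> sqlite3.Connection:
    """Create an in-memory DBMS populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # Each row is the management information for one managed object, keyed by object_id.
    cur.execute("CREATE TABLE routers (object_id INTEGER PRIMARY KEY, hostname TEXT, uptime_s INTEGER)")
    cur.execute("CREATE TABLE interfaces (object_id INTEGER PRIMARY KEY, router_id INTEGER, "
                "ifname TEXT, oper_status TEXT)")
    # Permissions table: (user, managed object) pairs mirrored from the access control database.
    cur.execute("CREATE TABLE permissions (user_name TEXT, object_id INTEGER, "
                "PRIMARY KEY (user_name, object_id))")
    cur.executemany("INSERT INTO routers VALUES (?, ?, ?)",
                    [(1, "core-east", 86400), (2, "core-west", 3600)])
    cur.executemany("INSERT INTO interfaces VALUES (?, ?, ?, ?)",
                    [(10, 1, "ge-0/0/0", "up"), (11, 1, "ge-0/0/1", "down"), (20, 2, "ge-0/0/0", "up")])
    # alice may see the east router and its interfaces; bob may see every managed object.
    cur.executemany("INSERT INTO permissions VALUES (?, ?)",
                    [("alice", 1), ("alice", 10), ("alice", 11),
                     ("bob", 1), ("bob", 2), ("bob", 10), ("bob", 11), ("bob", 20)])
    conn.commit()
    return conn


def access_control_procedure(sql: str) -> str:
    """Rewrite a SELECT so every managed table is replaced by its permitted subset of rows.

    Each FROM/JOIN reference to a managed table becomes a subquery restricted through the
    permissions table, so whatever WHERE, JOIN or aggregate the user wrote is evaluated
    only over rows the access control database would let that user see. The user is
    bound at execution time via the :user_name parameter.
    """
    def restrict(match: re.Match) -> str:
        keyword, table = match.group(1), match.group(2)
        if table.lower() not in MANAGED_TABLES:
            return match.group(0)  # not management information: leave the reference alone
        return (f"{keyword} (SELECT * FROM {table} WHERE object_id IN "
                f"(SELECT object_id FROM permissions WHERE user_name = :user_name)) AS {table}")

    return _TABLE_REF.sub(restrict, sql)


def intercept(conn: sqlite3.Connection, user_name: str, sql: str) -> list:
    """Entry point for every user request; only SELECTs are served, and only after rewriting."""
    statement = sql.strip()
    if not re.match(r"SELECT\b", statement, re.IGNORECASE):
        # Choice made in this example: anything that is not a SELECT is refused, not forwarded.
        raise PermissionError("only SELECT statements are served through this interface")
    return conn.execute(access_control_procedure(statement), {"user_name": user_name}).fetchall()


if __name__ == "__main__":
    db = build_database()
    query = "SELECT ifname, oper_status FROM interfaces ORDER BY object_id"
    for user in ("alice", "bob", "carol"):
        print(user, intercept(db, user, query))
```

Because the restriction is applied to the table reference rather than appended to the user's WHERE clause, a request such as `SELECT * FROM interfaces WHERE object_id = 20` from a user without a grant for object 20 returns no rows instead of leaking one, and a user absent from the permissions table sees nothing at all.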
390 Citations
13 Claims
6. A method of controlling access to managed objects in a distributed network, comprising the steps of:
storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
sending management information from the network to a database management system;
in the database management system:
storing in a first set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows the management information for corresponding managed objects;
storing in at least one permissions table, including permission objects, the permission objects collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users;
intercepting a user access request to access management information stored in the database tables;
invoking an access control procedure when the user access request is a select statement to access any of the set of database tables;
limiting access, in the access control procedure, to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
accessing management information stored in the permitted rows in the set of database tables.
Specification