System and method for providing database access control in a secure distributed network

US 6,085,191 A
Filed: 03/25/1998
Issued: 07/04/2000
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. An access control system for controlling access to managed objects in a distributed network, comprising:

an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;

at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;

a database management system; and

an information transfer mechanism for sending management information associated with the managed objects from the network to the database management system;

the database management system including;

database tables for storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;

a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;

view access control means for specifying which views in the set of views are useable by specified ones of the users; and

a database access engine for accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. A set of views limits access to the management information stored in the database tables. Each view defines a subset of rows in the database tables that are accessible when using this view. The set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one the users. A view access control means specifies which views in the set of views are useable by specified ones of the users. The database access engine accesses information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.

308 Citations

27 Claims

1. An access control system for controlling access to managed objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
  
  a database management system; and
  
  an information transfer mechanism for sending management information associated with the managed objects from the network to the database management system;
  
  the database management system including;
  
  database tables for storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;
  
  a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  
  view access control means for specifying which views in the set of views are useable by specified ones of the users; and
  
  a database access engine for accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further including means for generating the set of views for a specified set of users and a specified subset of the managed objects.
  - 3. The system of claim 1, further including means for generating the set of views for a specified set of users and a specified set of database tables wherein a subset of views of the set of views corresponds to a user-table pairing that associates a particular user of the specified set of users with at least one table of the specified set of database tables.
  - 4. The system of claim 2 wherein the means for generating the set of views generates at least one view by creating an explicit reference to each row that a particular user of the specified set of users is permitted to access.
  - 5. The system of claim 2 wherein the means for generating the set of views generates at least one view by mapping the user access rights stored in the access control data base to an implicit reference to at least one row that a particular user is permitted to access.
  - 6. The system of claim 1 wherein the access control database provides means for grouping users into groups, a group being capable of having a plurality of users, the access control database specifying access rights by groups, andthe database management system further includes:
    - a set of group views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the groups,wherein the view access control means specifies which views in the set of views are usable by specified ones of the groups, andthe database access engine for accessing information in the set of database tables using the set of group views such that a particular user belonging to a particular group is allowed access only to management information in the set of database tables that the particular group would be allowed to access by the access control database.
  - 7. The system of claim 1, further including means for updating the set of views for a specified set of users and a specified subset of the managed objects.
  - 8. The system of claim 7 wherein the means for updating is invoked when a new managed object is added.
  - 9. The system of claim 7 wherein the means for updating is invoked when the specified access rights are changed.

10. A method of controlling access to managed objects in a distributed network, comprising:
- storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
  
  a database management system; and
  
  sending management information associated with the managed objects from the network to the database management system;
  
  in the database management system;
  
  storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows management information for corresponding managed objects;
  
  storing a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  
  specifying which views in the set of views are useable by specified ones of the users; and
  
  accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising generating the set of views for a specified set of users and a specified set of database tables wherein at least a subset of views of the set of views corresponds to a user-table pairing that associates a particular user of the specified set of users with at least one table of the specified set of database tables.
  - 12. The method of claim 10, further comprising generating the set of views for a specified set of users and a specified subset of the managed objects.
  - 13. The method of claim 12, wherein the generating the set of views generates at least one view by creating an explicit reference to each row that a particular user of the specified set of users is permitted to access.
  - 14. The method of claim 12 wherein the generating the set of views generates at least one view by mapping the user access rights stored in the access control data base to an implicit reference to at least one row that a particular user is permitted to access.
  - 15. The method of claim 10 further comprising the of:
    - grouping users into groups;
      
      specifying access rights of the groups; and
      
      limiting access, using a set of views, to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the groups,specifying which views in the set of views are usable by specified ones of the groups, andaccessing information in the set of database tables using the set of views such that a particular user in a particular group is allowed access only to management information in the set of database tables that the particular group would be allowed by the access control database to access.
  - 16. The method of claim 10, further including updating the set of views for a specified set of users and a specified subset of the managed objects.
  - 17. The method of claim 16 wherein the updating is invoked when a new managed object is added.
  - 18. The method of claim 16 wherein the updating is invoked when the specified access rights are changed.

19. A computer program product for use in conjunction with a computer system, the computer program product for controlling access to managed objects in a distributed network, comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  at least one access control server that provides users access to the managed objects in accordance with the access rights specified by the access control database;
  
  a database management system; and
  
  an information transfer module that sends management information from the network to the database management system;
  
  the database management system including;
  
  a set of database tables that store the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;
  
  a set of views that limit access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one the users;
  
  instructions that specify which views in the set of views are useable by specified ones of the users; and
  
  wherein information is accessed in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The computer program product of claim 19, wherein the computer readable program mechanism further comprises:
    - instructions that generate the set of views for a specified set of users and a specified set of database tables wherein at least a subset of views of the set of views corresponds to a user-table pairing that associates a particular user of the specified set of users with at least one table of the specified set of database tables.
  - 21. The computer program product of claim 19, wherein the computer readable program mechanism further comprises instructions that generate the set of views for a specified set of users and a specified subset of the managed objects.
  - 22. The computer program product of claim 21, wherein the wherein the instructions that generate the set of views generates at least one view by creating an explicit reference to each row that a particular user of the specified set of users is permitted to access.
  - 23. The computer program product of claim 21, wherein the computer readable program mechanism further comprises instructions that generate at least one view by mapping the user access rights stored in the access control data base to an implicit reference to at least one row that a particular user is permitted to access.
  - 24. The computer program product of claim 19, wherein the computer readable program mechanism further comprises:
    - instructions that group users into groups, wherein the access control database specifies access rights of the groups; and
      
      instructions that limit access, using a set of views, to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the groups, andinstructions that specify which views in the set of views are usable by specified ones of the groups,wherein the set of views accesses information in the set of database tables such that a particular user in a particular group is allowed access only to management information in the set of database tables that the particular group would be allowed by the access control database to access.
  - 25. The computer program product of claim 19, wherein the computer readable program mechanism further comprises:
    - instructions that update the set of views for a specified set of users and a specified subset of the managed objects.
  - 26. The computer program product of claim 25, wherein the instructions that update the set of views are invoked when a new managed object is added.
  - 27. The computer program product of claim 25, wherein the instructions that update the set of views are invoked when the specified access rights are changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Bapat, Subodh, Fisher, Bart Lee
Primary Examiner(s)
Breene, John E.
Assistant Examiner(s)
ROBINSON, GRETA LEE

Application Number

US09/047,906
Time in Patent Office

832 Days
Field of Search

707/10, 707/9, 707/1, 707/201
US Class Current

707/737
CPC Class Codes

G06F 1/00   Details not covered by grou...

G06F 21/6227   where protection concerns t...

H04L 41/024   using relational databases ...

H04L 41/28   Restricting access to netwo...

H04L 63/101   Access control lists [ACL]

Y10S 707/955   Object-oriented

Y10S 707/959   Network

Y10S 707/966   Distributed

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

System and method for providing database access control in a secure distributed network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

308 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing database access control in a secure distributed network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

308 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links