System and method for providing database access control in a secure distributed network
First Claim
1. An access control system for controlling access to managed objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
- at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
- a database management system; and
- an information transfer mechanism for sending management information associated with the managed objects from the network to the database management system;
- the database management system including:
  - database tables for storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;
  - a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  - view access control means for specifying which views in the set of views are useable by specified ones of the users; and
  - a database access engine for accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
2 Assignments
0 Petitions
Abstract
An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. A set of views limits access to the management information stored in the database tables. Each view defines a subset of rows in the database tables that are accessible when using this view. The set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users. A view access control means specifies which views in the set of views are useable by specified ones of the users. The database access engine accesses information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
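The following is an added illustration of the architecture the abstract describes, written for this page and not taken from the patent or from any product that implements it. It uses Python's built-in sqlite3 module as the DBMS. The device rows, the region names used as "sets of managed objects", the user names and their access rights are all constructed sample data, and the function names (build_dbms, query_as_user, visible_devices) are assumptions for the example. The security-relevant point it makes concrete is that the access engine never queries a base table on a user's behalf: every request is resolved through a view, and a view may only be used if the view access control table grants it to that user, so the row subset defined by the view bounds what the user can ever see.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed sample: management information for managed objects (network devices).
# Each row is one managed object; "region" names the set of managed objects it belongs to.
DEVICE_ROWS: List[Tuple[str, str, str]] = [
    ("rtr-east-1", "east", "up"),
    ("rtr-east-2", "east", "down"),
    ("sw-west-1", "west", "up"),
]

# Constructed access control database: user -> sets of managed objects the user
# is allowed to obtain management information from.
ACCESS_RIGHTS: Dict[str, Set[str]] = {
    "alice": {"east"},
    "bob": {"west"},
    "carol": {"east", "west"},
}


def build_dbms() -> sqlite3.Connection:
    """Create the database table, one view per managed-object set, and the
    view access control table derived from the access control database."""
    conn = sqlite3.connect(":memory:")
    # Database table: one row per managed object.
    conn.execute(
        "CREATE TABLE device_status "
        "(name TEXT PRIMARY KEY, region TEXT NOT NULL, status TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO device_status VALUES (?, ?, ?)", DEVICE_ROWS)

    # Set of views: each view exposes only the subset of rows belonging to one
    # set of managed objects. Region names come from our own data, never from a
    # user, and are checked before being interpolated into an identifier.
    for region in sorted({row[1] for row in DEVICE_ROWS}):
        assert region.isalnum(), "region names must be plain identifiers"
        conn.execute(
            f"CREATE VIEW v_{region} AS "
            f"SELECT name, status FROM device_status WHERE region = '{region}'"
        )

    # View access control: which views each user may use. Populating it from
    # ACCESS_RIGHTS keeps the view grants consistent with the access control database.
    conn.execute("CREATE TABLE view_access (username TEXT NOT NULL, view_name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO view_access VALUES (?, ?)",
        [(user, f"v_{region}") for user, regions in ACCESS_RIGHTS.items() for region in sorted(regions)],
    )
    conn.commit()
    return conn


def usable_views(conn: sqlite3.Connection, username: str) -> List[str]:
    """Views the view access control table grants to this user."""
    rows = conn.execute(
        "SELECT view_name FROM view_access WHERE username = ? ORDER BY view_name", (username,)
    )
    return [r[0] for r in rows]


def query_as_user(conn: sqlite3.Connection, username: str, view_name: str) -> List[Tuple[str, str]]:
    """Database access engine: every read goes through a view the user is granted.
    Base tables are never queried on the user's behalf, so the view alone bounds
    the rows returned; asking for a table name or an ungranted view is refused."""
    granted = conn.execute(
        "SELECT 1 FROM view_access WHERE username = ? AND view_name = ?", (username, view_name)
    ).fetchone()
    if granted is None:
        raise PermissionError(f"{username} may not use {view_name}")
    # view_name matched a granted row, so it is a known view identifier, not raw input.
    return conn.execute(f"SELECT name, status FROM {view_name} ORDER BY name").fetchall()


def visible_devices(conn: sqlite3.Connection, username: str) -> List[str]:
    """Union of everything the user can see through all views granted to them."""
    names: Set[str] = set()
    for view in usable_views(conn, username):
        names.update(name for name, _status in query_as_user(conn, username, view))
    return sorted(names)


def is_denied(conn: sqlite3.Connection, username: str, view_name: str) -> bool:
    """True when the access engine refuses the request (used to check the deny path)."""
    try:
        query_as_user(conn, username, view_name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = build_dbms()
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, visible_devices(db, user))
```

Two properties are worth checking in any real deployment of this pattern: the view definitions and the view grants must both be derived from the same access control source (here ACCESS_RIGHTS), otherwise a view can silently expose more rows than the access control database allows; and the engine must reject requests that name a base table, since a grant on a view is meaningless if the table behind it is reachable directly.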
308 Citations
27 Claims
1. An access control system for controlling access to managed objects in a distributed network, comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
- at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
- a database management system; and
- an information transfer mechanism for sending management information associated with the managed objects from the network to the database management system;
- the database management system including:
  - database tables for storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;
  - a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  - view access control means for specifying which views in the set of views are useable by specified ones of the users; and
  - a database access engine for accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method of controlling access to managed objects in a distributed network, comprising:
- storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
- at least one access control server for providing users access to the managed objects in accordance with the access rights specified by the access control database;
- a database management system; and
- sending management information associated with the managed objects from the network to the database management system;
- in the database management system:
  - storing in a set of database tables the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores in individual rows management information for corresponding managed objects;
  - storing a set of views for limiting access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  - specifying which views in the set of views are useable by specified ones of the users; and
  - accessing information in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
19. A computer program product for use in conjunction with a computer system, the computer program product for controlling access to managed objects in a distributed network, comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
- at least one access control server that provides users access to the managed objects in accordance with the access rights specified by the access control database;
- a database management system; and
- an information transfer module that sends management information from the network to the database management system;
- the database management system including:
  - a set of database tables that store the management information sent by the information transfer mechanism, wherein each table in the set of database tables stores management information for corresponding managed objects in individual rows;
  - a set of views that limit access to the management information stored in the set of database tables, each view in the set defining a subset of rows in at least one of the database tables which are accessible when using this view, wherein the set of database table rows that are accessible when using each view in the set corresponds to the managed object access rights specified by the access control database for at least one of the users;
  - instructions that specify which views in the set of views are useable by specified ones of the users; and
  - wherein information is accessed in the set of database tables using the set of views such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27