System and method for restricting database access to managed object information using a permissions table that specifies access rights to the managed objects

US 6,236,996 B1
Filed: 12/16/1999
Issued: 05/22/2001
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer program product for controlling access to managed objects in a distributed network, the computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:

instructions that store an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;

instructions for retrieving management information from the managed objects, in response to user access requests, the retrieving instructions including instructions for granting and denying access requests in accordance with the access rights information stored in the access control database;

instructions that send management information from the network to a database management system;

the management information sent to the database system replicating information stored in the managed objects in the network;

instructions that, in the database management system;

store in a set of database tables the management information sent by the send instructions, wherein each table in the set of database tables stores in individual rows the management information for corresponding managed objects;

store in at least one permissions table, including permission objects, the permission objects collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users;

intercept a user access request to access management information stored in the database tables;

invoke an access control procedure when the user access request is a select statement to access any of the set of database tables;

limit access, in the access control procedure, to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and

access management information stored in the permitted rows in the set of database tables.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. An access control procedure limits access to the management information stored in the database tables using at least one permissions table. A permissions table defines a subset of rows in the database tables that are accessible to at least one of the users. The set of database table rows that are accessible corresponds to the managed object access rights specified by the access control database. A user access request to access management information in the database is intercepted, and the access control procedure is invoked when the user access request is a select statement. The database access engine accesses information in the set of database tables using the permissions tables such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.

Citations

38 Claims

1. A computer program product for controlling access to managed objects in a distributed network, the computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- instructions that store an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
  
  instructions for retrieving management information from the managed objects, in response to user access requests, the retrieving instructions including instructions for granting and denying access requests in accordance with the access rights information stored in the access control database;
  
  instructions that send management information from the network to a database management system;
  
  the management information sent to the database system replicating information stored in the managed objects in the network;
  
  instructions that, in the database management system;
  
  store in a set of database tables the management information sent by the send instructions, wherein each table in the set of database tables stores in individual rows the management information for corresponding managed objects;
  
  store in at least one permissions table, including permission objects, the permission objects collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users;
  
  intercept a user access request to access management information stored in the database tables;
  
  invoke an access control procedure when the user access request is a select statement to access any of the set of database tables;
  
  limit access, in the access control procedure, to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
  
  access management information stored in the permitted rows in the set of database tables.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the access control procedure accesses the permitted rows stored in the set of database tables.
  - 3. The method of claim 1 wherein the access control procedure returns a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
  - 4. The method of claim 1 wherein a trigger is used to invoke the access control procedure.
  - 5. The method of claim 1 wherein the select statement causes a trigger to invoke the access control procedure and the access control procedure modifies at least one parameter of the select statement so as to access only the permitted subset of rows.
  - 6. The method of claim 5, further including the updating the at least one permissions table for a specified set of users and a specified subset of the managed objects.
  - 7. The method of claim 6, wherein the updating is invoked when a new managed object is added to the network.
  - 8. The method of claim 6, wherein the updating is invoked when the specified access rights are changed.

9. A computer program product for controlling access to managed objects in a distributed network, the computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
- an access control procedure that limits access to management information stored in a set of database tables, the access control procedure using a set of access rights stored in at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one user;
  
  wherein the at least one permissions table include a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of users;
  
  instructions that intercept a user access request to access management information stored in the set of database tables; and
  
  instructions that invoke the access control procedure when the user access request is a select statement to access any of the set of database tables to define the permitted subset of rows in the database tables;
  
  the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. The computer program product of claim 9 wherein the computer program mechanism further comprises:
11. The computer program product of claim 10 wherein the computer program mechanism further comprises:
- instructions that store an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users.
12. The computer program product of claim 9 wherein the computer program mechanism further comprises:
- a database management system comprising the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
13. The computer program product of claim 9 wherein the computer program mechanism further comprises:
- instructions that access the management information stored in the permitted subset of rows in the set of database tables.
14. The computer program product of claim 9 wherein the computer program mechanism further comprises:
- instructions that receive management information from the network; and
  
  instructions that store in the set of database tables the received management information, wherein each table in the set of database tables stores in rows the management information for corresponding managed objects.
15. The computer program product of claim 9 wherein the computer program mechanism further comprises:
- instructions that store the information that specifies the access rights by users to specified sets of the managed objects in the at least one permissions table.
16. The computer program product of claim 9 wherein the access control procedure further comprises:
- instructions that return a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
17. The computer program product of claim 9 wherein the instructions that invoke the access control procedure include a trigger.
18. The computer program product of claim 9 wherein the select statement causes a trigger to invoke the access control procedure and the access control procedure includes instructions that modify at least one parameter of the select statement so as to access only the permitted subset of rows.

19. A method of controlling access to managed objects in a distributed network, comprising:
- intercepting a user access request to access management information for managed objects stored in a set of database tables; and
  
  invoking an access control procedure to limit access to the management information stored in the set of database tables when the user access request is a select statement to access any of the set of database tables to define the permitted subset of rows in the database tables, the access control procedure using a set of access rights stored in at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to managed object access rights specified by the at least one permissions table for at least one user;
  
  wherein the at least one permissions table includes a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of user;
  
  the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The method of claim 19 further comprising:
21. The method of claim 20 further comprising:
- storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users.
22. The method of claim 19 wherein a database management system includes the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
23. The method of claim 19 further comprising:
- accessing the management information stored in the permitted subset of rows in the set of database tables.
24. The method of claim 19 further comprising:
- receiving management information from the network; and
  
  storing in the set of database tables the received management information, wherein each table in the set of database tables stores in rows the management information for corresponding managed objects.
25. The method of claim 19 further comprising:
- storing the information that specifies the access rights by users to specified sets of the managed objects in the at least one permissions table.
26. The method of claim 19 further comprising:
- returning a list of permitted rows, wherein the select statement uses the returned list to access the permitted rows.
27. The method of claim 19 wherein said invoking includes a trigger.
28. The method of claim 19 wherein the select statement causes a trigger to invoke an access control procedure that modifies at least one parameter of the select statement so as to access only the permitted subset of rows.

29. An access control system for controlling access to managed objects in a distributed network, comprising:
- an interceptor that intercepts a user access request to access management information for managed objects in a set of database tables; and
  
  an access control procedure that limits access to the management in formation stored in the set of database tables when the user access request is a select statement to access the management information for any of the managed objects, the access control procedure using a set of access rights stored in at least one permissions table that define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users;
  
  wherein the at least one permissions table includes a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of users;
  
  the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The computer system of claim 29 wherein the at least one permissions table includes permission objects, the permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network.
  - 31. The computer system of claim 30 further comprising:
32. The computer system of claim 29 further comprising:
- a database management system comprising the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
33. The computer system of claim 29 further comprising:
- a database access engine that accesses the management information stored in the permitted rows in the set of database tables.
34. The computer system of claim 33 wherein the database access engine returns a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
35. The computer system of claim 29 further comprising:
- an information transfer mechanism that receives the management information from the network, and stores the received management information in the set of database tables, wherein each table in the set of database tables stores the management information for corresponding managed objects in rows.
36. The computer system of claim 29 wherein the information that specifies the access rights by users to specified sets of the managed objects is stored in the at least one permissions table.
37. The computer system of claim 29 wherein the access control procedure is invoked using a trigger when the user access request is a select statement to access the management information for any of the managed objects.
38. The computer system of claim 29 wherein the select statement causes a trigger to invoke the access control procedure when the user access request is a select statement to access the management information for any of the managed objects, and the access control procedure includes instructions that modify at least one parameter of the select statement so as to access only the permitted subset of rows.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Bapat, Subodh, Fisher, Bart Lee
Primary Examiner(s)
Black, Thomas
Assistant Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/465,672
Time in Patent Office

523 Days
Field of Search

707/3-6, 707/100-104, 707/201-204, 707/2, 707/9, 709/223, 450/428, 370/217, 370/254, 379/243
US Class Current

1/1
CPC Class Codes

G06F 1/00   Details not covered by grou...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

H04L 41/024   using relational databases ...

H04L 41/28   Restricting access to netwo...

H04L 63/101   Access control lists [ACL]

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99936   Pattern matching access

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99939   Privileged access

Y10S 707/99942   Manipulating data structure...

Y10S 707/99953   Recoverability

System and method for restricting database access to managed object information using a permissions table that specifies access rights to the managed objects

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for restricting database access to managed object information using a permissions table that specifies access rights to the managed objects

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links