System and method for restricting database access to managed object information using a permissions table that specifies access rights to the managed objects
Abstract
An access control database has access control objects that collectively store information that specifies access rights by users to specified sets of the managed objects. The specified access rights include access rights to obtain management information from the network. An access control server provides users access to the managed objects in accordance with the access rights specified by the access control database. An information transfer mechanism sends management information from the network to a database management system (DBMS) for storage in a set of database tables. Each database table stores management information for a corresponding class of managed objects. An access control procedure limits access to the management information stored in the database tables using at least one permissions table. A permissions table defines a subset of rows in the database tables that are accessible to at least one of the users. The set of database table rows that are accessible corresponds to the managed object access rights specified by the access control database. A user access request to access management information in the database is intercepted, and the access control procedure is invoked when the user access request is a select statement. The database access engine accesses information in the set of database tables using the permissions tables such that each user is allowed access only to management information in the set of database tables that the user would be allowed by the access control database to access.
38 Claims
1. A computer program product for controlling access to managed objects in a distributed network, the computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
instructions that store an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network;
instructions for retrieving management information from the managed objects, in response to user access requests, the retrieving instructions including instructions for granting and denying access requests in accordance with the access rights information stored in the access control database;
instructions that send management information from the network to a database management system;
the management information sent to the database system replicating information stored in the managed objects in the network;
instructions that, in the database management system:
store in a set of database tables the management information sent by the send instructions, wherein each table in the set of database tables stores in individual rows the management information for corresponding managed objects;
store in at least one permissions table, including permission objects, the permission objects collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users;
intercept a user access request to access management information stored in the database tables;
invoke an access control procedure when the user access request is a select statement to access any of the set of database tables;
limit access, in the access control procedure, to the management information stored in the set of database tables, the access control procedure using the set of access rights stored in the at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users; and
access management information stored in the permitted rows in the set of database tables.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A computer program product for controlling access to managed objects in a distributed network, the computer program product for use in conjunction with a computer system, the computer program product comprising a computer readable storage medium and a computer program mechanism embedded therein, the computer program mechanism comprising:
an access control procedure that limits access to management information stored in a set of database tables, the access control procedure using a set of access rights stored in at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one user;
wherein the at least one permissions table includes a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of users;
instructions that intercept a user access request to access management information stored in the set of database tables; and
instructions that invoke the access control procedure when the user access request is a select statement to access any of the set of database tables to define the permitted subset of rows in the database tables;
the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18.
one or more instructions that create the at least one permissions table including permission objects, the permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network.
11. The computer program product of claim 10 wherein the computer program mechanism further comprises:
instructions that store an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users.
12. The computer program product of claim 9 wherein the computer program mechanism further comprises:
a database management system comprising the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
13. The computer program product of claim 9 wherein the computer program mechanism further comprises:
instructions that access the management information stored in the permitted subset of rows in the set of database tables.
14. The computer program product of claim 9 wherein the computer program mechanism further comprises:
instructions that receive management information from the network; and
instructions that store in the set of database tables the received management information, wherein each table in the set of database tables stores in rows the management information for corresponding managed objects.
15. The computer program product of claim 9 wherein the computer program mechanism further comprises:
instructions that store the information that specifies the access rights by users to specified sets of the managed objects in the at least one permissions table.
16. The computer program product of claim 9 wherein the access control procedure further comprises:
instructions that return a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
17. The computer program product of claim 9 wherein the instructions that invoke the access control procedure include a trigger.
18. The computer program product of claim 9 wherein the select statement causes a trigger to invoke the access control procedure and the access control procedure includes instructions that modify at least one parameter of the select statement so as to access only the permitted subset of rows.
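The mechanism claimed above (a permissions table of grant and deny entries, an access control procedure that resolves them into a permitted row set, an interceptor that only lets select statements through, and the two enforcement variants of claims 16 and 18: returning a list of permitted rows, or modifying the select statement itself) can be demonstrated compactly against an embedded database. The following is an added example written for this page, not code from the patent or its assignee. It assumes sqlite3 as the DBMS, a single management table named managed_devices, a permissions table whose scope is either a whole site or a single device id, a constructed user-to-group mapping, and a combining rule (deny overrides grant) that the claims leave to "a predefined set of rules"; all table names, column names, function names and sample rows are constructed for the example.

```python
"""Row-level access control over replicated management information.

Added example (not part of the patent). Assumed schema and rule set:
  managed_devices(id, name, site, status)  -- one row per managed object
  permissions(principal, principal_kind, scope_kind, scope_value, effect)
      principal_kind: 'user' | 'group'; scope_kind: 'site' | 'device';
      effect: 'grant' | 'deny'
  Combining rule (assumption): a deny entry overrides any grant entry.
"""
import re
import sqlite3

# Constructed sample data: management information replicated from the network.
DEVICES = [
    (1, "router-a", "site-ny", "up"),
    (2, "router-b", "site-ny", "down"),
    (3, "switch-c", "site-sf", "up"),
    (4, "switch-d", "site-sf", "up"),
]

# Constructed permission objects (grant and deny entries).
PERMISSIONS = [
    ("netops", "group", "site", "site-ny", "grant"),
    ("netops", "group", "site", "site-sf", "grant"),
    ("alice", "user", "device", "2", "deny"),   # alice is in netops but may not see router-b
    ("bob", "user", "device", "3", "grant"),
]

# Constructed group membership; a real system would take this from the directory.
GROUPS = {"alice": ["netops"], "bob": [], "carol": ["netops"]}

SELECT_RE = re.compile(r"^\s*select\b", re.IGNORECASE)
TABLE_RE = re.compile(r"\bmanaged_devices\b", re.IGNORECASE)


def build_db():
    """Create the management table and the permissions table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE managed_devices (id INTEGER PRIMARY KEY, name TEXT, site TEXT, status TEXT)")
    conn.execute("CREATE TABLE permissions (principal TEXT, principal_kind TEXT, "
                 "scope_kind TEXT, scope_value TEXT, effect TEXT)")
    conn.executemany("INSERT INTO managed_devices VALUES (?, ?, ?, ?)", DEVICES)
    conn.executemany("INSERT INTO permissions VALUES (?, ?, ?, ?, ?)", PERMISSIONS)
    return conn


def permitted_rows(conn, user):
    """Access control procedure: resolve grant/deny entries into a sorted list of permitted ids."""
    principals = [("user", user)] + [("group", g) for g in GROUPS.get(user, [])]
    granted, denied = set(), set()
    for kind, name in principals:
        rows = conn.execute(
            "SELECT scope_kind, scope_value, effect FROM permissions "
            "WHERE principal_kind = ? AND principal = ?", (kind, name))
        for scope_kind, scope_value, effect in rows:
            if scope_kind == "site":
                ids = {r[0] for r in conn.execute(
                    "SELECT id FROM managed_devices WHERE site = ?", (scope_value,))}
            elif scope_kind == "device":
                ids = {int(scope_value)}
            else:
                raise ValueError("unknown scope kind: %r" % scope_kind)
            (granted if effect == "grant" else denied).update(ids)
    return sorted(granted - denied)   # deny overrides grant (assumed rule)


def rewrite_select(sql, ids):
    """Modify the select statement so it can only reach the permitted rows.

    Every reference to the managed table is replaced by a subquery restricted to
    the permitted ids; the alias keeps the user's column references valid.
    Scope of this rewrite: plain table references without a user-supplied alias.
    """
    if ids:
        row_filter = "WHERE id IN (%s)" % ",".join(str(int(i)) for i in ids)
    else:
        row_filter = "WHERE 0"   # empty permitted set: no rows at all
    guarded = "(SELECT * FROM managed_devices %s) AS managed_devices" % row_filter
    return TABLE_RE.sub(guarded, sql)


def guarded_select(conn, user, sql, params=()):
    """Interceptor: only select statements are routed to the access control procedure."""
    if not SELECT_RE.match(sql):
        raise PermissionError("only select statements are accepted through this interface")
    return conn.execute(rewrite_select(sql, permitted_rows(conn, user)), params).fetchall()


if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, permitted_rows(db, who),
              guarded_select(db, who, "SELECT name FROM managed_devices ORDER BY id"))
```

The permitted list returned by permitted_rows is the claim 16 style of enforcement (the caller could use it directly in its own query), while rewrite_select is the claim 18 style (the statement itself is modified before the database engine sees it). The regular-expression rewrite is deliberately narrow; a production deployment would use the DBMS's own row-level security policies or views rather than textual rewriting, so that aliased or nested references to the table cannot bypass the filter.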
19. A method of controlling access to managed objects in a distributed network, comprising:
intercepting a user access request to access management information for managed objects stored in a set of database tables; and
invoking an access control procedure to limit access to the management information stored in the set of database tables when the user access request is a select statement to access any of the set of database tables to define the permitted subset of rows in the database tables, the access control procedure using a set of access rights stored in at least one permissions table to define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to managed object access rights specified by the at least one permissions table for at least one user;
wherein the at least one permissions table includes a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of users;
the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
Dependent claims: 20, 21, 22, 23, 24, 25, 26, 27, 28.
creating the at least one permissions table including permission objects, the permission objects for collectively storing information that specifies the access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network.
21. The method of claim 20 further comprising:
storing an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users.
22. The method of claim 19 wherein a database management system includes the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
23. The method of claim 19 further comprising:
accessing the management information stored in the permitted subset of rows in the set of database tables.
24. The method of claim 19 further comprising:
receiving management information from the network; and
storing in the set of database tables the received management information, wherein each table in the set of database tables stores in rows the management information for corresponding managed objects.
25. The method of claim 19 further comprising:
storing the information that specifies the access rights by users to specified sets of the managed objects in the at least one permissions table.
26. The method of claim 19 further comprising:
returning a list of permitted rows, wherein the select statement uses the returned list to access the permitted rows.
27. The method of claim 19 wherein said invoking includes a trigger.
28. The method of claim 19 wherein the select statement causes a trigger to invoke an access control procedure that modifies at least one parameter of the select statement so as to access only the permitted subset of rows.
29. An access control system for controlling access to managed objects in a distributed network, comprising:
an interceptor that intercepts a user access request to access management information for managed objects in a set of database tables; and
an access control procedure that limits access to the management information stored in the set of database tables when the user access request is a select statement to access the management information for any of the managed objects, the access control procedure using a set of access rights stored in at least one permissions table that define a permitted subset of rows in at least one of the database tables that are accessible, wherein the permitted subset of rows corresponds to the managed object access rights specified by the at least one permissions table for at least one of the users;
wherein the at least one permissions table includes a plurality of grant entries and a plurality of deny entries, each grant entry specifying one or more rows in at least one of the database tables that are accessible by a specified user or group of users, and each deny entry specifying one or more rows in at least one of the database tables that are not accessible by a specified user or group of users;
the access control procedure applying the grant entries and deny entries, if any, applicable to the user access request in accordance with a predefined set of rules so as to define the permitted subset of rows.
Dependent claims: 30, 31, 32, 33, 34, 35, 36, 37, 38.
an access control database, including access control objects, the access control objects collectively storing information that specifies access rights by users to specified sets of the managed objects, the specified access rights including access rights to obtain management information from the network, wherein the access rights of the permission objects correspond to the managed object access rights specified by the access control database for at least one of the users.
32. The computer system of claim 29 further comprising:
a database management system comprising the set of database tables wherein each table in the set of database tables stores management information for corresponding managed objects in rows.
33. The computer system of claim 29 further comprising:
a database access engine that accesses the management information stored in the permitted rows in the set of database tables.
34. The computer system of claim 33 wherein the database access engine returns a list of permitted rows, and the select statement uses the returned list to access the permitted rows.
35. The computer system of claim 29 further comprising:
an information transfer mechanism that receives the management information from the network, and stores the received management information in the set of database tables, wherein each table in the set of database tables stores the management information for corresponding managed objects in rows.
36. The computer system of claim 29 wherein the information that specifies the access rights by users to specified sets of the managed objects is stored in the at least one permissions table.
37. The computer system of claim 29 wherein the access control procedure is invoked using a trigger when the user access request is a select statement to access the management information for any of the managed objects.
38. The computer system of claim 29 wherein the select statement causes a trigger to invoke the access control procedure when the user access request is a select statement to access the management information for any of the managed objects, and the access control procedure includes instructions that modify at least one parameter of the select statement so as to access only the permitted subset of rows.
Specification