Method for storing sparse hierarchical data in a relational database
Abstract
A method for securing sparse access control list (ACL) data in a relational database used as a backing store for a hierarchical-based directory service. The sparse ACL data is secured in a plurality of tables. An owner table stores data objects with explicitly set ACLs. A propagation table stores data on whether individual ACLs are inherited by descendant objects. A permissions table stores data regarding permissions which a user may perform on an object. A source table stores data for a set of ancestor objects having respective ACLs for each of a set of descendant objects. Preferably, the tables are stored in the relational database together with the objects. For a given object, data in the tables is used to determine the given object's entry owner and ACL. The inventive technique has particular applicability in a Lightweight Directory Access Protocol (LDAP) directory service having a relational database as a backing store.
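The four-table layout described in the abstract, as an added worked example; this is not code from the patent or from any product implementing it. It builds a small SQLite schema (table and column names are assumptions), adds directory entries that carry no ACL of their own, sets explicit ACLs on three entries with and without propagation, and keeps the source table current so that resolving an entry's owner and permissions is a single lookup rather than a tree walk at access-check time. The rule that a non-propagating ACL governs only its own entry, and the sample directory itself, are likewise assumptions made for the example.

```python
import sqlite3
from typing import Optional

# Four-table layout following the abstract. Table and column names are assumptions.
SCHEMA = """
CREATE TABLE entry (eid INTEGER PRIMARY KEY, parent INTEGER, dn TEXT UNIQUE NOT NULL);
CREATE TABLE acl_owner     (eid INTEGER PRIMARY KEY, owner TEXT NOT NULL);  -- explicit ACLs only
CREATE TABLE acl_propagate (eid INTEGER PRIMARY KEY, propagate INTEGER NOT NULL);  -- 1: descendants inherit
CREATE TABLE acl_perm      (eid INTEGER, subject TEXT, perm TEXT, PRIMARY KEY (eid, subject, perm));
CREATE TABLE acl_source    (eid INTEGER PRIMARY KEY, src INTEGER);  -- entry -> entry whose ACL governs it
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def eid_of(conn, dn: str) -> int:
    row = conn.execute("SELECT eid FROM entry WHERE dn = ?", (dn,)).fetchone()
    if row is None:
        raise KeyError(dn)
    return row[0]

def resolve_source(conn, eid: int) -> Optional[int]:
    """Walk up the hierarchy: the entry's own explicit ACL wins; otherwise the nearest
    ancestor whose explicit ACL propagates. A non-propagating ACL governs only its own
    entry (assumed semantics). Returns None when no ACL applies."""
    cur, is_self = eid, True
    while cur is not None:
        row = conn.execute(
            "SELECT p.propagate FROM acl_owner o LEFT JOIN acl_propagate p ON p.eid = o.eid "
            "WHERE o.eid = ?", (cur,)).fetchone()
        if row is not None and (is_self or row[0]):
            return cur
        cur = conn.execute("SELECT parent FROM entry WHERE eid = ?", (cur,)).fetchone()[0]
        is_self = False
    return None

def add_entry(conn, dn: str, parent_dn: Optional[str] = None) -> int:
    parent = eid_of(conn, parent_dn) if parent_dn else None
    eid = conn.execute("INSERT INTO entry (parent, dn) VALUES (?, ?)", (parent, dn)).lastrowid
    # The new entry has no explicit ACL, so record which ancestor's ACL governs it.
    conn.execute("INSERT INTO acl_source VALUES (?, ?)", (eid, resolve_source(conn, eid)))
    return eid

def refresh_sources(conn, eid: int) -> None:
    """Recompute acl_source for eid and its whole subtree after an ACL change."""
    stack = [eid]
    while stack:
        cur = stack.pop()
        conn.execute("INSERT OR REPLACE INTO acl_source VALUES (?, ?)", (cur, resolve_source(conn, cur)))
        stack.extend(r[0] for r in conn.execute("SELECT eid FROM entry WHERE parent = ?", (cur,)))

def set_acl(conn, dn: str, owner: str, perms: dict, propagate: bool) -> None:
    """Attach an explicit ACL to dn (owner, propagation flag, per-subject permissions)."""
    eid = eid_of(conn, dn)
    conn.execute("INSERT OR REPLACE INTO acl_owner VALUES (?, ?)", (eid, owner))
    conn.execute("INSERT OR REPLACE INTO acl_propagate VALUES (?, ?)", (eid, int(propagate)))
    conn.execute("DELETE FROM acl_perm WHERE eid = ?", (eid,))
    conn.executemany("INSERT INTO acl_perm VALUES (?, ?, ?)",
                     [(eid, subj, p) for subj, ps in perms.items() for p in ps])
    refresh_sources(conn, eid)

def effective_acl(conn, dn: str):
    """Owner and permissions governing dn: one source-table lookup, no tree walk."""
    src = conn.execute("SELECT src FROM acl_source WHERE eid = ?", (eid_of(conn, dn),)).fetchone()[0]
    if src is None:
        return None, {}
    owner = conn.execute("SELECT owner FROM acl_owner WHERE eid = ?", (src,)).fetchone()[0]
    perms: dict = {}
    for subj, p in conn.execute("SELECT subject, perm FROM acl_perm WHERE eid = ?", (src,)):
        perms.setdefault(subj, set()).add(p)
    return owner, perms

def may(conn, dn: str, subject: str, perm: str) -> bool:
    return perm in effective_acl(conn, dn)[1].get(subject, set())

def source_dn(conn, dn: str) -> Optional[str]:
    src = conn.execute("SELECT src FROM acl_source WHERE eid = ?", (eid_of(conn, dn),)).fetchone()[0]
    row = conn.execute("SELECT dn FROM entry WHERE eid = ?", (src,)).fetchone()
    return row[0] if row else None

def build_demo() -> sqlite3.Connection:
    """Constructed sample directory: six entries, only three with explicit ACLs."""
    conn = open_db()
    add_entry(conn, "o=example")
    add_entry(conn, "ou=people,o=example", "o=example")
    add_entry(conn, "cn=alice,ou=people,o=example", "ou=people,o=example")
    add_entry(conn, "cn=cert,cn=alice,ou=people,o=example", "cn=alice,ou=people,o=example")
    add_entry(conn, "ou=secret,o=example", "o=example")
    add_entry(conn, "cn=plan,ou=secret,o=example", "ou=secret,o=example")
    set_acl(conn, "o=example", "cn=admin",
            {"cn=admin": {"read", "write", "add", "delete"}, "cn=staff": {"read"}}, propagate=True)
    set_acl(conn, "cn=alice,ou=people,o=example", "cn=alice",
            {"cn=alice": {"read", "write"}, "cn=hr": {"read"}}, propagate=False)
    set_acl(conn, "ou=secret,o=example", "cn=admin", {"cn=admin": {"read", "write"}}, propagate=True)
    return conn
```

The point to notice is where the cost lands: `set_acl` pays for walking the subtree once when an ACL changes, so that `effective_acl` and `may` never walk the tree. `cn=cert` under `cn=alice` shows the propagation flag at work: Alice's non-propagating ACL is skipped and the certificate entry falls back to the ACL on `o=example`.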
14 Claims

1. A relational database, comprising:
  a first table storing data on objects with explicitly set ACLs;
  a second table storing data on whether individual ACLs are inherited by descendant objects;
  a third table storing data regarding permissions which a user may perform on an object; and
  a fourth table storing data for a set of ancestor objects having respective ACLs for each of a set of descendant objects.

2. A computer program product in a computer-readable medium for use in a sparse access control list (ACL) mechanism wherein entries without an explicitly set ACL inherit an ACL set for an ancestor entry, comprising:
  means for storing in a first table data on objects with explicitly set ACLs;
  means for storing in a second table data on whether individual ACLs are inherited by descendant objects;
  means for storing in a third table data regarding permissions which a user may perform on an object;
  means for storing in a fourth table data for a set of ancestor objects having respective ACLs for each of a set of descendant objects; and
  means for using data in the first, second, third and fourth tables for a given object, to determine the given object's entry owner and ACL.

3. In a sparse access control list (ACL) mechanism wherein entries without an explicitly set ACL inherit an ACL set for an ancestor entry, a method for securing ACL data in a relational database, comprising the steps of:
  storing in a first table data on objects with explicitly set ACLs;
  storing in a second table data on whether individual ACLs are inherited by descendant objects;
  storing in a third table data regarding permissions which a user may perform on an object;
  storing in a fourth table data for a set of ancestor objects having respective ACLs for each of a set of descendant objects; and
  for a given object, using data in the first, second, third and fourth tables to determine the given object's entry owner and ACL.
Dependent claims 4, 5, 6, 7 and 8 depend from claim 3 and are not reproduced on this page.

9. In a directory service having a directory organized as a naming hierarchy, the hierarchy including a plurality of entries each represented by a unique identifier, the improvement comprising:
  a relational database management system having a backing store for storing directory data;
  a sparse access control list (ACL) mechanism wherein entries without an explicitly set ACL inherit an ACL set for an ancestor entry; and
  means for securing ACL data in the backing store in a plurality of tables, including:
    a first table storing data on objects with explicitly set ACLs;
    a second table storing data on whether individual ACLs are inherited by descendant objects;
    a third table storing data regarding permissions which a user may perform on an object; and
    a fourth table storing data for a set of ancestor objects having respective ACLs for each of a set of descendant objects, wherein, for a given object, data in the first, second, third and fourth tables is useful for determining the given object's entry owner and ACL.
Dependent claims 10 and 11 depend from claim 9 and are not reproduced on this page.

12. A directory service, comprising:
  a directory organized as a naming hierarchy having a plurality of entries each represented by a unique identifier;
  a relational database management system having a backing store for storing directory data;
  a sparse access control list (ACL) mechanism wherein entries without an explicitly set ACL inherit an ACL set for an ancestor entry; and
  means for securing ACL data in the backing store in a plurality of tables, including:
    a first table storing data on objects with explicitly set ACLs;
    a second table storing data on whether individual ACLs are inherited by descendant objects;
    a third table storing data regarding permissions which a user may perform on an object; and
    a fourth table storing data for a set of ancestor objects having respective ACLs for each of a set of descendant objects, wherein, for a given object, data in the first, second, third and fourth tables is useful for determining the given object's entry owner and ACL.
Dependent claims 13 and 14 depend from claim 12 and are not reproduced on this page.

Specification