System and method for RDBMS to protect records in accordance with non-RDBMS access control rules
First Claim
1. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:
- receiving a query;
receiving an access control output from at least one algorithm from an information management system (IMS);
in response to the query and the access control output, populating a view for presentation thereof to the user, wherein the query is received from an application, the system includes a database management system (DBMS) hosting the view, and the application directly communicates with the DBMS.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method are provided for an information management system (IMS) having an underlying relational database management system (RDBMS) that allows applications to access the RDBMS directly for improved performance without going through the IMS, while maintaining access control. An access control list (ACL) is generated, with tables in the RDBMS being bound using codes in the ACL. At run time or, more preferably, pre-run time, user-defined functions (UDF) evaluate access control attributes and generate an access authorization table, which is joined with the appropriate information table(s) in response to a query against a view on the table. The view is presented to the querying user. Thus, access control rules are encapsulated in the view that is presented to the user.
-
Citations
29 Claims
-
1. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:
-
receiving a query;
receiving an access control output from at least one algorithm from an information management system (IMS);
in response to the query and the access control output, populating a view for presentation thereof to the user, wherein the query is received from an application, the system includes a database management system (DBMS) hosting the view, and the application directly communicates with the DBMS. - View Dependent Claims (2, 3, 4, 5, 6)
defining at least one view on at least one table in the database;
executing a query against the view using at least the access control output; and
returning the results of the query against the view.
-
-
3. The system of claim 2, wherein the access control output is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.
-
4. The system of claim 3, wherein the tables are joined using a join key, and the join key is at least one access control code.
-
5. The system of claim 4, wherein multiple rows of the information table are bound using respective multiple access control codes.
-
6. The system of claim 4, wherein all rows of the information table are bound using a single access control code.
-
7. A method for enforcing at least one information management system (IMS) access control rule in a data system including at least one application accessing at least one IMS associated with a database management system (DBMS), the application accessing the DBMS using at least one direct communication path bypassing the IMS, the method comprising:
-
receiving a specification for IMS data schema;
generating a DBMS view in response to the specification, the view encapsulating the IMS access control rule; and
presenting the view to a user via the direct communication path. - View Dependent Claims (8, 9, 10, 11, 12)
defining at least one view on at least one table controlled by the DBMS;
executing a query against the view using at least the access control rule; and
returning the results of the query against the view.
-
-
9. The method of claim 8, wherein the access control rule is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.
-
10. The method of claim 9, wherein the tables are joined using a join key, and the join key is at least one access control code.
-
11. The method of claim 10, wherein multiple rows of the information table are bound using respective multiple access control codes.
-
12. The method of claim 10, wherein all rows of the information table are bound using a single access control code.
-
13. A method for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, comprising:
-
providing at least one Access Authorization table (AAT), the AAT containing data representing high level access control rules;
providing at least one information table in the RDBMS; and
in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules. - View Dependent Claims (14, 15, 16)
defining at least one view on at least one table controlled by the DBMS;
executing a query against the view using at least the access control rule; and
returning the results of the query against the view.
-
-
15. The method of claim 14, wherein the tables are joined using a join key, and the join key is at least one access control code binding the information table to the access control rule.
-
16. The method of claim 15, wherein multiple rows of the information table are bound using respective multiple access control codes.
-
17. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:
-
storing the database in a second system;
maintaining access control specifications that restrict access to data;
allowing a user to access data directly through the second system; and
in response to the direct access by the user, causing the second system to enforce the access control specifications without intervention from the data system. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
creating at least one RDBMS view by joining a data table with the first table, wherein the view can be used by the user for directly accessing data.
-
-
25. The system of claim 24, wherein the view includes at least one UDF on the first table, the UDF implementing the data system'"'"'s access control model.
-
26. The system of claim 24, wherein the view is created when the data table is created.
-
27. The system of claim 23, wherein resolutions of the access control specifications are computed using the data system'"'"'s access control model, and are stored in an access authorization table (AAT) in the RDBMS.
-
28. The system of claim 27, wherein at least one RDBMS view is created, the view is a join between a data table and the AAT, and the view is used by a user for direct access to data.
-
29. The system of claim 28, wherein the view is created when the data table is created.
Specification