Database fine-grained access control

US 6,631,371 B1
Filed: 09/18/2002
Issued: 10/07/2003
Est. Priority Date: 10/05/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for accessing data, the method comprising the steps of:

storing values for a set of context attributes;

appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and

executing the query as if the predicate specified the value associated with the particular context attribute.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and mechanism are provided for accessing data. Values are stored for a set of context attributes associated with a session between a database user and a database server. The database system includes an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy. During the session, the database server executes a query that contains a reference to one or more of the context attributes. For example, the query may contain a predicate that requires a comparison between a context attribute value and a constant. The database server processes the query based on current values of the one or more of the context attributes referenced in the query. A mechanism is also provided for dynamically attaching predicates to queries, where the predicates are attached based on a policy. For example, the database system detects that a query is issued against a database object. Prior to executing the query, a policy function associated with the database object is invoked. The policy function creates a modified query by selectively adding zero or more predicates to the query based on a policy associated with the database object. The modified query is then executed.

Citations

38 Claims

1. A method for accessing data, the method comprising the steps of:
- storing values for a set of context attributes;
  
  appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and
  
  executing the query as if the predicate specified the value associated with the particular context attribute.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the particular context attribute is associated with a date, and the step of executing the query includes executing the query as if the predicate specified the date.
  - 3. The method of claim 1, wherein the particular context attribute is associated with a time, and the step of executing the query includes executing the query as if the predicate specified the time.
  - 4. The method of claim 1, wherein the particular context attribute is associated with a type of application, and the step of executing the query includes executing the query as if the predicate specified the type of application.

5. A method for accessing data, the method comprising the steps of:
- storing values for a set of context attributes;
  
  providing an attribute accessing mechanism that accesses the set of context attributes;
  
  executing a policy function to determine the current value of a particular context attribute from the set of context attributes by invoking the attribute accessing mechanism; and
  
  appending the current value to a predicate of a query.

6. A method of accessing data, the method comprising the steps of:
- storing values for a set of context attributes;
  
  providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy; and
  
  enforcing the policy based at least in part on whether a statement in a query is at least one of SELECT, INSERT, UPDATE, and DELETE statement.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein the statement is a SELECT statement, and the step of enforcing the policy is based at least in part on the fact that the statement is a SELECT statement.
  - 8. The method of claim 6, wherein the statement is an INSERT statement, and the step of enforcing the policy is based at least in part on the statement being an INSERT statement.
  - 9. The method of claim 6, wherein the statement is an UPDATE statement, and the step of enforcing the policy is based at least in part on the statement being an UPDATE statement.
  - 10. The method of claim 6, wherein the statement is a DELETE statement, and the step of enforcing the policy is based at least in part on the statement being a DELETE statement.

11. A method for a plurality of participating database servers participating in a distributed transaction to access data, the method comprising the steps of:
- storing values for a set of context attributes within a participating database server of said plurality of participating database servers;
  
  providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy;
  
  each participating database server of the plurality of database servers accessing data by performing the steps of;
  
  executing a query that contains a reference to one or more of the context attributes; and
  
  processing the query based on current values of the one or more of the context attributes.

12. A computer-readable medium carrying instructions for accessing data, the instructions comprising instructions for performing the steps of:
- storing values for a set of context attributes;
  
  appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and
  
  executing the query as if the predicate specified the value associated with the particular context attribute.
- View Dependent Claims (13, 14, 15)
- - 13. The computer-readable medium of claim 12, wherein the particular context attribute is associated with a date, and the step of executing the query includes executing the query as if the predicate specified the date.
  - 14. The computer-readable medium of claim 12, wherein the particular context attribute is associated with a time, and the step of executing the query includes executing the query as if the predicate specified the time.
  - 15. The computer-readable medium of claim 12, wherein the particular context attribute is associated with a type of application, and the step of executing the query includes executing the query as if the predicate specified the type of application.

16. A computer-readable medium for accessing data, the instructions comprising instructions for performing the steps of:
- storing values for a set of context attributes;
  
  providing an attribute accessing mechanism that accesses the set of context attributes;
  
  executing a policy function to determine the current value of a particular context attribute from the set of context attributes by invoking the attribute accessing mechanism; and
  
  appending the current value to a predicate of a query.

17. A computer-readable medium for accessing data, the instructions comprising instructions for performing the steps of:
- storing values for a set of context attributes;
  
  providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy; and
  
  enforcing the policy based at least in part on whether a statement in a query is at least one of SELECT, INSERT, UPDATE, and DELETE statement.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer-readable medium of claim 17, wherein the statement is a SELECT statement, and the step of enforcing the policy is based at least in part on the statement being a SELECT statement.
  - 19. The computer-readable medium of claim 17, wherein the statement is an INSERT statement, and the step of enforcing the policy is based at least in part on the statement being an INSERT statement.
  - 20. The computer-readable medium of claim 17, wherein the statement is an UPDATE statement, and the step of enforcing the policy is based at least in part on the statement being an UPDATE statement.
  - 21. The computer-readable medium of claim 17, wherein the statement is a DELETE statement, and the step of enforcing the policy is based at least in part on the statement being a DELETE statement.

22. A computer-readable medium for a plurality of participating database servers participating in a distributed transaction to access data, the instructions comprising instructions for performing the steps of:
- storing values for a set of context attributes within a participating database server of said plurality of participating database servers;
  
  providing an attribute setting mechanism that selectively restricts access to said set of context attributes based on a policy;
  
  each participating database server of the plurality of database servers accessing data by performing the steps of;
  
  executing a query that contains a reference to one or more of the context attributes; and
  
  processing the query based on current values of the one or more of the context attributes.

23. A method for executing a query issued to a database server by a database client, the method comprising the steps of:
- said database server receiving said query;
  
  transparently to said database client and prior to the database server executing said query;
  
  said database server detecting that said query requires access to a database object, and in response to detecting that said query requires access to said database object;
  
  said database server creating a modified query by selectively adding one or more predicates to said query; and
  
  executing, within said database server, said modified query to access data managed by said database server.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 24. The method of claim 23 wherein:
25. The method of claim 24, wherein the step of adding one or more predicates includes adding at least one predicate that references said one or more of said plurality of context attributes.
26. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 25.
27. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 24.
28. The method of claim 23, wherein:
- said database object is a view that requires access to a particular table; and
  
  wherein said one or more predicates reference an attribute of said particular table.
29. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 28.
30. The method of claim 23 wherein:
- the database object is a table;
  
  the query accesses the table through a view; and
  
  said database server, based on said query accessing the table through said view, performs the step of selectively adding one or more predicates.
31. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 30.
32. The method of claim 23, wherein the steps that are performed transparently to said database client and prior to the database server executing said query include:
- invoking a function that said database server associates with said database object but not with other database objects managed by said database server; and
  
  said function generating the one or more predicates to add.
33. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 32.
34. The method of claim 32, wherein:
- the method further includes invoking an administrative interface; and
  
  wherein invoking said administrative interface causes said database server to generate data that associates said function with said database object.
35. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 34.
36. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 23.

37. A method for executing a query issued to a database server by a database client, the method comprising the steps of:
- invoking an administrative interface supported by the database server;
  
  wherein invoking said administrative interface causes said database server to generate data that associates a function with a database object;
  
  storing values for a set of context attributes within the database server;
  
  providing, within said database server, an attribute setting mechanism that governs access to said set of context attributes;
  
  the database server receiving the query from the database client;
  
  detecting that the query requires access to the database object;
  
  transparently to said database client and prior to the database server executing said query, invoking one or more functions associated with said database object, wherein said one or more functions includes said function;
  
  wherein invoking said function causes the attribute setting mechanism to change a value of said set of context attributes; and
  
  processing said query based on current values of said set of said context attributes.
- View Dependent Claims (38)
- - 38. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 37.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle Corporation
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Lei, Chon Hei, McMahon, Douglas James
Primary Examiner(s)
KINDRED, ALFORD W

Application Number

US10/247,323
Time in Patent Office

384 Days
Field of Search

707/1-6, 707/100-103, 707/103.Y, 707/500, 707/526, 707/529-530
US Class Current

707/694
CPC Class Codes

G06F 16/24575   using context

G06F 21/6227   where protection concerns t...

Y10S 707/955   Object-oriented

Y10S 707/966   Distributed

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99934   Query formulation, input pr...

Y10S 707/99935   Query augmenting and refini...

Y10S 707/99939   Privileged access

Database fine-grained access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Database fine-grained access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links