Database fine-grained access control
First Claim
1. A method for accessing data, the method comprising the steps of:
- storing values for a set of context attributes;
appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and
executing the query as if the predicate specified the value associated with the particular context attribute.
1 Assignment
0 Petitions
Accused Products
Abstract
A method and mechanism are provided for accessing data. Values are stored for a set of context attributes associated with a session between a database user and a database server. The database system includes an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy. During the session, the database server executes a query that contains a reference to one or more of the context attributes. For example, the query may contain a predicate that requires a comparison between a context attribute value and a constant. The database server processes the query based on current values of the one or more of the context attributes referenced in the query. A mechanism is also provided for dynamically attaching predicates to queries, where the predicates are attached based on a policy. For example, the database system detects that a query is issued against a database object. Prior to executing the query, a policy function associated with the database object is invoked. The policy function creates a modified query by selectively adding zero or more predicates to the query based on a policy associated with the database object. The modified query is then executed.
-
Citations
38 Claims
-
1. A method for accessing data, the method comprising the steps of:
-
storing values for a set of context attributes;
appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and
executing the query as if the predicate specified the value associated with the particular context attribute. - View Dependent Claims (2, 3, 4)
-
-
5. A method for accessing data, the method comprising the steps of:
-
storing values for a set of context attributes;
providing an attribute accessing mechanism that accesses the set of context attributes;
executing a policy function to determine the current value of a particular context attribute from the set of context attributes by invoking the attribute accessing mechanism; and
appending the current value to a predicate of a query.
-
-
6. A method of accessing data, the method comprising the steps of:
-
storing values for a set of context attributes;
providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy; and
enforcing the policy based at least in part on whether a statement in a query is at least one of SELECT, INSERT, UPDATE, and DELETE statement. - View Dependent Claims (7, 8, 9, 10)
-
-
11. A method for a plurality of participating database servers participating in a distributed transaction to access data, the method comprising the steps of:
-
storing values for a set of context attributes within a participating database server of said plurality of participating database servers;
providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy;
each participating database server of the plurality of database servers accessing data by performing the steps of;
executing a query that contains a reference to one or more of the context attributes; and
processing the query based on current values of the one or more of the context attributes.
-
-
12. A computer-readable medium carrying instructions for accessing data, the instructions comprising instructions for performing the steps of:
-
storing values for a set of context attributes;
appending to a query a predicate that identifies a function, wherein the function has an input parameter that identifies a particular context attribute from the set of context attributes; and
executing the query as if the predicate specified the value associated with the particular context attribute. - View Dependent Claims (13, 14, 15)
-
-
16. A computer-readable medium for accessing data, the instructions comprising instructions for performing the steps of:
-
storing values for a set of context attributes;
providing an attribute accessing mechanism that accesses the set of context attributes;
executing a policy function to determine the current value of a particular context attribute from the set of context attributes by invoking the attribute accessing mechanism; and
appending the current value to a predicate of a query.
-
-
17. A computer-readable medium for accessing data, the instructions comprising instructions for performing the steps of:
-
storing values for a set of context attributes;
providing an attribute setting mechanism that selectively restricts access to the set of context attributes based on a policy; and
enforcing the policy based at least in part on whether a statement in a query is at least one of SELECT, INSERT, UPDATE, and DELETE statement. - View Dependent Claims (18, 19, 20, 21)
-
-
22. A computer-readable medium for a plurality of participating database servers participating in a distributed transaction to access data, the instructions comprising instructions for performing the steps of:
-
storing values for a set of context attributes within a participating database server of said plurality of participating database servers;
providing an attribute setting mechanism that selectively restricts access to said set of context attributes based on a policy;
each participating database server of the plurality of database servers accessing data by performing the steps of;
executing a query that contains a reference to one or more of the context attributes; and
processing the query based on current values of the one or more of the context attributes.
-
-
23. A method for executing a query issued to a database server by a database client, the method comprising the steps of:
-
said database server receiving said query;
transparently to said database client and prior to the database server executing said query;
said database server detecting that said query requires access to a database object, and in response to detecting that said query requires access to said database object;
said database server creating a modified query by selectively adding one or more predicates to said query; and
executing, within said database server, said modified query to access data managed by said database server. - View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
the database server maintains values for a plurality of context attributes; and
the database server determines which predicates to add to said query based at least in part on current values of one or more of said plurality of context attributes.
-
-
25. The method of claim 24, wherein the step of adding one or more predicates includes adding at least one predicate that references said one or more of said plurality of context attributes.
-
26. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 25.
-
27. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 24.
-
28. The method of claim 23, wherein:
-
said database object is a view that requires access to a particular table; and
wherein said one or more predicates reference an attribute of said particular table.
-
-
29. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 28.
-
30. The method of claim 23 wherein:
-
the database object is a table;
the query accesses the table through a view; and
said database server, based on said query accessing the table through said view, performs the step of selectively adding one or more predicates.
-
-
31. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 30.
-
32. The method of claim 23, wherein the steps that are performed transparently to said database client and prior to the database server executing said query include:
-
invoking a function that said database server associates with said database object but not with other database objects managed by said database server; and
said function generating the one or more predicates to add.
-
-
33. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 32.
-
34. The method of claim 32, wherein:
-
the method further includes invoking an administrative interface; and
wherein invoking said administrative interface causes said database server to generate data that associates said function with said database object.
-
-
35. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 34.
-
36. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, causes the one or more processors to perform the method recited in claim 23.
-
37. A method for executing a query issued to a database server by a database client, the method comprising the steps of:
-
invoking an administrative interface supported by the database server;
wherein invoking said administrative interface causes said database server to generate data that associates a function with a database object;
storing values for a set of context attributes within the database server;
providing, within said database server, an attribute setting mechanism that governs access to said set of context attributes;
the database server receiving the query from the database client;
detecting that the query requires access to the database object;
transparently to said database client and prior to the database server executing said query, invoking one or more functions associated with said database object, wherein said one or more functions includes said function;
wherein invoking said function causes the attribute setting mechanism to change a value of said set of context attributes; and
processing said query based on current values of said set of said context attributes. - View Dependent Claims (38)
-
Specification