Mechanism for uniform access control in a database system

US 7,051,039 B1
Filed: 09/27/2002
Issued: 05/23/2006
Est. Priority Date: 09/28/2001
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing data in a database system, comprising the steps of:

storing, in content structures, first resources that belong to an information hierarchy and first access control data used to define user access privileges for accessing said first resources;

storing, in a set of hierarchy structures, information that defines hierarchical relationships within said information hierarchy and second access control data used to define user access privileges for accessing said first resources;

maintaining said first access control data and said second access control data to maintain consistency between said first access control data and said second access control;

wherein said content structures include a first set of database objects that contain at least a portion of said first resources and said first access control data;

wherein said hierarchical structures include a second set of database objects, different than said first set of database objects, that contain at least a portion of said information that defines hierarchical relationships and said second access control data;

wherein said first set of database objects are one or more first database objects defined by the database system; and

wherein said second set of database objects are one or more second database objects defined said database system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for facilitating uniform access control to data managed by a database server that can emulate hierarchically organized systems, whether the data is accessed through hierarchical or relational access mechanisms. A database server that can emulate hierarchically organized systems uses separate relational or object-relational database tables to store the content of the resources that belong to a hierarchy (the “content structures”) and information that captures the hierarchy (the “hierarchy structures”). Both types of structures contain access control data that define consistent user access privileges. To determine access privileges for a user requesting access to data in the database, access control information is accessed in the hierarchy structures when the request is made through the hierarchical access mechanism, or accessed in the content structures when the request is made through a relational access mechanism. Access control is consistent between the hierarchical or relational access mechanisms because access through either is governed by user access data that reflects the same privileges.

188 Citations

26 Claims

1. A computer-implemented method for managing data in a database system, comprising the steps of:
- storing, in content structures, first resources that belong to an information hierarchy and first access control data used to define user access privileges for accessing said first resources;
  
  storing, in a set of hierarchy structures, information that defines hierarchical relationships within said information hierarchy and second access control data used to define user access privileges for accessing said first resources;
  
  maintaining said first access control data and said second access control data to maintain consistency between said first access control data and said second access control;
  
  wherein said content structures include a first set of database objects that contain at least a portion of said first resources and said first access control data;
  
  wherein said hierarchical structures include a second set of database objects, different than said first set of database objects, that contain at least a portion of said information that defines hierarchical relationships and said second access control data;
  
  wherein said first set of database objects are one or more first database objects defined by the database system; and
  
  wherein said second set of database objects are one or more second database objects defined said database system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, the steps further including:
    - receiving a request that requests data based on a position of the data within said information hierarchy and that requires a particular type of access to said first resources; and
      
      determining whether the said particular type of access to said first resources is permitted based on said second access control data.
  - 3. The method of claim 2, wherein:
    - the first set of database objects contain one or more tables;
      
      the steps further include;
      
      receiving a request for data that references a first table of said content structures; and
      
      determining whether said particular type of access to the first table is permitted based on said first access control data.
  - 4. The method of claim 1, wherein:
    - the steps further include making a modification to said first access control data; and
      
      wherein the step of maintaining includes causing said second access control data to reflect said modification.
  - 5. The method of claim 1, wherein:
    - the steps further include making a modification to said second access control data; and
      
      wherein the step of maintaining includes causing said first access control data to reflect said modification.
  - 6. The method of claim 1, wherein:
    - said first set of database objects include a table managed by a database server; and
      
      wherein said first access control data is stored in one or more columns of said table.
  - 7. The method of claim 6, wherein;
    - said one or more columns include a column that contains data used to identify a set of users and their access privileges for a resource from said first resources.
  - 8. The method of claim 1, wherein said first access control data references data managed by the database server to define user access privileges.
  - 9. The method of claim 8, wherein said data managed by the database server includes access control lists managed by the database server.
  - 10. The method of claim 1, wherein said second access control data references data managed by the database server to define user access privileges.
  - 11. The method of claim 1, wherein:
    - said first set of database objects include at least one table managed by a database server; and
      
      said first access control data references one or more sources external to said database system.
  - 12. The method of claim 11, wherein:
    - said first access control data includes identifiers that identify a set of users; and
      
      wherein information defining user access privileges of the set of users is managed by a server configured to support LDAP.
  - 13. The method of claim 1, wherein said content structures include one of more data files that contain non-relational data.

14. A computer-readable medium carrying one or more sequences of instructions for managing data in a database system, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- storing, in content structures, first resources that belong to an information hierarchy and first access control data used to define user access privileges for accessing said first resources;
  
  storing, in a set of hierarchy structures, information that defines hierarchical relationships within said information hierarchy and second access control data used to define user access privileges for accessing said first resources;
  
  maintaining said first access control data and said second access control data to maintain consistency between said first access control data and said second access control;
  
  wherein said content structures include a first set of database objects that contain at least a portion of said first resources and said first access control data;
  
  wherein said hierarchical structures include a second set of database objects, different than said first set of database objects that contain at least a portion of said information that defines hierarchical relationships and said second access control data;
  
  wherein said first set of database objects are one or more first database objects defined by the database system; and
  
  wherein said second set of database objects are one or more second database objects defined said database system.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The computer-readable medium of claim 14, the steps further including:
    - receiving a request that requests data based on a position of the data within said information hierarchy and that requires a particular type of access to said first resources; and
      
      determining whether the said particular type of access to said first resources is permitted based on said second access control data.
  - 16. The computer-readable medium of claim 15, wherein:
    - the first set of database objects contain one or more tables;
      
      the steps further include;
      
      receiving a request for data that references a first table of said content structures; and
      
      determining whether said particular type of access to the first table is permitted based on said first access control data.
  - 17. The computer-readable medium of claim 14, wherein:
    - the steps further include making a modification to said first access control data; and
      
      wherein the step of maintaining includes causing said second access control data to reflect said modification.
  - 18. The computer-readable medium of claim 14, wherein:
    - the steps further include making a modification to said second access control data; and
      
      wherein the step of maintaining includes causing said first access control data to reflect said modification.
  - 19. The computer-readable medium of claim 14, wherein:
    - said first set of database objects include a table managed by a database server; and
      
      wherein said first access control data is stored in one or more columns of said table.
  - 20. The computer-readable medium of claim 19, wherein;
    - said one or more columns include a column that contains data used to identify a set of users and their access privileges for a resource from said first resources.
  - 21. The computer-readable medium of claim 14, wherein said first access control data references data managed by the database server to define user access privileges.
  - 22. The computer-readable medium of claim 21, wherein said data managed by the database server includes access control lists managed by the database server.
  - 23. The computer-readable medium of claim 14, wherein said second access control data references data managed by the database server to define user access privileges.
  - 24. The computer-readable medium of claim 14, wherein:
    - said first set of database objects include at least one table managed by a database server; and
      
      said first access control data references one or more sources external to said database system.
  - 25. The computer-readable medium of claim 24, wherein:
    - said first access control data includes identifiers that identify a set of users; and
      
      wherein information defining user access privileges of the set of users is managed by a server configured to support LDAP.
  - 26. The computer-readable medium of claim 14, wherein said content structures include one of more data files that contain non-relational data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sedlar, Eric, Idicula, Sam, Murthy, Ravi, Agarwal, Nipun, Montoya, Nicolas
Primary Examiner(s)
Mofiz, Apu
Assistant Examiner(s)
Veillard, Jacques

Application Number

US10/259,176
Time in Patent Office

1,334 Days
Field of Search

707 1- 5, 707 8- 10, 707100-1041, 707200-203, 707/204, 709/219, 709/225, 709/229
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2145   Inheriting rights or proper...

Y10S 707/99935   Query augmenting and refini...

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Y10S 707/99945   Object-oriented database st...

Mechanism for uniform access control in a database system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

188 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism for uniform access control in a database system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links