Method and mechanism for implementing synonym-based access control

US 7,185,357 B1
Filed: 05/10/2002
Issued: 02/27/2007
Est. Priority Date: 05/10/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for implementing access control to data in a computing system, comprising:

receiving a data query;

associating the data query with a named object, the named object associated with one or more security policies, each of the one or more security policies specifying data access parameters;

applying the one or more security policies associated with said named object to the data query by modifying the data query to include one or more new predicates; and

restricting access to data for the data query based upon the one or more security policies.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing access control in a computer system is disclosed. Synonyms associated with shareable security policies and policy functions are employed to encapsulate data from underlying data sources. By controlling access and contents of synonyms and their underlying security policies, fine-grained access control can be implemented for system data sources.

8 Citations

View as Search Results

34 Claims

1. A computer-implemented method for implementing access control to data in a computing system, comprising:
- receiving a data query;
  
  associating the data query with a named object, the named object associated with one or more security policies, each of the one or more security policies specifying data access parameters;
  
  applying the one or more security policies associated with said named object to the data query by modifying the data query to include one or more new predicates; and
  
  restricting access to data for the data query based upon the one or more security policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, in which the one or more new predicates comprise a WHERE clause that implements a data filtering intent for selected ones of the one or more security policies associated with said named object.
  - 3. The method of claim 1 in which one or more policy functions perform the act of applying only the one or more security policies associated with said named object to the data query.
  - 4. The method of claim 1, in which the act of restricting access prevents execution of the data query.
  - 5. The method of claim 1, in which the one or more security policies comprise VPD security policies.
  - 6. The method of claim 1, in which a least one of the one or more security policies is a shareable security policy by a plurality of objects.
  - 7. The method of claim 1, in which the named object comprises a synonym.
  - 8. The method of claim 7, in which the synonym is either a public synonym or a private synonym.

9. A system for implementing access control to data in a computing system, comprising:
- one or more security policies specifying data access parameters;
  
  a named object associated with the one or more security policies; and
  
  one or more corresponding policy functions to implement the one or more security policies associated with said named object against a data query by modifying the data query to include one or more new predicates, the data query being associated with the named object.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, in which the named object comprises a synonym.
  - 11. The system of claim 10, in which the synonym is either a public synonym or a private synonym.
  - 12. The system of claim 9, in which the one or more new predicates comprise a WHERE clause that implements a data filtering intent for selected ones of the one or more security policies associated with said named object.
  - 13. The system of claim 9, in which the one or more policy functions implements the one or more security policies by preventing execution of the data query.
  - 14. The system of claim 9, in which a least one of the one or more security policies is a shareable security policy.

15. A computer-implemented method of creating a synonym for synonym-based access control, comprising:
- identifying whether one or more suitable security policies that match the data filtering intent of intended access control exist;
  
  creating the one or more suitable security policies if said one or more suitable security policies do not already exist;
  
  creating a synonym as a named data object to implement the data filtering intent of the intended access control; and
  
  associating the one or more suitable security policies with the synonym.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, in which the synonym is a uniquely named object.
  - 17. The method of claim 15, further comprising the act of determining access rights to the synonym.
  - 18. The method of claim 15, further comprising the act of making the synonym available to be accessed by users.

19. A computer program product comprising a computer usable storage medium having executable code to execute a method for implementing access control to data in a computing system, the method comprising the steps of:
- receiving a data query;
  
  associating the data query with a named object, the named object associated with one or more security policies, each of the one or more security policies specifying data access parameters;
  
  applying the one or more security policies associated with said named object to the data query by modifying the data query to include one or more new predicates; and
  
  restricting access to data for the data query based upon the one or more security policies.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The computer program product of claim 19, in which the one or more new predicates comprise a WHERE clause that implements a data filtering intent for selected ones of the one or more security policies associated with said named object.
  - 21. The computer program product of claim 19, in which one or more policy functions perform an act of applying the one or more security policies associated with said named object to the data query.
  - 22. The computer program product of claim 19, in which the act of restricting access prevents execution of the data query.
  - 23. The computer program product of claim 19, in which the one or more security policies comprise VPD security policies.
  - 24. The computer program product of claim 19, in which a least one of the one or more security policies is a shareable security policy by many objects.
  - 25. The computer program product of claim 19, in which the named object comprises a synonym.
  - 26. The computer program product of claim 25, in which the synonym is either a public synonym or a private synonym.

27. A system of creating a synonym for synonym-based access control, comprising:
- means for identifying whether one or more suitable security policies that match the data filtering intent of intended access control exist;
  
  means for creating the one or more suitable security policies if said one or more suitable security policies do not already exist;
  
  means for creating a synonym as a named data object to implement the data filtering intent of the intended access control; and
  
  means for associating the one or more suitable security policies with the synonym.
- View Dependent Claims (28, 29, 30)
- - 28. The system of claim 27, in which the synonym is a uniquely named object.
  - 29. The system of claim 27, further comprising means for determining access rights to the synonym.
  - 30. The system of claim 27 further comprising means for making the synonym available to be accessed by users.

31. A computer program product comprising a computer usable storage medium having executable code to execute a method for creating a synonym for synonym-based access control, comprising the steps of:
- identifying whether one or more suitable security policies that match the data filtering intent of intended access control exist;
  
  creating the one or more suitable security policies if said one or more suitable security policies do not already exist;
  
  creating a synonym as a named data object to implement the data filtering intent of the intended access control; and
  
  associating the one or more suitable security policies with the synonym.
- View Dependent Claims (32, 33, 34)
- - 32. The computer program product of claim 31, in which the synonym is a uniquely named object.
  - 33. The computer program product of claim 31, further comprising the step of determining access rights to the synonym.
  - 34. The computer program product of claim 31, further comprising the step of making the synonym available to be accessed by users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Lei, Chon Hei, Alomari, Ahmed, Wong, Daniel Man-Hung
Primary Examiner(s)
Song; Hosuk

Application Number

US10/144,668
Time in Patent Office

1,754 Days
Field of Search

726 1- 6, 726 27- 30, 707/1, 707/3, 707/9, 707/100
US Class Current

726/1
CPC Class Codes

G06F 21/6227 where protection concerns t...

Method and mechanism for implementing synonym-based access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Method and mechanism for implementing synonym-based access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others