System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

US 7,216,126 B2
Filed: 04/04/2003
Issued: 05/08/2007
Est. Priority Date: 06/21/2000
Status: Expired due to Term

First Claim

Patent Images

1. A data system including an information management system (IMS) programmed to undertake method acts for controlling access to a database management system (DBMS) in communication with the IMS for responding to user queries, the method acts undertaken by the data system including:

prior to a query time, receiving a precomputed Access Authorization table (AAT) generated by at least one algorithm; and

at a subsequent query time, in response to a query and using the AAT, populating a view for presentation thereof to the user;

whereinthe user communicates with the IMS over a first data path, the user also communicating directly with the DBMS over a second data path at least to receive query results directly from the DBMS without the results going through the IMS, wherein the query is executed by joining the Access Authorization table and the information table.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for an information management system (IMS) having an underlying relational database management system (RDBMS) that allows applications to access the RDBMS directly for improved performance without going through the IMS, while maintaining access control. An access control list (ACL) is generated, with tables in the RDBMS being bound using codes in the ACL. At run time or, more preferably, pre-run time, user-defined functions (UDF) evaluate access control attributes and generate an access authorization table, which is joined with the appropriate information table(s) in response to a query against a view on the table. The view is presented to the querying user. Thus, access control rules are encapsulated in the view that is presented to the user.

Citations

17 Claims

1. A data system including an information management system (IMS) programmed to undertake method acts for controlling access to a database management system (DBMS) in communication with the IMS for responding to user queries, the method acts undertaken by the data system including:
- prior to a query time, receiving a precomputed Access Authorization table (AAT) generated by at least one algorithm; and
  
  at a subsequent query time, in response to a query and using the AAT, populating a view for presentation thereof to the user;
  
  whereinthe user communicates with the IMS over a first data path, the user also communicating directly with the DBMS over a second data path at least to receive query results directly from the DBMS without the results going through the IMS, wherein the query is executed by joining the Access Authorization table and the information table.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 wherein the algorithm is a UDF (user defined function) associated with a DBMS.
  - 3. The system of claim 1 wherein the algorithm is resident in and executed by an application generating the query.
  - 4. The system of claim 1 wherein the AAT is generated by joining at least two of:
    - a user table, a user group table, an operation table.
  - 5. The system of claim 1 wherein at least one element in the AAT is modified at a change time prior to query time, the change time being established by at least one of:
    - a definition of a new access control element, a change to an access control element, a deletion of an access control element.
  - 6. The system of claim 1 wherein the query is received from an application.
  - 7. The system of claim 1 wherein the method acts further comprise:
    - defining at least one view on at least one table in the DBMS;
      
      executing a query against the view using at least the AAT; and
      
      returning the results of the query against the view.

8. A method for enforcing at least one access control rule in a data system including at least one application accessing at least one information management system (IMS) associated with a database management system (DBMS), the application accessing the DBMS using at least one direct communication path bypassing the IMS, the method comprising:
- prior to a query time, receiving at least one access control rule;
  
  reflecting the access control rule in an access control table (AAT) in response to receiving or changing the access control rule, prior to the query time;
  
  thenreceiving a query for data; and
  
  populating a view in response to the query using the AAT, such that the view encapsulates the access control rule, wherein the AAT is generated by at least one algorithm resident in and executed by an application generating the query.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, further comprising presenting the view to a user via the direct communication path between a DBMS and the user.
  - 10. The method of claim 8, wherein the AAT is generated by at least one UDF (user defined function) associated with a DBMS.
  - 11. The method of claim 8, wherein the AAT is generated by joining at least two of:
    - a user table, a user group table, an operation table.
  - 12. The method of claim 8, wherein at least one element in the AAT is modified at a change time prior to query time, the change time being established by at least one of:
    - a definition of a new access control element, a change to an access control element, a deletion of an access control element.

13. A method for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, comprising:
- providing at least one precomputed Access Authorization table (AAT), the AAT containing data representing high level access control rules, the AAT being computed prior to a query time;
  
  providing at least one information table in the RDBMS; and
  
  in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the AAT is generated by at least one UDF (user defined function) associated with the RDBMS.
  - 15. The method of claim 13, wherein the AAT is generated by at least one algorithm resident in and executed by the application generating the query.
  - 16. The method of claim 13, wherein the AAT is generated by joining at least two of:
    - a user table, a user group table, an operation table.
  - 17. The method of claim 13, wherein at least one clement in the AAT is modified at a change dine prior to query time, the change time being established by at least one of:
    - a definition of a new access control element, a change to an access control element, a deletion of an access control element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Choy, David Mun-Hien
Primary Examiner(s)
Gaffin; Jeffrey
Assistant Examiner(s)
NGUYEN, CAM LINH T

Application Number

US10/407,387
Publication Number

US 20030191768A1
Time in Patent Office

1,495 Days
Field of Search

707/9, 707/10, 707/103, 709/229
US Class Current

707/785
CPC Class Codes

G06F 16/284   Relational databases

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/954   Relational

Y10S 707/99939   Privileged access

System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for RDBMS to protect records in accordance with non-RDBMS access control rules

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links