System and method for RDBMS to protect records in accordance with non-RDBMS access control rules
First Claim
1. A data system including an information management system (IMS) programmed to undertake method acts for controlling access to a database management system (DBMS) in communication with the IMS for responding to user queries, the method acts undertaken by the data system including:
prior to a query time, receiving a precomputed Access Authorization table (AAT) generated by at least one algorithm; and
at a subsequent query time, in response to a query and using the AAT, populating a view for presentation thereof to the user;
wherein the user communicates with the IMS over a first data path, the user also communicating directly with the DBMS over a second data path at least to receive query results directly from the DBMS without the results going through the IMS, wherein the query is executed by joining the Access Authorization table and the information table.
Abstract
A system and method are provided for an information management system (IMS) having an underlying relational database management system (RDBMS) that allows applications to access the RDBMS directly for improved performance without going through the IMS, while maintaining access control. An access control list (ACL) is generated, with tables in the RDBMS being bound using codes in the ACL. At run time or, more preferably, pre-run time, user-defined functions (UDF) evaluate access control attributes and generate an access authorization table, which is joined with the appropriate information table(s) in response to a query against a view on the table. The view is presented to the querying user. Thus, access control rules are encapsulated in the view that is presented to the user.
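To illustrate the arrangement the abstract describes, here is an added example (not code from the patent or its assignee) in Python using SQLite: high-level role rules are flattened into an access authorization table before query time, and a view joining that table with the information table is the only thing the application queries. SQLite has no session identity, so the user id is a bound parameter; in a production RDBMS the view would filter on the server-authenticated user (e.g. CURRENT_USER) so that an application on the direct path cannot choose whose rows it sees. Table, role and code names are constructed for the example.

```python
import sqlite3

# Constructed sample data, not from the patent: an information table of
# records tagged with a sensitivity code, and high-level rules expressed as
# user -> roles and role -> codes.
RECORDS = [(1, "Q3 forecast", "FIN"), (2, "Payroll run", "HR"),
           (3, "Roadmap", "ENG"), (4, "Board minutes", "EXEC")]
USER_ROLES = {"alice": {"analyst", "engineer"}, "bob": {"hr"}}
ROLE_CODES = {"analyst": {"FIN"}, "engineer": {"ENG"}, "hr": {"HR"},
              "exec": {"EXEC", "FIN", "HR", "ENG"}}


def build_db() -> sqlite3.Connection:
    """Create the information table, the AAT and the view that joins them."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT,
                              code TEXT NOT NULL);
        CREATE TABLE access_auth (user_id TEXT NOT NULL, code TEXT NOT NULL,
                                  PRIMARY KEY (user_id, code));
        -- The view is the only object the application queries; the rule
        -- "a user sees a row only if the AAT grants its code" lives inside it.
        CREATE VIEW authorized_records AS
            SELECT a.user_id, r.id, r.title, r.code
            FROM records r JOIN access_auth a ON a.code = r.code;
    """)
    con.executemany("INSERT INTO records VALUES (?, ?, ?)", RECORDS)
    return con


def recompute_aat(con, user_roles, role_codes) -> int:
    """Pre-query step: flatten role rules into (user, code) rows of the AAT.
    Re-run whenever a rule changes; queries never evaluate rules themselves."""
    pairs = {(u, c) for u, roles in user_roles.items()
             for r in roles for c in role_codes.get(r, ())}
    with con:  # one transaction: old grants vanish and new ones appear together
        con.execute("DELETE FROM access_auth")
        con.executemany("INSERT INTO access_auth VALUES (?, ?)", sorted(pairs))
    return len(pairs)


def visible_titles(con, user_id) -> list:
    """Query time: the app filters the view by identity; no rule logic here."""
    rows = con.execute(
        "SELECT title FROM authorized_records WHERE user_id = ? ORDER BY id",
        (user_id,)).fetchall()
    return [title for (title,) in rows]


if __name__ == "__main__":
    db = build_db()
    recompute_aat(db, USER_ROLES, ROLE_CODES)
    for user in ("alice", "bob", "carol"):
        print(user, visible_titles(db, user))
```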
17 Claims
8. A method for enforcing at least one access control rule in a data system including at least one application accessing at least one information management system (IMS) associated with a database management system (DBMS), the application accessing the DBMS using at least one direct communication path bypassing the IMS, the method comprising:
prior to a query time, receiving at least one access control rule;
reflecting the access control rule in an access control table (AAT) in response to receiving or changing the access control rule, prior to the query time;
then receiving a query for data; and
populating a view in response to the query using the AAT, such that the view encapsulates the access control rule, wherein the AAT is generated by at least one algorithm resident in and executed by an application generating the query.
13. A method for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, comprising:
providing at least one precomputed Access Authorization table (AAT), the AAT containing data representing high level access control rules, the AAT being computed prior to a query time;
providing at least one information table in the RDBMS; and
in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules.