Column masking of tables
First Claim
1. A machine-implemented method for managing access to data, the method comprising the steps of:
- detecting that a database statement is issued;
  wherein said database statement requires access to at least one column in a table;
- invoking a policy function which database metadata associates with at least one column in a table;
- receiving an expression returned by invoking said policy function;
- rewriting said database statement by creating a modified database statement that incorporates said expression;
  wherein the modified database statement specifies, based on the expression, whether to mask a value of the at least one column by returning a mask of the value instead of the value; and
- executing said modified database statement.
Abstract
Returning rows having column values masked is disclosed. In response to receiving a database command, a modified database command is created that specifies whether to mask a value by returning a mask of the value instead of the value.
In an embodiment, the condition expression is included in a policy function that is referenced by a policy. In an embodiment, the policy determines how the condition expressions are used. The condition expression may be used to determine which column values to mask. The condition expression may also be used to filter which rows are returned.
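The flow the abstract describes, as an added Python/SQLite sketch (not code from the patent or from any database product): a policy function tied to a column returns a condition expression, and the statement is rewritten so that the column value is returned only where the condition holds. Assumptions: the statement is represented as a table plus a column list rather than parsed SQL, the mask is NULL, and the names `emp`, `salary_policy`, `POLICIES` and `rewrite` are hypothetical.

```python
import sqlite3

SCHEMA = {"emp": ("name", "dept", "salary")}   # allowlist of identifiers

def make_db():
    # Constructed sample rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (name TEXT, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)",
                   [("alice", "eng", 120), ("bob", "ops", 90), ("carol", "eng", 110)])
    return db

def salary_policy(ctx):
    # Hypothetical policy function: returns a condition expression and its
    # bind values. Session data goes in as a bind, never into the SQL text.
    if ctx["role"] == "hr":
        return "1 = 1", {}
    return "dept = :ctx_dept", {"ctx_dept": ctx["dept"]}

# Stand-in for the database metadata that ties a policy function to a column.
POLICIES = {("emp", "salary"): salary_policy}

def rewrite(table, columns, ctx):
    # Create the modified statement: a protected column becomes a CASE that
    # yields the mask (NULL here) wherever the policy condition is false.
    if table not in SCHEMA or not set(columns) <= set(SCHEMA[table]):
        raise ValueError("unknown table or column")
    items, binds = [], {}
    for col in columns:
        policy = POLICIES.get((table, col))
        if policy is None:
            items.append(col)
        else:
            expr, params = policy(ctx)
            binds.update(params)
            items.append(f"CASE WHEN {expr} THEN {col} ELSE NULL END AS {col}")
    return f"SELECT {', '.join(items)} FROM {table} ORDER BY name", binds

def run(db, table, columns, ctx):
    sql, binds = rewrite(table, columns, ctx)
    return db.execute(sql, binds).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(rewrite("emp", ["name", "salary"], {"role": "staff", "dept": "eng"})[0])
    print(run(db, "emp", ["name", "salary"], {"role": "staff", "dept": "eng"}))
```

Because the returned expression becomes part of the executed statement, the policy function has to be controlled by the administrator, and anything derived from the session should reach it as a bind value, as `:ctx_dept` does here.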
18 Claims
1. A machine-implemented method for managing access to data, the method comprising the steps of:
- detecting that a database statement is issued;
  wherein said database statement requires access to at least one column in a table;
- invoking a policy function which database metadata associates with at least one column in a table;
- receiving an expression returned by invoking said policy function;
- rewriting said database statement by creating a modified database statement that incorporates said expression;
  wherein the modified database statement specifies, based on the expression, whether to mask a value of the at least one column by returning a mask of the value instead of the value; and
- executing said modified database statement.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A machine-readable storage medium carrying one or more sequences of instructions, which when executed by one or more processors, causes the one or more processors to perform a method comprising the steps of:
- detecting that a database statement is issued;
  wherein said database statement requires access to at least one column in a table;
- invoking a policy function which database metadata associates with at least one column in a table;
- receiving an expression returned by invoking said policy function;
- rewriting said database statement by creating a modified database statement that incorporates said expression;
  wherein the modified database statement specifies, based on the expression, whether to mask a value of the at least one column by returning a mask of the value instead of the value; and
- executing said modified database statement.
(Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18)
Specification