Intelligent use of user data to pre-emptively prevent execution of a query violating access controls
First Claim
Patent Images
1. A method of providing security with respect to data, comprising:
- generating at least one security list comprising an entry for each field of the data having an associated security rule;
for a given user, generating a user specific instance of the at least one security list, the generating comprising;
a) for each field of each entry in the security list, determining whether data exists for the field that is specific to the given user; and
b) if not, removing the entry from the security list;
after generating the user specific instance of the at least one security list, receiving a query issued against a database by the given user, wherein the query is configured with at least one field and an associated value for the at least one field;
accessing the security list to determine whether the security list contains an entry corresponding to the at least one field of the query; and
if the security list contains an entry corresponding to the at least one field of the query, enforcing a security rule associated with the at least one field;
whereby security rules specified for fields in queries are enforced based upon the existence of data specific to the user for the fields.
1 Assignment
0 Petitions
Accused Products
Abstract
A system, method and article of manufacture are provided for securing data. Security rules are defined for fields and/or field values. The security rules specify one or more users to which the rules apply. A query is examined for content and a determination is made as to whether security action is required based on the content (e.g., a field and/or a value of the field) and user-specific data.
32 Citations
7 Claims
-
1. A method of providing security with respect to data, comprising:
-
generating at least one security list comprising an entry for each field of the data having an associated security rule; for a given user, generating a user specific instance of the at least one security list, the generating comprising; a) for each field of each entry in the security list, determining whether data exists for the field that is specific to the given user; and b) if not, removing the entry from the security list; after generating the user specific instance of the at least one security list, receiving a query issued against a database by the given user, wherein the query is configured with at least one field and an associated value for the at least one field; accessing the security list to determine whether the security list contains an entry corresponding to the at least one field of the query; and
if the security list contains an entry corresponding to the at least one field of the query, enforcing a security rule associated with the at least one field;whereby security rules specified for fields in queries are enforced based upon the existence of data specific to the user for the fields. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A method of providing security with respect to physical data, comprising:
-
providing a data abstraction model comprising a plurality of logical field definitions each abstractly describing one or more physical field of the physical data and specifying one or more security rules; on the basis of the data abstraction model, generating at least one security list comprising an entry for each logical field definition having an associated security rule; for a given user, generating a user specific instance of the at least one security list, the generating comprising; a) for each logical field definition having an entry in the security list, determining whether a corresponding physical field exists in the physical data that is specific to the given user; and b) if not, removing the entry of the logical field definition in the security list; receiving a query issued against a database by the given user, wherein the query is configured with at least one logical field and an associated value for the at least one logical field, wherein the at least one logical field has a corresponding logical field definition in the data abstraction model; accessing the security list to determine whether the security list contains an entry corresponding to the at least one logical field of the query; and if the security list contains an entry corresponding to the at least one logical field of the query, enforcing a security rule associated with the at least one logical field; whereby security rules specified for logical fields in queries are enforced based upon the existence of data specific to the user for the logical fields.
-
Specification