Access control for elements in a database object
First Claim
1. A method of controlling access to elements in a database object, the method comprising:
- receiving a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
- determining whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
- controlling access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database objects comprises:
  - confirming whether the user is in the first user group when the access restriction is imposed on the database object;
  - verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
  - allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises:
    - dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
    - responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.
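An added sketch of the flow in claim 1, in Python with SQLite; it is not code from the patent. The policy table, group membership, `patients` schema and function names are constructed assumptions. The pseudo-view is a CTE that shadows the table name, and an SQLite authorizer limits schema-qualified reads of the base table to the same columns.

```python
import sqlite3

# Constructed policy: (user group, session context, session purpose) -> visible columns.
RESTRICTIONS = {"patients": [
    ("nurses", "ward", "treatment", ("id", "name", "diagnosis")),
    ("nurses", "ward", "billing", ("id", "name", "insurer")),
]}
GROUPS = {"alice": {"nurses"}, "bob": {"clerks"}}  # constructed group membership

def element_set(table, user, session):
    """Columns of a restricted table this user may read in this session (may be empty)."""
    for group, context, purpose, columns in RESTRICTIONS[table]:
        if (group in GROUPS.get(user, ())
                and session.get("context") == context
                and session.get("purpose") == purpose):
            return columns
    return ()  # not in the group, or dynamic condition not satisfied

def run_query(conn, user, session, query):
    """Apply one received SELECT to pseudo-views holding only the permitted columns."""
    visible = {t: element_set(t, user, session) for t in RESTRICTIONS}

    def authorizer(action, arg1, arg2, dbname, source):
        # Backstop for schema-qualified references such as main.patients, which
        # bypass the CTE: base-table reads are limited to the same column set.
        if action == sqlite3.SQLITE_READ:
            cols = visible.get(arg1)  # None: unrestricted table; "" is a count(*)-style read
            ok = cols is None or (bool(cols) and arg2 in (*cols, ""))
            return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # writes, ATTACH, PRAGMA, ...

    # Identifiers below come from the policy, never from the request.
    ctes = [f'"{t}" AS (SELECT {", ".join(c)} FROM main."{t}")'
            for t, c in visible.items() if c]
    sql = ("WITH " + ", ".join(ctes) + " " if ctes else "") + query
    conn.set_authorizer(authorizer)
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.set_authorizer(lambda *args: sqlite3.SQLITE_OK)

def demo_db():  # constructed sample table with one row
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id, name, diagnosis, insurer, ssn)")
    conn.execute("INSERT INTO patients VALUES (1, 'Pat Doe', 'flu', 'Acme', '000-00-0000')")
    conn.commit()
    return conn
```

The same user sees different columns for the `treatment` and `billing` purposes. A received query that already begins with its own `WITH` clause fails to parse here and is therefore refused.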
Abstract
A method for controlling access to elements in a database object is provided. The method provides for receiving a request from a user to access the database object, determining whether an access restriction is imposed on the database object, and controlling access to the elements in the database object by the user based on the access restriction. The access restriction specifies one or more users to which the access restriction is applicable, defines a dynamic condition the one or more users must satisfy in order to access the database object, and identifies one or more of the elements in the database object accessible to the one or more users when the dynamic condition is satisfied.
30 Claims
11. A system comprising:
- a database operable to store a database object, the database object comprising elements; and
- a server coupled to the database, the server comprising a processor and a memory, the server being operable to:
  - receive a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
  - determine whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
  - control access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database object comprises:
    - confirming whether the user is in the first user group when the access restriction is imposed on the database object;
    - verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
    - allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises:
      - dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
      - responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.
21. A computer program product comprising a computer-readable storage medium, the computer-readable storage medium including a computer-readable program for controlling access to elements in a database object, wherein the computer-readable program when executed on a computer causes the computer to:
- receive a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
- determine whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
- control access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database object comprises:
  - confirming whether the user is in the first user group when the access restriction is imposed on the database object;
  - verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
  - allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises:
    - dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
    - responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.