Access control for elements in a database object

US 7,865,521 B2
Filed: 12/12/2005
Issued: 01/04/2011
Est. Priority Date: 12/12/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of controlling access to elements in a database object, the method comprising:

receiving a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;

determining whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and

controlling access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database objects comprises;

confirming whether the user is in the first user group when the access restriction is imposed on the database object;

verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and

allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises;

dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and

responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, for controlling access to elements in a database object are provided. The method provide for receiving a request from a user to access the database object, determining whether an access restriction is imposed on the database object, and controlling access to the elements in the database object by the user based on the access restriction. The access restriction specifies one or more users to which the access restriction is applicable, defines a dynamic condition the one or more users must satisfy in order to access the database object, and identifies one or more of the elements in the database object accessible to the one or more users when the dynamic condition is satisfied.

Citations

30 Claims

1. A method of controlling access to elements in a database object, the method comprising:
- receiving a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
  
  determining whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
  
  controlling access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database objects comprises;
  
  confirming whether the user is in the first user group when the access restriction is imposed on the database object;
  
  verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
  
  allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises;
  
  dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
  
  responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the database object is a table or a view.
  - 3. The method of claim 1, wherein the access restriction further defines a second dynamic condition the first user group must alternatively satisfy in order to access the database object and further identifies a second element set in the database object accessible to the first user group when the second dynamic condition is satisfied.
  - 4. The method of claim 3, wherein at least one element in the first element set is also an element in the second element set.
  - 5. The method of claim 1, wherein the access restriction further defines an additional dynamic condition the first user group must satisfy in order to access the first element set.
  - 6. The method of claim 1, further comprising:
    - determining whether another access restriction is imposed on the database object, the other access restriction specifying a second user group to which the other access restriction is applicable.
  - 7. The method of claim 6, wherein the other access restriction further defines another dynamic condition the second user group must satisfy in order to access the database object and identifies another element set in the database object accessible to the second user group when the other dynamic condition is satisfied.
  - 8. The method of claim 7, wherein the other element set is a subset of the first element set.
  - 9. The method of claim 6, wherein at least one user in the first user group is also a user in the second user group.
  - 10. The method of claim 1, further comprising:
    - deciding whether an exception to the access restriction is applicable to the user requesting access to the database object; and
      
      permitting the user to access the elements in the database object when the exception to the access restriction is applicable to the user.

11. A system comprising:
- a database operable to store a database object, the database object comprising elements; and
  
  a server coupled to the database, the server comprising a processor and a memory, the server being operable to;
  
  receive a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
  
  determine whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
  
  control access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database object comprises;
  
  confirming whether the user is in the first user group when the access restriction is imposed on the database object;
  
  verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
  
  allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises;
  
  dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
  
  responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the database object is a table or a view.
  - 13. The system of claim 11, wherein the access restriction further defines a second dynamic condition the first user group must alternatively satisfy in order to access the database object and further identifies a second element set in the database object accessible to the first user group when the second dynamic condition is satisfied.
  - 14. The system of claim 13, wherein at least one element in the first element set is also an element in the second element set.
  - 15. The system of claim 11, wherein the access restriction further defines an additional dynamic condition the first user group must satisfy in order to access the first element set.
  - 16. The system of claim 11, wherein the server is further operable to:
    - determine whether another access restriction is imposed on the database object, the other access restriction specifying a second user group to which the other access restriction is applicable.
  - 17. The system of claim 16, wherein the other access restriction further defines another dynamic condition the second user group must satisfy in order to access the database object and identifies another element set in the database object accessible to the second user group when the other dynamic condition is satisfied.
  - 18. The system of claim 17, wherein the other element set is a subset of the first element set.
  - 19. The system of claim 16, wherein at least one user in the first user group is also a user in the second user group.
  - 20. The system of claim 11, wherein the server is further operable to:
    - decide whether an exception to the access restriction is applicable to the user requesting access to the database object; and
      
      permit the user to access the elements in the database object when the exception to the access restriction is applicable to the user.

21. A computer program product comprising a computer-readable storage medium, the computer-readable storage medium including a computer-readable program for controlling access to elements in a database object, wherein the computer-readable program when executed on a computer causes the computer to:
- receive a request from a user to access the database object, wherein the request includes a query to retrieve information from the database object;
  
  determine whether an access restriction is imposed on the database object, the access restriction specifying a first user group to which the access restriction is applicable, defining a first dynamic condition the first user group must satisfy in order to access the database object, and identifying a first element set in the database object accessible to the first user group when the first dynamic condition is satisfied, wherein the first element set includes at least one, and less than all, table columns of the database object to restrict access to one or more table columns, wherein the first dynamic condition indicates access information including one or more of a session context and session purpose for the user to access the database object, and wherein two or more of said session contexts and purposes for the user to access the database object enable access to be restricted to at least one different table column of said database object; and
  
  control access to the elements in the database object by the user based on the access restriction, wherein controlling access to the elements in the database object comprises;
  
  confirming whether the user is in the first user group when the access restriction is imposed on the database object;
  
  verifying whether the user satisfies the first dynamic condition when the user is in the first user group by ascertaining session information for the user from one or more session variables associated with the user, wherein the session information includes one or more of the session context and session purpose for access of the database object, and comparing the session information for the user against the access information indicated by the first dynamic condition to determine satisfaction of that condition; and
  
  allowing the user to access the first element set when the user satisfies the first dynamic condition, wherein allowing the user to access the first element set comprises;
  
  dynamically generating a dynamic pseudo-view of the database object comprising only the first element set in response to said verification of the user satisfying the first dynamic condition; and
  
  responding to the request from the user by applying the received query to the dynamic pseudo-view of the database object to retrieve the information.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer program product of claim 21, wherein the database object is a table or a view.
  - 23. The computer program product of claim 21, wherein the access restriction further defines a second dynamic condition the first user group must alternatively satisfy in order to access the database object and further identifies a second element set in the database object accessible to the first user group when the second dynamic condition is satisfied.
  - 24. The computer program product of claim 23, wherein at least one element in the first element set is also an element in the second element set.
  - 25. The computer program product of claim 21, wherein the access restriction further defines an additional dynamic condition the first user group must satisfy in order to access the first element set.
  - 26. The computer program product of claim 21, wherein the computer-readable program when executed on the computer further causes the computer to:
    - determine whether another access restriction is imposed on the database object, the other access restriction specifying a second user group to which the other access restriction is applicable.
  - 27. The computer program product of claim 26, wherein the other access restriction further defines another dynamic condition the second user group must satisfy in order to access the database object and identifies another element set in the database object accessible to the second user group when the other dynamic condition is satisfied.
  - 28. The computer program product of claim 27, wherein the other element set is a subset of the first element set.
  - 29. The computer program product of claim 26, wherein at least one user in the first user group is also a user in the second user group.
  - 30. The computer program product of claim 21, wherein the computer-readable program when executed on the computer further causes the computer to:
    - decide whether an exception to the access restriction is applicable to the user requesting access to the database object; and
      
      permit the user to access the elements in the database object when the exception to the access restriction is applicable to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bird, Paul Miller, Rjaibi, Walid
Primary Examiner(s)
Breene; John E
Assistant Examiner(s)
Jami; Hares

Application Number

US11/299,857
Publication Number

US 20070136291A1
Time in Patent Office

1,849 Days
Field of Search

707 1- 10, 707/781, 707/783, 707/999.1, 707/999.9
US Class Current

707/781
CPC Class Codes

G06F 21/6227 where protection concerns t...

Access control for elements in a database object

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Access control for elements in a database object

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links