Method for implementing fine-grained access control using access restrictions
First Claim
1. A data processing system-implemented method to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system-implemented method comprising:
- receiving a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of a table or a view;
parsing the user request;
identifying row and column access restrictions defined for the one or more relational objects;
determining whether the identified row and column access restrictions are applicable to the user request;
accessing a catalog which defines access restrictions for restricting user access to the relational objects of the database;
determining, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; and
providing access to the one or more relational objects based on the determined enforceable row and column access restrictionswherein when the determined applicable row and column access restrictions are to be enforced for the request,constructing a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects,replacing the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and
compiling the modified user request,wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and
wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed is a data processing system-implemented method, a data processing system and an article of manufacture for controlling access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects The data processing system-implemented method includes receiving a user request to access one or more relational objects of the database, identifying any access restrictions defined for the one or more relational objects, determining whether any identified access restrictions are applicable to the user request, determining whether any determined applicable access restrictions are to be enforced for the user request, and allowing access to the one or more relational objects based on the determined enforceable access restrictions.
-
Citations
24 Claims
-
1. A data processing system-implemented method to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system-implemented method comprising:
-
receiving a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of a table or a view; parsing the user request; identifying row and column access restrictions defined for the one or more relational objects; determining whether the identified row and column access restrictions are applicable to the user request; accessing a catalog which defines access restrictions for restricting user access to the relational objects of the database; determining, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; and providing access to the one or more relational objects based on the determined enforceable row and column access restrictions wherein when the determined applicable row and column access restrictions are to be enforced for the request, constructing a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects, replacing the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and compiling the modified user request, wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and
wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21, 22, 23, 24)
-
-
10. An article of manufacture to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the article comprising:
-
a program usable medium embodying one or more executable data processing system instructions, the executable data processing system instructions comprising; executable data processing system instructions to receive a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of tables or views; executable data processing system instructions to parse the user request; executable data processing system instructions to identify row and column access restrictions defined for the one or more relational objects; executable data processing system instructions to determine whether the identified row and column access restrictions are applicable to the user request; executable data processing system instructions to access a catalog which defines access restrictions for restricting user access to the relational objects of the database;
executable data processing system instructions to determine, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; andexecutable data processing system instructions to provide access to the one or more relational objects based on the determined enforceable row and column access restrictions, wherein when the determined applicable row and column access restrictions are to be enforced for the request, executable data processing system instructions to construct a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects, executable data processing system instructions to replace the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; executable data processing system instructions to compile the modified user request; wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and
wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. A data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system comprising:
-
a module to receive a request to access a relational object, wherein the request contains a reference to said relational object and contains a predicate, and the relational objects are at least one of table or views; a parser to parse the user request; a database catalog defining access restrictions to restrict access to the database, wherein each access restriction identifies a row or column in a relational object to which the access restriction applies, a type of user access which is restricted, and information concerning one or more entities to which the user access restriction applies; a restriction evaluation module including a component to identify user access restrictions defined for the one or more relational objects, a component to determine whether any identified row and column access restrictions are applicable to the request, and a component to determine, based on the accessing of the catalog, whether the determined applicable access restrictions are to be enforced for the user request; and a module to provide access to the one or more relational objects based on the determined enforceable row and column access restrictions, wherein if the determined applicable row and column access restrictions are to be enforced for the request, a module to construct a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects, a module to replace the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and a compiler to compile the modified user request wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the relational object and wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view. - View Dependent Claims (18, 19, 20)
-
Specification