Method for implementing fine-grained access control using access restrictions

US 7,958,150 B2
Filed: 04/30/2004
Issued: 06/07/2011
Est. Priority Date: 04/30/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A data processing system-implemented method to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system-implemented method comprising:

receiving a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of a table or a view;

parsing the user request;

identifying row and column access restrictions defined for the one or more relational objects;

determining whether the identified row and column access restrictions are applicable to the user request;

accessing a catalog which defines access restrictions for restricting user access to the relational objects of the database;

determining, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; and

providing access to the one or more relational objects based on the determined enforceable row and column access restrictionswherein when the determined applicable row and column access restrictions are to be enforced for the request,constructing a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects,replacing the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and

compiling the modified user request,wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and

wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a data processing system-implemented method, a data processing system and an article of manufacture for controlling access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects The data processing system-implemented method includes receiving a user request to access one or more relational objects of the database, identifying any access restrictions defined for the one or more relational objects, determining whether any identified access restrictions are applicable to the user request, determining whether any determined applicable access restrictions are to be enforced for the user request, and allowing access to the one or more relational objects based on the determined enforceable access restrictions.

Citations

24 Claims

1. A data processing system-implemented method to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system-implemented method comprising:
- receiving a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of a table or a view;
  
  parsing the user request;
  
  identifying row and column access restrictions defined for the one or more relational objects;
  
  determining whether the identified row and column access restrictions are applicable to the user request;
  
  accessing a catalog which defines access restrictions for restricting user access to the relational objects of the database;
  
  determining, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; and
  
  providing access to the one or more relational objects based on the determined enforceable row and column access restrictionswherein when the determined applicable row and column access restrictions are to be enforced for the request,constructing a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects,replacing the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and
  
  compiling the modified user request,wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and
  
  wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21, 22, 23, 24)
- - 2. The data processing system-implemented method as claimed in claim 1, the data processing system-implemented method further comprising:
    - storing access restrictions to restrict access to the database, wherein each access restriction identifies;
      
      a row or column in a relational object to which the access restriction applies, a type of access which is restricted, and information concerning one or more entities to which the access restriction applies.
  - 3. The data processing system-implemented method as claimed in claim 1, wherein the determining whether any determined applicable access restrictions are to be enforced for the request includes determining whether an exception to an applicable access restriction has been defined for an entity attempting the access.
  - 4. The data processing system-implemented method as claimed in claim 3, wherein the request identifies a type of access being attempted and is associated with information about the entity attempting the access.
  - 5. The data processing system-implemented method as claimed in claim 4, wherein the determining whether any identified access restrictions are applicable to the request includes comparing the identified access restrictions with information about the request concerning the type of access being attempted and the entity attempting the access.
  - 6. The data processing system-implemented method as claimed in claim 5, wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about the entity to which the exception applies.
  - 7. The data processing system-implemented method as claimed in claim 6, wherein the information about the entity attempting the access is an identifier of a user or a group identifier associated with the user.
  - 8. The data processing system-implemented method as claimed in claim 6, further comprising, after the determining whether any determined applicable access restrictions are to be enforced for the request:
    - when an access restriction to be enforced is a column restriction for restricting access to a column in a relational object, adding the access restriction to a column list;
      
      when an access restriction to be enforced is a row restriction for restricting access to a row in a relational object, adding the access restriction to a predicate list; and
      
      constructing the definition for the pseudo-view representation based on the column list and predicate list for providing access to one or more relational objects based on the determined enforceable access restrictions.
  - 9. The data processing system-implemented method as claimed in claim 8, wherein the access restrictions and exceptions thereto are data entities defined in a database catalog associated with the database.
  - 21. The data processing system-implemented method as claimed in claim 1, wherein the pseudo view is dynamically constructed in response to receiving the request.
  - 22. The data processing system-implemented method as claimed in claim 1, wherein the definition for the pseudo-view representation is applied to the request, during execution of the request.
  - 23. The data processing system-implemented method as claimed in claim 1, wherein an internal representation of the definition for the pseudo-view is injected into the request immediately before the one or more relational objects to which the determined enforceable access restrictions apply.
  - 24. The data processing system-implemented method as claimed in claim 8, wherein the definition of the pseudo-view includes an aggregate of the enforceable column restrictions for the request in the column list, with the enforceable row restrictions for the request added to the definition of the pseudo-view in a form of joined predicates based on the predicate list.

10. An article of manufacture to direct a data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the article comprising:
- a program usable medium embodying one or more executable data processing system instructions, the executable data processing system instructions comprising;
  
  executable data processing system instructions to receive a user request to access one or more relational objects of the database, wherein the request contains a reference to said one or more relational objects and contains a predicate, and the relational objects are at least one of tables or views;
  
  executable data processing system instructions to parse the user request;
  
  executable data processing system instructions to identify row and column access restrictions defined for the one or more relational objects;
  
  executable data processing system instructions to determine whether the identified row and column access restrictions are applicable to the user request;
  
  executable data processing system instructions to access a catalog which defines access restrictions for restricting user access to the relational objects of the database;
  
  executable data processing system instructions to determine, based on the accessing of the catalog, whether the determined applicable row and column access restrictions are to be enforced for the user request; and
  
  executable data processing system instructions to provide access to the one or more relational objects based on the determined enforceable row and column access restrictions,wherein when the determined applicable row and column access restrictions are to be enforced for the request,executable data processing system instructions to construct a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects,executable data processing system instructions to replace the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request;
  
  executable data processing system instructions to compile the modified user request;
  
  wherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the said one or more relational objects; and
  
  wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The article as claimed in claim 10, the computer program product further comprises:
    - executable data processing system instructions to store access restrictions for restricting access to the database, wherein each access restriction identifies a row or column in a relational object to which the access restriction applies, a type of access which is restricted, and information concerning one or more entities to which the access restriction applies.
  - 12. The article as claimed in claim 10, wherein the executable data processing system instructions to determine whether any determined applicable access restrictions are to be enforced for the request includes executable data processing system instructions to determine whether an exception to an applicable access restriction has been defined for an entity attempting the access.
  - 13. The article as claimed in claim 12, wherein the request identifies a type of access being attempted and is associated with information about the entity attempting the access.
  - 14. The article as claimed in claim 13, wherein the executable data processing system instructions to determine whether any identified access restrictions are applicable to the request comprises executable data processing system instructions for comparing the identified access restrictions with information about the request concerning the type of access being attempted and the entity attempting the access.
  - 15. The article as claimed in claim 14, wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about the entity to which the exception applies.
  - 16. The article as claimed in claim 15, further comprising:
    - executable data processing system instructions adding the access restriction to a column list responsive to an enforceable access restriction which is a column restriction for restricting access to a column in a relational object executable data processing system instructions restricting access to a row in a relational object for adding the access restriction to a predicate list responsive to an enforceable access restriction which is a row restriction; and
      
      executable data processing system instructions constructing the definition for the pseudo-view representation based on the column list and predicate list for providing access to one or more relational objects based on the determined enforceable access restrictions.

17. A data processing system to control access to data stored on a database having relational objects for which access restrictions are defined for elements of the relational objects, wherein the elements of the relational objects comprise rows and columns thereof, the data processing system comprising:
- a module to receive a request to access a relational object, wherein the request contains a reference to said relational object and contains a predicate, and the relational objects are at least one of table or views;
  
  a parser to parse the user request;
  
  a database catalog defining access restrictions to restrict access to the database, wherein each access restriction identifies a row or column in a relational object to which the access restriction applies, a type of user access which is restricted, and information concerning one or more entities to which the user access restriction applies;
  
  a restriction evaluation module including a component to identify user access restrictions defined for the one or more relational objects, a component to determine whether any identified row and column access restrictions are applicable to the request, and a component to determine, based on the accessing of the catalog, whether the determined applicable access restrictions are to be enforced for the user request; and
  
  a module to provide access to the one or more relational objects based on the determined enforceable row and column access restrictions,wherein if the determined applicable row and column access restrictions are to be enforced for the request,a module to construct a definition for a pseudo-view representation based on the determined enforceable row and column access restrictions to provide access to the one or more relational objects, wherein the pseudo-view representation includes an aggregate of applicable column restrictions for the user request and applicable row restrictions of said one or more relational objects,a module to replace the reference in the request to the one or more relational objects with the pseudo-view to modify the received user request; and
  
  a compiler to compile the modified user requestwherein the pseudo-view representation is dynamically created and is a dynamic representation of the access restrictions, wherein the pseudo-view representation is dynamically created by compiling and evaluating access restrictions defined for the relational object and wherein the modified user request is compiled after replacing the reference in the request to the one or more relational objects with the pseudo-view.
- View Dependent Claims (18, 19, 20)
- - 18. The data processing system as claimed in claim 17, wherein said component to determine whether any determined applicable access restrictions are to be enforced for the request includes a component to determine whether an exception to an applicable access restriction has been defined for an entity attempting the access.
  - 19. The data processing system as claimed in claim 18, wherein the request identifies a type of access being attempted and is associated with information about the entity attempting the access, wherein said component to determine whether any identified access restrictions are applicable to the request includes a component to compare the identified access restrictions with information about the request concerning the type of access being attempted and the entity attempting the access, and wherein an exception to an access restriction identifies a defined access restriction to which the exception applies, and information about the entity to which the exception applies.
  - 20. The data processing system as claimed in claim 19, said restriction evaluation module comprising:
    - a module responsive to an enforceable access restriction which is a column restriction to restrict access to a column in a relational object for adding the access restriction to a column list;
      
      a module responsive to an enforceable access restriction which is a row restriction to restrict access to a row in a relational object for adding the access restriction to a predicate list; and
      
      a module to construct the definition for the pseudo-view representation based on the column list and predicate list to provide access to one or more relational objects based on the determined enforceable access restrictions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Bird, Paul Miller
Primary Examiner(s)
HICKS, MICHAEL J

Application Number

US10/837,387
Publication Number

US 20050246338A1
Time in Patent Office

2,594 Days
Field of Search

None
US Class Current

707/785
CPC Class Codes

G06F 16/24534   Query rewriting; Transforma...

G06F 16/24539   using cached or materialise...

G06F 16/90335   Query processing

G06F 21/6227   where protection concerns t...

Method for implementing fine-grained access control using access restrictions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method for implementing fine-grained access control using access restrictions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links