System and method for efficiently securing enterprise data resources
Abstract
Some embodiments provide a system and method that secures access to data objects of an enterprise that includes multiple data objects and multiple user applications that access data attributes of the data objects. In some embodiments, access is provided by secure resources that (1) filter a set of the data objects using a user attribute to identify a subset of data attributes of the data objects and (2) perform a query by identifying the secure resources accessible by the user based on the particular user attribute and retrieving data attributes from the secure resources according to the query.
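The mechanism the abstract describes, as an added illustration that is not code from the patent or its assignee: a secure resource is a set of filters bound to user attributes, a role based declaration gates its use, and the submitted query is modified so it only sees the filtered partition. The table, resource, role and attribute names are constructed, and SQLite stands in for the enterprise data store.

```python
import re
import sqlite3

# Constructed policy (hypothetical names): one secure resource made of two
# filters, each parameterized by a user attribute that is bound at query time.
SECURE_RESOURCES = {
    "regional_orders": {
        "base": "orders",
        "filters": ["region = :region", "amount <= :approval_limit"],
    },
}
# Role based access control declaration: roles allowed to use each resource.
RBAC = {"regional_orders": {"sales_rep"}}


def modify_query(user, resource, query):
    """Return (sql, params) with the resource's filters applied for this user."""
    if user["role"] not in RBAC.get(resource, set()):
        raise PermissionError(f"role {user['role']!r} may not use {resource!r}")
    spec = SECURE_RESOURCES[resource]
    where = " AND ".join(f"({f})" for f in spec["filters"])
    needed = set(re.findall(r":(\w+)", where))
    missing = needed - set(user["attrs"])
    if missing:  # fail closed: an unbound filter must never widen access
        raise PermissionError(f"missing user attributes: {sorted(missing)}")
    # The submitted query names only the secure resource; the CTE resolves that
    # name to the filtered partition. Assumption: the caller has no direct
    # grant on the base table, so the resource is the only route to the rows.
    sql = f"WITH {resource} AS (SELECT * FROM {spec['base']} WHERE {where}) {query}"
    return sql, {k: user["attrs"][k] for k in needed}


def run(conn, user, resource, query):
    sql, params = modify_query(user, resource, query)
    return conn.execute(sql, params).fetchall()


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "EMEA", 500), (2, "EMEA", 9000), (3, "APAC", 300)])
    return conn


if __name__ == "__main__":
    rep = {"role": "sales_rep", "attrs": {"region": "EMEA", "approval_limit": 1000}}
    print(run(demo_db(), rep, "regional_orders",
              "SELECT id FROM regional_orders ORDER BY id"))
```

Attribute values travel as bound parameters rather than being spliced into the SQL text, so a user attribute cannot alter the filter's structure.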
16 Claims
1. A method of implementing policy based access controls within a role based access control model of a data management system comprising a plurality of data resources, said method comprising:
- receiving a policy based security definition specifying a set of policy based rules to define a logical partition of the data resources, the logical partition specifying data that is accessible within the data resources;
- according to the policy based security definition, defining a set of filters as a secure resource, each filter specifying a portion of the data resources available to a user submitting a query, the available portion of the data resources based on a set of user attributes associated with each filter, each filter being parameterized based on the set of user attributes associated with a role of the user submitting the query;
- storing the secure resource and the set of policy based rules defining the logical partition in a secure repository;
- by a computer, producing a role based security definition by configuring a role based access control declaration for the secure resource based on at least one particular user role and at least one user attribute, the secure resource for modifying a submitted query for processing, the query being modified based on the set of user attributes associated with each filter, wherein processing the submitted query comprises executing the submitted query with each filter on the data resources; and
- storing the role based access control declaration in the secure repository.

Dependent claims: 2, 3, 4, 5

6. A method comprising:
- receiving a query from a user requesting access to a plurality of data objects stored within an enterprise;
- retrieving a policy based security definition from a secure repository, the policy based security definition specifying a set of policy based rules to define a logical partition of the data objects, the logical partition specifying data that is accessible within the data objects;
- retrieving a secure resource from the secure repository, the secure resource defined by a set of filters, each filter specifying a portion of the data objects available to the user submitting the query, the logical partition of data objects based on a set of attributes associated with each filter, wherein each filter is parameterized based on the set of user attributes associated with a role of the user submitting the query;
- retrieving a role based access control declaration for the secure resource from the secure repository, the role based access control declaration based on the role of the user submitting the query and the set of user attributes associated with each filter;
- by a computer, modifying the query to restrict user access to the portion of the data objects based on the secure resource and the set of user attributes associated with each filter; and
- using the modified query to query the portion of the data objects accessible to the user based on the set of user attributes associated with each filter.

Dependent claims: 7, 8

9. A method of managing access to data objects in a data management system of an enterprise, the method comprising:
- defining a set of filters as a secure resource according to a policy based security definition specifying at least one policy based access rule for defining a logical partition of the data objects, the logical partition specifying data that is accessible within the data objects, each filter specifying a portion of the data objects available to a user submitting a query, the logical partition of the data objects based on a set of user attributes associated with each filter, each filter being parameterized based on a role associated with the user submitting the query and the set of user attributes associated with the role of the user submitting the query;
- storing the secure resource and the policy based access rules for the logical partition in a secure repository;
- configuring a role based security definition by configuring a role based access control declaration for the secure resource according to at least one particular user role and at least one user attribute;
- storing the role based access control declaration in the secure repository;
- by a computer, modifying the user submitted query based on the secure resource and the set of user attributes associated with each filter; and
- performing the modified user query over the portion of the data objects that are accessible to the user.

Dependent claims: 10, 11, 12, 13, 14

15. An apparatus comprising:
- a processor; and
- a non-volatile memory storing:
  - a first configurable module which when executed by the processor (i) produces a policy based security definition specifying a set of policy based rules to define a logical partition of a set of data resources, the logical partition specifying data that is accessible within the data resources, (ii) defines, according to the policy based security definition, a set of filters as a secure resource, each filter specifying a portion of the data resources available to a user submitting a query, the logical partition of the data resources based on a set of user attributes associated with each filter, each filter being parameterized based on the set of user attributes associated with a role of the user submitting the query, (iii) configures a role based security definition by configuring a role based access control declaration for the secure resource according to at least one particular user role and at least one user attribute, and (iv) stores the secure resource, the set of policy based rules defining the logical partition, and the role based security definition in a secure repository; and
  - a second configurable module, which when executed by the processor, modifies the query submitted against the set of data resources to include the set of user attributes associated with each filter, wherein the modified query is performed against the portion of the data resources available to the user based on the set of user attributes associated with each filter.

Dependent claims: 16

Specification