Computer relational database method and system having role based access control

US 9,058,353 B2
Filed: 03/11/2011
Issued: 06/16/2015
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to secured data, comprising:

operatively coupling a repository to one or more databases storing secure data;

storing, in a metamodel of the one or more databases, security information that qualifies which data objects are accessible by certain roles;

employing the repository;

intercepting a user query of one database of the one or more databases;

automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user;

parsing the intercepted query and identifying objects in the one database that are to be accessed as part of the user query;

looking up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query;

based on the determined user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and

applying the modified query to the one database;

using the repository to secure the security information in a database model; and

enabling the security information to be dynamically adjustable at runtime.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on user role, the security runtime subsystem automatically modifies the user query to filter out secure data for which the identified user is unauthorized to access but are part of the user query.

42 Citations

View as Search Results

16 Claims

1. A method of controlling access to secured data, comprising:
- operatively coupling a repository to one or more databases storing secure data;
  
  storing, in a metamodel of the one or more databases, security information that qualifies which data objects are accessible by certain roles;
  
  employing the repository;
  
  intercepting a user query of one database of the one or more databases;
  
  automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user;
  
  parsing the intercepted query and identifying objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query;
  
  based on the determined user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified query to the one database;
  
  using the repository to secure the security information in a database model; and
  
  enabling the security information to be dynamically adjustable at runtime.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method of claim 1 wherein the user query includes an indication of the user;
    - and the repository is further configured to look up security information of the identified objects in a metamodel of the one database, and resolve any group memberships.
  - 3. A method of claim 1 wherein the steps of automatically determining and automatically modifying include decoupling objects and row level security from the one database.
  - 4. A method of claim 1 further comprising processing the modified query on the one database and returning results of the modified query to the user.
  - 5. A method of claim 1 wherein the one database is a relational database.
  - 6. A method of claim 5 wherein the step of automatically modifying the user query includes inserting an SQL Where clause to filter out certain secure data/objects in the one database that are part of the user query.
  - 7. A method as claimed in claim 1 wherein the one or more databases are unrelated to each other and non-centrally managed.

8. A computer system of controlling access to secured data, comprising:
- a repository operatively coupled to one or more databases storing secure data, the repository configured to intercept a user query of one database of the one or more databases;
  
  a metamodel of the one database, the metamodel being configured to store security information that qualifies which data entities are accessible by certain user roles; and
  
  a security runtime subsystem of the repository configures to automatically determine from the intercepted query a user who generated the user query and a user role assigned to the user;
  
  parse the intercepted query and identifying entities in the one database that are to be accessed as part of the user query;
  
  look up security information of the identified entities in the metamodel to determine which identified entities to filter out of the user query;
  
  based on the determined user role and identified entities to be filtered out in the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to filter out secure data for which the user is ineligible to access;
  
  the repository applying the modified query to the one database and retrieving qualifying data as authorized by the user role;
  
  wherein the repository is configured to secure the security information in a database model, and to enable the security information in the database model to be dynamically adjustable at runtime.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A computer system as claimed in claim 8 wherein the user query includes an indication of the user;
    - and the repository is further configured to look up security information of the identified entities in a metamodel of the one database, and resolve any group memberships.
  - 10. A computer system as claimed in claim 8 wherein the security runtime subsystem is configured to decouple object level security and row level security from the one database.
  - 11. A computer system as claimed in claim 8 wherein the repository further returns results to the user of the modified query as applied to the one database.
  - 12. A computer system as claimed in claim 8 wherein the one database is a relational database.
  - 13. A computer system as claimed in claim 12 wherein the security runtime subsystem automatically modifying the user query includes inserting an SQLwhere clause to filter out the secure data for which the user is ineligible to access but are part of the user query.
  - 14. A computer system as claimed in claim 8 wherein the one or more databases are unrelated to each other and are non-centrally managed.

15. A non-transitory computer readable storage medium having a computer readable program embodied therein that when executed causes a computing system to perform a method of controlling access to secured data, wherein the method comprises:
- operatively coupling a repository to a plurality of databases storing secure data;
  
  storing, in a metamodel of the plurality of databases, security information that qualifies which data objects are accessible by certain roles;
  
  employing the repository;
  
  intercepting a user query of one database of the plurality of databases;
  
  automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user;
  
  parsing the intercepted query and identifying objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query;
  
  based on the determined user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified query to the one database;
  
  using the repository to secure the security information in a database model; and
  
  enabling the security information to be dynamically adjustable at runtime.
- View Dependent Claims (16)
- - 16. The non-transitory computer readable storage medium as claimed in claim 15, wherein the one database is a relational database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Muller, Leslie, Wasser, Michael Morris, Maestro, Alberto Arias
Primary Examiner(s)
Pham, Hung Q

Application Number

US13/635,300
Publication Number

US 20130138666A1
Time in Patent Office

1,558 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/212   with details for data model...

G06F 16/24549   Run-time optimisation

G06F 16/24565   Triggers; Constraints

G06F 16/2471   Distributed queries

G06F 16/27   Replication, distribution o...

G06F 16/283   Multi-dimensional databases...

G06F 16/284   Relational databases

G06F 16/9535   Search customisation based ...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Computer relational database method and system having role based access control

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Computer relational database method and system having role based access control

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others