Computer relational database method and system having role based access control

US 9,852,206 B2
Filed: 05/08/2015
Issued: 12/26/2017
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to secured data, the method comprising:

employing a repository, wherein the repository is operatively coupled to one or more databases storing secure data, wherein the employing a repository comprises;

intercepting a user query of one database of the one or more databases;

automatically determining from the user query, a user who generated the user query and a user role assigned to the user;

parsing the user query and identifying objects in the one database that are to be accessed as part of the user query;

looking up security information of identified objects in a metamodel stored in the one or more databases and determining which of the identified objects to filter out of the user query, wherein the security information qualifies which data objects are accessible by certain roles;

based on the user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to generate a modified user query to filter out secure data for which the user does not have access rights; and

applying the modified user query to the one database of the one or more databases;

using the repository to secure the security information in a database model; and

enabling the security information to be dynamically adjustable at runtime.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a method of controlling access to secured data, a repository operatively coupled to one or more databases storing secure data is employed to intercept a user query of one database of the one or more databases. A user who generated the user query and a user role assigned to the user is automatically determined from the intercepted query. The intercepted query is parsed. Security information of the identified objects is looked up in a metamodel stored in the one or more databases. Based on the determined user role and the identified objects to be filtered out of the user query, an expression tree to filter out secure data is automatically built and the user query is modified by appending the expression tree to the user query. The modified query is applied to the one database.

Citations

20 Claims

1. A method of controlling access to secured data, the method comprising:
- employing a repository, wherein the repository is operatively coupled to one or more databases storing secure data, wherein the employing a repository comprises;
  
  intercepting a user query of one database of the one or more databases;
  
  automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
  
  parsing the user query and identifying objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of identified objects in a metamodel stored in the one or more databases and determining which of the identified objects to filter out of the user query, wherein the security information qualifies which data objects are accessible by certain roles;
  
  based on the user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to generate a modified user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified user query to the one database of the one or more databases;
  
  using the repository to secure the security information in a database model; and
  
  enabling the security information to be dynamically adjustable at runtime.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the user query comprises an indication of the user, the method further comprising:
    - using the repository to look up the security information of the identified objects in a metamodel of the one or more databases.
  - 3. The method of claim 2 further comprising:
    - using the repository to resolve any group memberships.
  - 4. The method of claim 1 wherein the automatically determining from the user query, a user who generated the user query and a user role assigned to the user comprises:
    - decoupling objects and row level security from the one database.
  - 5. The method of claim 1 wherein the modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights comprises:
    - decoupling objects and row level security from the one database.
  - 6. The method of claim 1 further comprising:
    - processing the modified user query on the one database and returning results of the modified user query to the user.
  - 7. The method of claim 1 wherein the one database is a relational database.
  - 8. The method of claim 7 wherein the modifying the user query by appending the expression tree to the user query to generate the modified user query to filter out secure data for which the user does not have access rights comprises:
    - inserting an SQL Where clause to filter out certain secure data/objects in the one database that are part of the user query.
  - 9. The method as claimed in claim 1 wherein the one or more databases are unrelated to each other and non-centrally managed.

10. A method of controlling access to secured data, the method comprising:
- intercepting a user query of one database of one or more databases;
  
  automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
  
  parsing the user query and identifying objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of identified objects in a metamodel stored in the one or more databases and determining which of the identified objects to filter out of the user query, wherein the security information qualifies which data objects are accessible by certain roles;
  
  based on the user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to generate a modified user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified user query to the one database.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 further comprising:
    - securing the security information in a database model.
  - 12. The method of claim 10 further comprising:
    - enabling the security information to be dynamically adjustable at runtime.
  - 13. The method of claim 10 wherein the user query comprises an indication of the user, the method further comprising:
    - looking up the security information of the identified objects in a metamodel of the one or more databases.
  - 14. The method of claim 13, further comprising:
    - resolving any group memberships.
  - 15. The method of claim 10 wherein the automatically determining from the user query, a user who generated the user query and a user role assigned to the user comprises:
    - decoupling objects and row level security from the one database.
  - 16. The method of claim 10 wherein the modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights comprises:
    - decoupling objects and row level security from the one database.
  - 17. The method of claim 10 further comprising:
    - processing the modified user query on the one database and returning results of the modified user query to the user.
  - 18. The method of claim 10 wherein the modifying the user query by appending the expression tree to the user query to generate the modified user query to filter out secure data for which the user does not have access rights comprises:
    - inserting an SQL Where clause to filter out certain secure data/objects in the one database that are part of the user query.

19. A non-transitory computer readable storage medium having a computer readable program embodied therein that when executed by a processor causes a computing system to perform a method of controlling access to secured data, the method comprising:
- intercepting a user query of one database of one or more databases;
  
  automatically determining from the user query, a user who generated the user query and a user role assigned to the user;
  
  parsing the user query and identifying objects in the one database that are to be accessed as part of the user query;
  
  looking up security information of identified objects in a metamodel stored in the one or more databases and determining which of the identified objects to filter out of the user query, wherein the security information qualifies which data objects are accessible by certain roles;
  
  based on the user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to generate a modified user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified user query to the one database.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable storage medium of claim 19, wherein the method further comprises:
    - securing the security information in a database model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Muller, Leslie, Wasser, Michael Morris, Maestro, Alberto Arias
Primary Examiner(s)
Pham, Hung Q

Application Number

US14/707,949
Publication Number

US 20150317486A1
Time in Patent Office

963 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/212   with details for data model...

G06F 16/24549   Run-time optimisation

G06F 16/24565   Triggers; Constraints

G06F 16/2471   Distributed queries

G06F 16/27   Replication, distribution o...

G06F 16/283   Multi-dimensional databases...

G06F 16/284   Relational databases

G06F 16/9535   Search customisation based ...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Computer relational database method and system having role based access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer relational database method and system having role based access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links