Access control for objects having attributes defined against hierarchically organized domains containing fixed number of values
Abstract
An aspect of the present disclosure facilitates controlling access to objects having attributes defined against hierarchically organized domains, with each domain containing a corresponding fixed number of values. In one embodiment, in response to receiving data indicating specific hierarchies of the hierarchically organized domains, the corresponding fixed number of values of the corresponding domains in each hierarchy is displayed. Accordingly, a user is enabled to select a desired set of values from the corresponding fixed number of values of the corresponding domains, and to specify a security rule for a combination of the selected set of values and a user entity. The security rule is thereafter enforced when objects having attributes matching the selected set of values are accessed by the user entity.
20 Claims
1. A method of controlling access to objects, said method comprising:
receiving data indicating a plurality of hierarchies of hierarchically organized domains, with each domain containing a corresponding fixed number of values, said plurality of hierarchies including a first hierarchy and a second hierarchy, said first hierarchy and said second hierarchy respectively specifying a first plurality of values and a second plurality of values which can be stored for attributes of said objects, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries;
displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities, wherein said first plurality of values and said second plurality of values are displayed on said display unit at said first time instance;
enabling a user to specify a first combination and a second combination, said first combination comprising a user entity from said plurality of user entities, and a first set of values from the displayed values of the corresponding domains, wherein said first set of values includes a first value from said first plurality of values of said first hierarchy and a second value from said second plurality of values of said second hierarchy, wherein said second combination comprises said user entity and a second set of values from the displayed values, said second set of values containing said first value and a third value from said second plurality of values of said second hierarchy, wherein said user selects a third set of values from said first hierarchy, said third set of values comprising a fifth value of a first domain in said first hierarchy and a descendant flag, wherein said first domain is at a higher level in said first hierarchy, wherein said fifth value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy, wherein said descendant flag indicates whether or not to include the sub-domains under said fifth value in said selection, wherein said selection includes the values of said first domain and the sub-domains under said fifth value in said third set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise;
enabling said user to specify a first security rule and a second security rule, said first security rule being for said first combination of said user entity and said first set of values including said first value and said second value, said second security rule being for said second combination of said user entity and said second set of values including said first value and said third value; and
enforcing said first security rule and said second security rule, wherein said first security rule is enforced when an object having attributes matching said first set of values, including a first attribute of the object matching said first value and a second attribute of the object matching said second value, is accessed by said user entity, wherein said second security rule is enforced when another object having attributes matching said second set of values, including a third attribute of the another object matching said first value and a fourth attribute of the another object matching said third value, is accessed by said user entity, wherein said user specifies both of said first security rule and said second security rule based on the values of the corresponding domains displayed on said display unit at said first time instance, wherein access to a first object by said user entity is performed using a first SQL query, wherein said enforcing of said first security rule when said first object is accessed by said user entity comprises:
appending a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said first object match said first set of values.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory machine readable medium storing one or more sequences of instructions for enabling a system to control access to objects, wherein execution of said one or more instructions by one or more processors contained in said system enables said system to perform the actions of:
receiving data indicating a plurality of hierarchies of hierarchically organized domains, with each domain containing a corresponding fixed number of values, said plurality of hierarchies including a first hierarchy and a second hierarchy, said first hierarchy and said second hierarchy respectively specifying a first plurality of values and a second plurality of values which can be stored for attributes of said objects, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries;
displaying on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities, wherein said first plurality of values and said second plurality of values are displayed on said display unit at said first time instance;
enabling a user to specify a first combination and a second combination, said first combination comprising a user entity from said plurality of user entities, and a first set of values from the displayed values of the corresponding domains, wherein said first set of values includes a first value from said first plurality of values of said first hierarchy and a second value from said second plurality of values of said second hierarchy, wherein said second combination comprises said user entity and a second set of values from the displayed values, said second set of values containing said first value and a third value from said second plurality of values of said second hierarchy, wherein said user selects a third set of values from said first hierarchy, said third set of values comprising a fifth value of a first domain in said first hierarchy and a descendant flag, wherein said first domain is at a higher level in said first hierarchy, wherein said fifth value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy, wherein said descendant flag indicates whether or not to include the sub-domains under said fifth value in said selection, wherein said selection includes the values of said first domain and the sub-domains under said fifth value in said third set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise;
enabling said user to specify a first security rule and a second security rule, said first security rule being for said first combination of said user entity and said first set of values including said first value and said second value, said second security rule being for said second combination of said user entity and said second set of values including said first value and said third value; and
enforcing said first security rule and said second security rule, wherein said first security rule is enforced when an object having attributes matching said first set of values, including a first attribute of the object matching said first value and a second attribute of the object matching said second value, is accessed by said user entity, wherein said second security rule is enforced when another object having attributes matching said second set of values, including a third attribute of the another object matching said first value and a fourth attribute of the another object matching said third value, is accessed by said user entity, wherein said user specifies both of said first security rule and said second security rule based on the values of the corresponding domains displayed on said display unit at said first time instance, wherein access to a first object by said user entity is performed using a first SQL query, wherein said enforcing of said first security rule when said first object is accessed by said user entity comprises:
appending a condition to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said first object match said first set of values.
Dependent claims: 9, 10, 11, 12, 13
14. A computing system comprising:
a relational database server to store a plurality of objects;
an administrator system operable to:
receive data indicating a plurality of hierarchies of hierarchically organized domains, with each domain containing a corresponding fixed number of values, said plurality of hierarchies including a first hierarchy and a second hierarchy, said first hierarchy and said second hierarchy respectively specifying a first plurality of values and a second plurality of values which can be stored for attributes of said plurality of objects, wherein said objects are stored in a relational database server and access to said objects is performed using SQL (structured query language) queries;
display on a display unit at a first time instance, the values of the corresponding domains in each hierarchy of said plurality of hierarchies along with a plurality of user entities, wherein said first plurality of values and said second plurality of values are displayed on said display unit at said first time instance;
enable a user to specify a first combination and a second combination, said first combination comprising a user entity from said plurality of user entities, and a first set of values from the displayed values of the corresponding domains, wherein said first set of values includes a first value from said first plurality of values of said first hierarchy and a second value from said second plurality of values of said second hierarchy, wherein said second combination comprises said user entity and a second set of values from the displayed values, said second set of values containing said first value and a third value from said second plurality of values of said second hierarchy, wherein said user selects a third set of values from said first hierarchy, said third set of values comprising a fifth value of a first domain in said first hierarchy and a descendant flag, wherein said first domain is at a higher level in said first hierarchy, wherein said fifth value is associated with sub-domains that are at lower levels relative to said higher level in said first hierarchy, wherein said descendant flag indicates whether or not to include the sub-domains under said fifth value in said selection, wherein said selection includes the values of said first domain and the sub-domains under said fifth value in said third set of values if said descendant flag indicates sub-domains are to be included in said selection, and only the values of said first domain otherwise; and
enable said user to specify a first security rule and a second security rule, said first security rule being for said first combination of said user entity and said first set of values including said first value and said second value, said second security rule being for said second combination of said user entity and said second set of values including said first value and said third value, wherein said user specifies both of said first security rule and said second security rule based on the values of the corresponding domains displayed on said display unit at said first time instance; and
a server system operable to:
receive a user request from said user entity;
determine that a first object having attributes matching said first set of values, including a first attribute of said first object matching said first value and a second attribute of said first object matching said second value, is to be accessed for processing said user request; and
enforce said first security rule as against said first object in processing said user request, as a response to said user having specified said first security rule for said combination of said first set of values and said user entity, wherein access to a first object by said user entity is performed using a first SQL query, wherein to enforce said first security rule when said first object is accessed by said user entity a condition is appended to a WHERE clause of said first SQL query, said condition designed to check whether the attributes of said first object match said first set of values.
Dependent claims: 15, 16, 17, 18, 19, 20
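The abstract and the three independent claims above describe one mechanism: values of hierarchically organized domains are expanded through a descendant flag, a security rule is recorded for a combination of a user entity and a set of values, and the rule is enforced by appending a condition to the WHERE clause of the SQL query through which the objects are accessed. The following Python script is an added illustration of that mechanism written for this page; it is not code from the patent or its assignee. The two hierarchies, the `documents` table and its rows, the column mapping and every name in it (`HIERARCHIES`, `ATTRIBUTE_COLUMNS`, `select_values`, `SecurityRule`, `build_condition`, `enforce`, `accessible_ids`) are constructed assumptions. The appended condition is built with bound parameters rather than by splicing values into the query text, and a user entity with no rule at all receives a condition that matches nothing.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample hierarchies (assumption, not the patent's data): two hierarchies,
# each a chain of domains with a fixed list of values. value -> (domain, parent value).
HIERARCHIES = {
    "geo": {          # domains: region -> country
        "EMEA": ("region", None), "APAC": ("region", None),
        "DE": ("country", "EMEA"), "FR": ("country", "EMEA"), "JP": ("country", "APAC"),
    },
    "product": {      # domains: line -> item
        "Hardware": ("line", None), "Software": ("line", None),
        "Laptop": ("item", "Hardware"), "Server": ("item", "Hardware"), "OS": ("item", "Software"),
    },
}
# Which table column stores each hierarchy's attribute of an object (assumption).
ATTRIBUTE_COLUMNS = {"geo": "geo", "product": "product"}


def select_values(hierarchy: str, value: str, descendants: bool) -> set:
    """The selection step: the chosen value, plus every value in the sub-domains
    beneath it when the descendant flag is set, and only the chosen value otherwise."""
    nodes = HIERARCHIES[hierarchy]
    if value not in nodes:
        raise ValueError(f"{value!r} is not a value in hierarchy {hierarchy!r}")
    chosen, frontier = {value}, [value]
    while descendants and frontier:
        parent = frontier.pop()
        for child, (_domain, child_parent) in nodes.items():
            if child_parent == parent:
                chosen.add(child)
                frontier.append(child)
    return chosen


@dataclass(frozen=True)
class SecurityRule:
    """A rule for one combination of a user entity and one value set per hierarchy."""
    user_entity: str
    values: dict  # hierarchy -> frozenset of (already expanded) values


def build_condition(user_entity: str, rules) -> tuple:
    """SQL condition plus bound parameters, true for objects whose attributes match any
    rule specified for this user entity. No rule for the user gives '1 = 0' (fail closed)."""
    clauses, params = [], []
    for rule in rules:
        if rule.user_entity != user_entity:
            continue
        parts = []
        for hierarchy, allowed in sorted(rule.values.items()):
            vals = sorted(allowed)
            parts.append(f"{ATTRIBUTE_COLUMNS[hierarchy]} IN ({', '.join('?' * len(vals))})")
            params.extend(vals)
        clauses.append("(" + " AND ".join(parts) + ")")
    return (" OR ".join(clauses) if clauses else "1 = 0"), params


def enforce(sql: str, user_entity: str, rules) -> tuple:
    """Append the rule condition to the query's WHERE clause, adding one if absent.
    Assumes a single-table SELECT with no trailing ORDER BY / GROUP BY; a production
    implementation would rewrite the parsed query or use the database's row-level policies."""
    condition, params = build_condition(user_entity, rules)
    joiner = " AND " if " where " in sql.lower() else " WHERE "
    return f"{sql}{joiner}({condition})", params


# Constructed sample objects: (id, geo attribute, product attribute).
DOCUMENTS = [(1, "DE", "Laptop"), (2, "FR", "Server"), (3, "JP", "Laptop"),
             (4, "DE", "OS"), (5, "EMEA", "Hardware")]

# Two rules for "alice", mirroring the claims' first and second combinations: both
# share the first hierarchy's value (EMEA with descendants) and differ in the second.
RULES = [
    SecurityRule("alice", {"geo": frozenset(select_values("geo", "EMEA", True)),
                           "product": frozenset(select_values("product", "Hardware", True))}),
    SecurityRule("alice", {"geo": frozenset(select_values("geo", "EMEA", True)),
                           "product": frozenset(select_values("product", "OS", False))}),
]


def accessible_ids(user_entity: str, rules=RULES) -> list:
    """Run a caller's query against an in-memory SQLite table with the rule appended."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER, geo TEXT, product TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", DOCUMENTS)
    sql, params = enforce("SELECT id FROM documents", user_entity, rules)
    return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    print(enforce("SELECT id FROM documents", "alice", RULES))
    print(accessible_ids("alice"), accessible_ids("bob"))
```

Running the script shows the rewritten query for alice and the object ids each user can reach: alice sees the EMEA hardware objects and the German OS object but not the Japanese one, while bob, who has no rule, sees nothing. The point for an implementer is that the appended condition is the whole enforcement boundary: a query that reaches the database without passing through `enforce` (or a query whose structure defeats the simple WHERE detection) is unfiltered, which is why such rewriting belongs in a single chokepoint or in the database's own row-level security rather than in each caller.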