Computer Relational Database Method and System Having Role Based Access Control

US 20130138666A1
Filed: 03/11/2011
Published: 05/30/2013
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to secured data, comprising:

operatively coupling a repository to one or more databases storing secure data;

employing the repository, intercepting a user query of one of the databases;

automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user;

based on determined user role, automatically modifying the user query to filter out secure data for which the user does not have access rights; and

applying the modified query to the one database.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on user role, the security runtime subsystem automatically modifies the user query to filter out secure data for which the identified user is unauthorized to access but are part of the user query.

15 Citations

View as Search Results

22 Claims

1. A method of controlling access to secured data, comprising:
- operatively coupling a repository to one or more databases storing secure data;
  
  employing the repository, intercepting a user query of one of the databases;
  
  automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user;
  
  based on determined user role, automatically modifying the user query to filter out secure data for which the user does not have access rights; and
  
  applying the modified query to the one database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method of claim 1 further comprising parsing the intercepted query and identifying objects in the one database that are to be accessed as part of the user query.
  - 3. A method of claim 2 wherein the user query includes an indication of the user;
    - andthe repository is further configured to look up security information of the identified objects in a metamodel of the one database, and resolve any group memberships.
  - 4. A method of claim 2 further comprising storing in a metamodel of the one database, security information that qualifies which data objects are accessible by certain user roles, andthe repository being further configured to look up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query.
  - 5. A method of claim 4 further comprising:
    - using the repository to secure the security information, and enabling the security information to be dynamically adjustable at runtime.
  - 6. A method of claim 1 wherein the steps of automatically determining and automatically modifying include decoupling object and row level security from the database.
  - 7. A method of claim 1 further comprising processing the modified query on the one database and returning results of the modified query to the user.
  - 8. A method of claim 1 wherein the one database is a relational database.
  - 9. A method of claim 8 wherein the step of automatically modifying the user query includes inserting an SQL Where clause to filter out certain secure data/objects in the database that are part of the user query.
  - 10. A method as claimed in claim 1 wherein the one or more databases are unrelated to each other and non-centrally managed.

11. A computer system of controlling access to secured data, comprising:
- a repository operatively coupled to one or more databases storing secure data, the repository configured to intercept a user query of one of the databases; and
  
  a security runtime subsystem of the repository (i) automatically determining from the intercepted query a user who generated the user query and a user role assigned to the user, and (ii) based on determined user role, automatically modifying the user query to filter out secure data for which the user is ineligible to access,the repository applying the modified query to the one database and retrieving qualifying data as authorized by user role.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A computer system as claimed in claim 11 wherein the security runtime subsystem parses the intercepted query and identifies entities in the one database that are to be accessed as part of the user query.
  - 13. A computer system as claimed in claim 12 wherein the user query includes an indication of the user;
    - andthe repository is further configured to look up security information of the identified entities in a metamodel of the one database, and resolve any group memberships.
  - 14. A computer system as claimed in claim 12 further comprising:
    - a metamodel of the one database, the metamodel being configured to store security information that qualifies which data entities are accessible by certain user roles, andthe security runtime subsystem further being configured to look up security information of the identified entities in the metamodel and determine which identified entities to filter out of the user query.
  - 15. A computer system as claimed in claim 14 wherein the repository further secures the security information and enables the security information to be dynamically adjustable at runtime.
  - 16. A computer system as claimed in claim 11 wherein the security runtime subsystem is configured to decouple object level security and row level security from the one database.
  - 17. A computer system as claimed in claim 11 wherein the repository further returns to the user results of the modified query as applied to the one database.
  - 18. A computer system as claimed in claim 11 wherein the one database is a relational database.
  - 19. A computer system as claimed in claim 18 wherein the security runtime subsystem automatically modifying the user query includes inserting an SQL Where clause to filter out the secure data for which the user is ineligible to access but are part of the user query.
  - 20. A computer system as claimed in claim 11 wherein the one or more databases are unrelated to each other and are non-centrally managed.

21. A computer program product comprising:
- a computer readable storage medium having a computer readable program embodied therewith,the computer readable program including program code to;
  
  (a) operatively couple a repository to a plurality of databases storing secure data;
  
  (b) employ the repository to intercept a user query of one of the databases;
  
  (c) automatically determine from the intercepted query, a user who generated the user query and a user role assigned to the user;
  
  (d) based on determined user role, automatically modify the user query to filter out secure data for which the user does not have access rights; and
  
  (e) apply the modified query to the one database.
- View Dependent Claims (22)
- - 22. A computer program product as claimed in claim 21 wherein the one database is a relational database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Muller, Leslie, Wasser, Michael Morris, Maestro, Alberto Arias

Granted Patent

US 9,058,353 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/754
CPC Class Codes

G06F 16/212   with details for data model...

G06F 16/24549   Run-time optimisation

G06F 16/24565   Triggers; Constraints

G06F 16/2471   Distributed queries

G06F 16/27   Replication, distribution o...

G06F 16/283   Multi-dimensional databases...

G06F 16/284   Relational databases

G06F 16/9535   Search customisation based ...

G06F 21/10   Protecting distributed prog...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

Computer Relational Database Method and System Having Role Based Access Control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Computer Relational Database Method and System Having Role Based Access Control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links