
Row-level security in a relational database management system

  • US 7,464,080 B2
  • Filed: 05/10/2007
  • Issued: 12/09/2008
  • Est. Priority Date: 09/04/2002
  • Status: Expired due to Fees
First Claim

1. A method for making a computer implemented process to enable controlling access to a relational database, said method comprising:

  • instantiating first computer instructions onto a computer readable medium said first instructions configured to receive a user request for data from the database, the request including a request to perform a database operation and a user security label;

    instantiating second computer instructions onto a computer readable medium said second instructions configured to determine user security information from the user security label;

    instantiating third computer instructions onto a computer readable medium said third instructions configured to retrieve, in response to the user request, rows of data from a table in the database satisfying the database operation, the rows each having a security label;

    instantiating fourth computer instructions onto a computer readable medium said fourth instructions configured to determine row security information for each of the retrieved rows based on the row's security label;

    instantiating fifth computer instructions onto a computer readable medium said fifth instructions configured to determine, for each retrieved row, whether the user is authorized to access the row based on the user security information and the row security information by determining if the user security information dominates the row security information; and

    instantiating sixth computer instructions onto a computer readable medium said sixth instructions configured to return only the rows for which the user is determined to have authorization to access, wherein the user security label is one of a plurality of security labels arranged in a hierarchy of security levels, wherein the user is determined to be authorized to access the retrieved row only if the user security label corresponds to a security level having greater than or equal degree of access than a security level indicated by the retrieved row's security label and only if the retrieved row's security label corresponds to security categories that are a proper subset of security categories corresponding to the user security label.
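The authorization test recited in the claim, sketched as an added example that is not part of the patent text or any vendor's implementation. The level names, the `LEVEL:CAT1,CAT2` label encoding, the `orders` table and the use of SQLite are assumptions, and "proper subset" is read in its strict set-theoretic sense, so a row whose categories equal the user's is not returned.

```python
import sqlite3

# Hypothetical hierarchy and label encoding; the claim fixes neither.
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2}

def parse_label(label):
    """Turn a security label into (level rank, frozenset of categories)."""
    level, _, cats = label.partition(":")
    return LEVELS[level], frozenset(c for c in cats.split(",") if c)

def dominates(user_label, row_label):
    """User level >= row level AND row categories are a proper subset
    of the user's categories (frozenset '<' is the strict subset test)."""
    u_level, u_cats = parse_label(user_label)
    r_level, r_cats = parse_label(row_label)
    return u_level >= r_level and r_cats < u_cats

def select_authorized(conn, user_label, min_amount):
    """Retrieve rows satisfying the operation, then return only the
    rows whose label the user's label dominates."""
    rows = conn.execute(
        "SELECT id, amount, seclabel FROM orders WHERE amount >= ? ORDER BY id",
        (min_amount,))
    return [(i, a) for i, a, lbl in rows if dominates(user_label, lbl)]

def build_sample_db():
    """Constructed sample data: every row carries its own security label."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER, seclabel TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, 100, "PUBLIC:"),              # lower level, no categories
        (2, 250, "CONFIDENTIAL:FIN"),     # same level, strict subset
        (3, 400, "SECRET:FIN"),           # level too high
        (4, 500, "CONFIDENTIAL:FIN,HR"),  # equal categories, not a proper subset
        (5, 50, "PUBLIC:"),               # fails the query predicate itself
        (6, 300, "CONFIDENTIAL:LEGAL"),   # category the user does not hold
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print(select_authorized(db, "CONFIDENTIAL:FIN,HR", 100))
```

Under this strict reading a user label with no categories dominates no row at all, since the empty set has no proper subset.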
