Row-level security in a relational database management system
First Claim
1. A method for making a computer implemented process to enable controlling access to a relational database, said method comprising:
- instantiating first computer instructions onto a computer readable medium said first instructions configured to receive a user request for data from the database, the request including a request to perform a database operation and a user security label;
instantiating second computer instructions onto a computer readable medium said second instructions configured to determine user security information from the user security label;
instantiating third computer instructions onto a computer readable medium said third instructions configured to retrieve, in response to the user request, rows of data from a table in the database satisfying the database operation, the rows each having a security label;
instantiating fourth computer instructions onto a computer readable medium said fourth instructions configured to determine row security information for each of the retrieved rows based on the row'"'"'s security label;
instantiating fifth computer instructions onto a computer readable medium said fifth instructions configured to determine, for each retrieved row, whether the user is authorized to access the row based on the user security information and the row security information by determining if the user security information dominates the row security information; and
instantiating sixth computer instructions onto a computer readable medium said sixth instructions configured to return only the rows for which the user is determined to have authorization to access,wherein the user security label is one of a plurality of security labels arranged in a hierarchy of security levels,wherein the user is determined to be authorized to access the retrieved row only if the user security label corresponds to a security level having greater than or equal degree of access than a security level indicated by the retrieved row'"'"'s security label andonly if the retrieved row'"'"'s security label corresponds to security categories that are a proper subset of security categories corresponding to the user security label.
1 Assignment
0 Petitions
Accused Products
Abstract
Access control methods provide multilevel and mandatory access control for a database management system. The access control techniques provide access control at the row level in a relational database table. The database table contains a security label column within which is recorded a security label that is defined within a hierarchical security scheme. A user'"'"'s security label is encoded with security information concerning the user. When a user requests access to a row, a security mechanism compares the user'"'"'s security information with the security information in the row. If the user'"'"'s security dominates the row'"'"'s security, the user is given access to the row.
-
Citations
6 Claims
-
1. A method for making a computer implemented process to enable controlling access to a relational database, said method comprising:
-
instantiating first computer instructions onto a computer readable medium said first instructions configured to receive a user request for data from the database, the request including a request to perform a database operation and a user security label; instantiating second computer instructions onto a computer readable medium said second instructions configured to determine user security information from the user security label; instantiating third computer instructions onto a computer readable medium said third instructions configured to retrieve, in response to the user request, rows of data from a table in the database satisfying the database operation, the rows each having a security label; instantiating fourth computer instructions onto a computer readable medium said fourth instructions configured to determine row security information for each of the retrieved rows based on the row'"'"'s security label; instantiating fifth computer instructions onto a computer readable medium said fifth instructions configured to determine, for each retrieved row, whether the user is authorized to access the row based on the user security information and the row security information by determining if the user security information dominates the row security information; and instantiating sixth computer instructions onto a computer readable medium said sixth instructions configured to return only the rows for which the user is determined to have authorization to access, wherein the user security label is one of a plurality of security labels arranged in a hierarchy of security levels, wherein the user is determined to be authorized to access the retrieved row only if the user security label corresponds to a security level having greater than or equal degree of access than a security level indicated by the retrieved row'"'"'s security label and only if the retrieved row'"'"'s security label corresponds to security categories that are a proper subset of security categories corresponding to the user security label. - View Dependent Claims (2, 3, 4, 5, 6)
-
Specification