Method and apparatus to support privileges at multiple levels of authentication using a constraining ACL

US 9,471,801 B2
Filed: 11/29/2007
Issued: 10/18/2016
Est. Priority Date: 11/29/2007
Status: Active Grant

First Claim

Patent Images

1. A method for using ACLs (access control lists) to determine user privileges in a database, the method comprising:

authenticating, by a computer, a user using an authentication method selected from a plurality of authentication methods corresponding to a plurality of authentication levels;

determining an authentication level of the selected authentication method, wherein the authentication level indicates a security strength of the selected authentication method, and wherein the authentication level corresponds to a user role associated with the user;

identifying an entry in a constraining ACL based on the determined authentication level, wherein the entry in the constraining ACL specifies a global security policy that is specific to the determined authentication level and applies to all applications interacting with the database;

receiving a request from the user to perform an operation on data;

identifying a child ACL, which specifies the user'"'"'s privileges;

establishing a constraining inheritance relationship between the child ACL and the constraining ACL, which involves requiring a check of the constraining ACL whenever the child ACL is checked; and

performing, by the computer, the operation on the data in response to determining that the operation is permitted based on the user role, the child ACL and the constraining ACL.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.

21 Citations

18 Claims

1. A method for using ACLs (access control lists) to determine user privileges in a database, the method comprising:
- authenticating, by a computer, a user using an authentication method selected from a plurality of authentication methods corresponding to a plurality of authentication levels;
  
  determining an authentication level of the selected authentication method, wherein the authentication level indicates a security strength of the selected authentication method, and wherein the authentication level corresponds to a user role associated with the user;
  
  identifying an entry in a constraining ACL based on the determined authentication level, wherein the entry in the constraining ACL specifies a global security policy that is specific to the determined authentication level and applies to all applications interacting with the database;
  
  receiving a request from the user to perform an operation on data;
  
  identifying a child ACL, which specifies the user'"'"'s privileges;
  
  establishing a constraining inheritance relationship between the child ACL and the constraining ACL, which involves requiring a check of the constraining ACL whenever the child ACL is checked; and
  
  performing, by the computer, the operation on the data in response to determining that the operation is permitted based on the user role, the child ACL and the constraining ACL.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising reporting an error in response to determining that the operation is not permitted by the child ACL.
  - 3. The method of claim 1, further comprising reporting an error in response to determining that the operation is not permitted by the constraining ACL.
  - 4. The method of claim 1, wherein all ACLs except for the constraining ACL inherit from the constraining ACL.
  - 5. The method of claim 1, wherein the child ACL is encoded in XML (extensible markup language).
  - 6. The method of claim 5, wherein the constraining inheritance relationship is encoded in XML.
  - 7. The method of claim 1, wherein establishing a constraining inheritance relationship involves:
    - in response to a description of the child ACL not specifying that the child ACL inherits from the constraining ACL, modifying the description of the child ACL so that the modified description specifies that the child ACL inherits from the constraining ACL; and
      
      creating the child ACL using the modified description.

8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for using ACLs (access control lists) to determine user privileges in a database, the method comprising:
- authenticating a user using an authentication method selected from a plurality of authentication methods corresponding to a plurality of authentication levels;
  
  determining an authentication level of the selected authentication method, wherein the authentication level indicates a security strength of the selected authentication method, and wherein the authentication level corresponds to a user role associated with the user;
  
  identifying an entry in a constraining ACL based on the determined authentication level, wherein the entry in the constraining ACL specifies a global security policy that is specific to the determined authentication level and applies to all applications interacting with the database;
  
  receiving a request from the user to perform an operation on data;
  
  identifying a child ACL, which specifies the user'"'"'s privileges;
  
  establishing a constraining inheritance relationship between the child ACL and the constraining ACL, which involves requiring a check of the constraining ACL whenever the child ACL is checked; and
  
  performing, by the computer, the operation on the data in response to determining that operation is permitted based on the user role, the child ACL and the constraining ACL.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-readable storage medium of claim 8, the method further comprising reporting an error in response to determining that the operation is not permitted by the child ACL.
  - 10. The computer-readable storage medium of claim 8, the method further comprising reporting an error in response to determining that the operation is not permitted by the constraining ACL.
  - 11. The computer-readable storage medium of claim 8, wherein all ACLs except for the constraining ACL inherit from the constraining ACL.
  - 12. The computer-readable storage medium of claim 8, wherein the child ACL is encoded in XML (extensible markup language).
  - 13. The computer-readable storage medium of claim 12, wherein the constraining inheritance relationship is encoded in XML.

14. A computer system that uses ACLs (access control lists) to determine user privileges in a database, the system comprising:
- a processor;
  
  an authentication mechanism configured to authenticate a user using an authentication method selected from a plurality of authentication methods corresponding to a plurality of authentication levels;
  
  a determination mechanism configured to determine an authentication level of the selected authentication method, wherein the authentication level indicates a security strength of the selected authentication method, and wherein the authentication level corresponds to a user role associated with the user;
  
  a first ACL-identifying mechanism configured to identify an entry in a constraining ACL based on the determined authentication level, wherein the entry in the constraining ACL specifies a global security policy that is specific to the determined authentication level and applies to all applications interacting with the database;
  
  a receiving mechanism configured to receive a request from the user to perform an operation on data;
  
  a second ACL-identifying mechanism configured to identify a child ACL, which specifies the user'"'"'s privileges;
  
  an inheritance mechanism configured to establish a constraining inheritance relationship between the child ACL and the constraining ACL, which involves requiring a check of the constraining ACL whenever the child ACL is checked; and
  
  an operation mechanism configured to perform the operation on the data in response to determining that operation is permitted based on the user role, the child ACL and the constraining ACL.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer system of claim 14, comprising a reporting mechanism configured to report an error in response to determining that the operation is not permitted by the child ACL.
  - 16. The computer system of claim 14, comprising a reporting mechanism configured to report an error in response to determining that the operation is not permitted by the constraining ACL.
  - 17. The computer system of claim 14, wherein all ACLs except for the constraining ACL inherit from the constraining ACL.
  - 18. The computer system of claim 14, wherein the child ACL is encoded in XML (extensible markup language), and wherein the constraining inheritance relationship is encoded in XML.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Idicula, Sam, Keefe, Thomas, Rafiq, Mohammed Irfan, Ahmed, Tanvir, Pesati, Vikram, Agarwal, Nipun
Primary Examiner(s)
Schwartz, Darren B

Application Number

US11/947,235
Publication Number

US 20090144804A1
Time in Patent Office

3,246 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Method and apparatus to support privileges at multiple levels of authentication using a constraining ACL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

21 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to support privileges at multiple levels of authentication using a constraining ACL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links