Controlling access to a database using database internal and external authorization information
Abstract
Techniques for using both database internal and database external authorization information to control access to a database are disclosed. Corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as “external” database accounts with database external authorization information that define database external access privileges for a database. The database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts. An integrated access-privilege set is generated and used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database. As a result, databases can be integrated with various non-database entities (e.g., corporate computing systems).
Claims
exact text as granted — not AI-modified1 . A computer-implemented method of controlling access to data stored in a computer readable storage medium of a database system that includes a computing system, wherein said computer-implemented method comprises:
obtaining, by said computing system, external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system; obtaining, by said computing system, authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account; obtaining, by said computing system and based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and determining, by said computing system and based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
2 . The computer-implemented method of claim 1 , wherein said authentication information is and/or includes a password.
3 . The computer-implemented method of claim 1 , wherein said external system is located in a remote entity with respect to said database system.
4 . The computer-implemented method of claim 1 , wherein said external system is owned and/or operated by an entity that does not own or operate said database system.
5 . The computer-implemented method of claim 1 ,
wherein said integrated set includes an ordered list, and wherein said determining of whether to allow access is determined based on said ordered list.
6 . A computer system operable to access data stored in a computer readable storage medium of a database system, wherein said computing system is further operable to:
obtaining external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system; obtaining authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account; obtaining, based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and determining, based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
7 . A computer readable storage medium storing at least executable computer code embodied in a tangible form for controlling access to data stored in a database system that includes a computing system, wherein said computer readable storage medium includes:
executable computer program code operable to obtain external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system; executable computer program code operable to obtain authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account; executable computer program code operable to obtain based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and executable computer program code operable to determine based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
8 . The computer readable storage medium of claim 7 , wherein said authentication information is and/or includes a password.
9 . The computer readable storage medium of claim 7 , wherein said external system is located in a remote entity with respect to said database system.
10 . A database system that includes a computing system operable to control access to a database, wherein said database system is configured and/or operable for:
receiving a request, from a remote database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database; sending authentication information associated with said request to an external authenticator for authentication; determining whether said external authenticator has authenticated said authentication information; obtaining, from said database, integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for at least one database internal account and one or more second authorization identifiers for said at least one database external account defined for an external system that is external to said database, and wherein said first one or more authorization identifiers are different than said second one or more identifiers; searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database; determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system; authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account defined for said database; and authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
11 . A database system as recited in claim 10 , wherein said database system further comprises:
an authentication interface that is capable of communicating with said external authenticator, wherein said external authenticator is operate to: authenticate said authentication information; and forward database external authorization information to said authentication interface of said database server component.
12 . A database system as recited in claim 11 ,
wherein said database external authorization information includes one or more group names defined for said database system, and one or more access-privileges have been associated with each one of said one or more groups and stored as database external authentication information for said database.
13 . A database system as recited in claim 11 , wherein said integrated access-privilege set is an ordered list of access-privileges associated with both of said at least one database internal account and at least one database external account.
14 . A database system as recited in claim 10 , wherein said authentication information includes a username and a password, and
wherein said external authenticator is associated with an operating system.
15 . A database system as recited in claim 10 ,
wherein said database external privilege-identifiers are one or more group names defined for said database system, and wherein one or more access-privileges are associated with each one of said one or more groups and stored as database external authentication information for said database.
16 . A computer readable medium including at least executable computer program code embodied in a tangible form for controlling access to a database, comprising:
executable computer program code for receiving a request, from a database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database; executable computer program code for sending authentication information associated with said request to an external authenticator for authentication; executable computer program code for determining whether said external authenticator has authenticated said authentication information; executable computer program code for obtaining from said database integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for said at least one database internal account and one or more second authorization identifiers for said at least one database external account, and wherein said first one or more authorization identifiers are different than said second one or more identifiers; executable computer program code for searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for said at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database; executable computer program code for determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system; executable computer program code for authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account which has been defined for said database; and executable computer program code for authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
17 . A computer readable medium as recited in claim 16 , wherein said integrated access-privilege set is an ordered list of access-privileges associated with both of said at least one database internal account and at least one database external account.
18 . A computer readable medium as recited in claim 16 , wherein said authentication information is and/or includes a password.
19 . A computer readable medium as recited in claim 16 , wherein said external system is located in a remote entity with respect to said database system.
20 . A computer readable medium as recited in claim 16 , wherein said external system is owned and/or operated by an entity that does not own or operate said database system.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.