Access control framework
Abstract
The described implementations relate to an access control framework for a database system. One implementation can receive, from a user, a request for data that identifies a resource, such as a view that obtains data from a database. The implementation can check the identity of the user to identify user roles associated with the user. The implementation can identify an access policy that is associated with the resource, and a rule that is associated with the access policy and applies to the user roles associated with the user. The rule can be applied to the request for data using attributes of the access policy. For example, if the request for data is a query on a view, the query can be rewritten to apply the rule.
Claims
exact text as granted — not AI-modified1 . A method comprising:
associating attributes with an access policy; binding the attributes to a data source that provides values of the attributes; associating rules with the attributes; and binding one or more resources to the access policy to apply the rules to inputs or outputs of the one or more resources using the values of the attributes.
2 . The method according to claim 1 , wherein the data source comprises a database table.
3 . The method according to claim 1 , wherein the one or more resources comprise one or more views.
4 . The method according to claim 1 , further comprising:
creating the access policy.
5 . The method according to claim 1 , further comprising:
associating one or more user roles with the access policy.
6 . The method according to claim 1 , further comprising:
assigning an individual rule to an individual user role to apply the individual rule to users having the individual user role.
7 . At least one computer-readable storage medium having instructions stored thereon that, when executed by one or more computing devices, cause the one or more computing devices to perform acts, the acts comprising:
receiving a request for data from a user, the request identifying a resource; checking an identity of the user to identify one or more user roles associated with the user; identifying an access policy associated with the resource; identifying a rule associated with the access policy, wherein the rule applies to an individual user role that is associated with the user; and applying the rule to the request using one or more attributes of the access policy.
8 . The at least one computer-readable storage medium of claim 7 , the resource comprising a view.
9 . The at least one computer-readable storage medium of claim 8 , the request comprising a query on the view.
10 . The at least one computer-readable storage medium of claim 9 , wherein applying the rule comprises rewriting the query.
11 . The at least one computer-readable storage medium of claim 10 , wherein rewriting the query comprises including the rule in the query.
12 . The at least one computer-readable storage medium of claim 10 , wherein rewriting the query comprises joining the query with at least one database table.
13 . The at least one computer-readable storage medium of claim 12 , wherein the user is associated with multiple user roles having multiple associated rules, and the acts further comprise applying each of the multiple associated rules for the multiple user roles associated with the user.
14 . A system comprising:
a policy creation module configured to:
create an access policy;
associate attributes with the access policy;
bind the attributes to one or more data sources;
associate rules with the attributes; and
bind one or more resources to the access policy to apply the rules to inputs or outputs of the one or more resources;
a rule application module configured to:
receive a request for data, the request identifying an individual resource that is bound to the access policy;
check an identity of a user associated with the request, the user having a user role;
identify an individual rule associated with the user role; and
apply the individual rule to the request to obtain results that are not prohibited by the individual rule; and
at least one processor configured to execute one or more of the policy creation module or the rule application module.
15 . The system according to claim 14 , wherein the user role is one of a plurality of user roles associated with the access policy.
16 . The system according to claim 14 , wherein the individual rule determines which rows of a database table are accessible by the user.
17 . The system according to claim 16 , wherein the individual rule also determines whether the user can access sensitive columns of the rows that are accessible by the user.
18 . The system according to claim 14 , wherein the rule application module is further configured to provide the results to the user after applying the individual rule, and, in at least one instance, the user is provided with fewer rows of data than are requested.
19 . The system according to claim 14 , wherein the rule application module is configured to rewrite the request with at least two relational operations on the individual resource.
20 . The system according to claim 19 , wherein the at least two relational operations comprise JOIN and SELECT.
21 . A method comprising:
marking one or more fields of a data source as protected fields; rewriting a data request to include conditions for the protected fields; tracking dependencies of the protected fields using the conditions; and surfacing results of the data request using the dependencies that are tracked using the conditions.
22 . A method comprising:
creating one or more application roles associated with an application at design time, the application comprising at least one of application functions or application views; associating sets of the application functions or sets of the application views with the one or more application roles at design time; and providing access to individual application functions or individual application views based on the application roles by associating users with the application roles when the application is deployed.
23 . A method comprising:
creating a first entity and a second entity; associating a resource with the first entity; associating one or more rules with the first entity; and inheriting an individual rule from the first entity to the second entity.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.