US2013117313A1PendingUtilityA1

Access control framework

51
Assignee: MIAO YIPriority: Nov 8, 2011Filed: Nov 8, 2011Published: May 9, 2013
Est. expiryNov 8, 2031(~5.3 yrs left)· nominal 20-yr term from priority
G16Z 99/00G16H 10/60G16H 40/20G06F 16/284G06F 16/2433G06F 21/6245G06F 21/6227G06F 21/604
51
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

The described implementations relate to an access control framework for a database system. One implementation can receive, from a user, a request for data that identifies a resource, such as a view that obtains data from a database. The implementation can check the identity of the user to identify user roles associated with the user. The implementation can identify an access policy that is associated with the resource, and a rule that is associated with the access policy and applies to the user roles associated with the user. The rule can be applied to the request for data using attributes of the access policy. For example, if the request for data is a query on a view, the query can be rewritten to apply the rule.

Claims

exact text as granted — not AI-modified
1 . A method comprising:
 associating attributes with an access policy;   binding the attributes to a data source that provides values of the attributes;   associating rules with the attributes; and   binding one or more resources to the access policy to apply the rules to inputs or outputs of the one or more resources using the values of the attributes.   
     
     
         2 . The method according to  claim 1 , wherein the data source comprises a database table. 
     
     
         3 . The method according to  claim 1 , wherein the one or more resources comprise one or more views. 
     
     
         4 . The method according to  claim 1 , further comprising:
 creating the access policy.   
     
     
         5 . The method according to  claim 1 , further comprising:
 associating one or more user roles with the access policy.   
     
     
         6 . The method according to  claim 1 , further comprising:
 assigning an individual rule to an individual user role to apply the individual rule to users having the individual user role.   
     
     
         7 . At least one computer-readable storage medium having instructions stored thereon that, when executed by one or more computing devices, cause the one or more computing devices to perform acts, the acts comprising:
 receiving a request for data from a user, the request identifying a resource;   checking an identity of the user to identify one or more user roles associated with the user;   identifying an access policy associated with the resource;   identifying a rule associated with the access policy, wherein the rule applies to an individual user role that is associated with the user; and   applying the rule to the request using one or more attributes of the access policy.   
     
     
         8 . The at least one computer-readable storage medium of  claim 7 , the resource comprising a view. 
     
     
         9 . The at least one computer-readable storage medium of  claim 8 , the request comprising a query on the view. 
     
     
         10 . The at least one computer-readable storage medium of  claim 9 , wherein applying the rule comprises rewriting the query. 
     
     
         11 . The at least one computer-readable storage medium of  claim 10 , wherein rewriting the query comprises including the rule in the query. 
     
     
         12 . The at least one computer-readable storage medium of  claim 10 , wherein rewriting the query comprises joining the query with at least one database table. 
     
     
         13 . The at least one computer-readable storage medium of  claim 12 , wherein the user is associated with multiple user roles having multiple associated rules, and the acts further comprise applying each of the multiple associated rules for the multiple user roles associated with the user. 
     
     
         14 . A system comprising:
 a policy creation module configured to:
 create an access policy; 
 associate attributes with the access policy; 
 bind the attributes to one or more data sources; 
 associate rules with the attributes; and 
 bind one or more resources to the access policy to apply the rules to inputs or outputs of the one or more resources; 
   a rule application module configured to:
 receive a request for data, the request identifying an individual resource that is bound to the access policy; 
 check an identity of a user associated with the request, the user having a user role; 
 identify an individual rule associated with the user role; and 
 apply the individual rule to the request to obtain results that are not prohibited by the individual rule; and 
   at least one processor configured to execute one or more of the policy creation module or the rule application module.   
     
     
         15 . The system according to  claim 14 , wherein the user role is one of a plurality of user roles associated with the access policy. 
     
     
         16 . The system according to  claim 14 , wherein the individual rule determines which rows of a database table are accessible by the user. 
     
     
         17 . The system according to  claim 16 , wherein the individual rule also determines whether the user can access sensitive columns of the rows that are accessible by the user. 
     
     
         18 . The system according to  claim 14 , wherein the rule application module is further configured to provide the results to the user after applying the individual rule, and, in at least one instance, the user is provided with fewer rows of data than are requested. 
     
     
         19 . The system according to  claim 14 , wherein the rule application module is configured to rewrite the request with at least two relational operations on the individual resource. 
     
     
         20 . The system according to  claim 19 , wherein the at least two relational operations comprise JOIN and SELECT. 
     
     
         21 . A method comprising:
 marking one or more fields of a data source as protected fields;   rewriting a data request to include conditions for the protected fields;   tracking dependencies of the protected fields using the conditions; and   surfacing results of the data request using the dependencies that are tracked using the conditions.   
     
     
         22 . A method comprising:
 creating one or more application roles associated with an application at design time, the application comprising at least one of application functions or application views;   associating sets of the application functions or sets of the application views with the one or more application roles at design time; and   providing access to individual application functions or individual application views based on the application roles by associating users with the application roles when the application is deployed.   
     
     
         23 . A method comprising:
 creating a first entity and a second entity;   associating a resource with the first entity;   associating one or more rules with the first entity; and   inheriting an individual rule from the first entity to the second entity.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.