WO1995022792A1 - A method and apparatus for controlling access to a database - Google Patents
A method and apparatus for controlling access to a database Download PDFInfo
- Publication number
- WO1995022792A1 WO1995022792A1 PCT/GB1995/000305 GB9500305W WO9522792A1 WO 1995022792 A1 WO1995022792 A1 WO 1995022792A1 GB 9500305 W GB9500305 W GB 9500305W WO 9522792 A1 WO9522792 A1 WO 9522792A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- database
- tags
- tag
- security
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 21
- 238000013507 mapping Methods 0.000 claims abstract description 13
- 230000008859 change Effects 0.000 abstract description 4
- 238000012986 modification Methods 0.000 abstract description 2
- 230000004048 modification Effects 0.000 abstract description 2
- 238000010586 diagram Methods 0.000 description 5
- 238000007726 management method Methods 0.000 description 5
- XILIYVSXLSWUAI-UHFFFAOYSA-N 2-(diethylamino)ethyl n'-phenylcarbamimidothioate;dihydrobromide Chemical compound Br.Br.CCN(CC)CCSC(N)=NC1=CC=CC=C1 XILIYVSXLSWUAI-UHFFFAOYSA-N 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 230000008569 process Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000013479 data entry Methods 0.000 description 2
- 230000010076 replication Effects 0.000 description 2
- 101100004188 Arabidopsis thaliana BARD1 gene Proteins 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F1/00—Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/99931—Database or file accessing
- Y10S707/99939—Privileged access
Definitions
- This invention relates to a method and apparatus for controlling access to a database.
- ORACLE registered trademark of Oracle Corporation
- ORACLE is a relational database management system. In a relational database, only one type of data structure exists and this is the table which is a two dimensional structure of rows and columns of data.
- a query language called Structured Query Language (SQL) may be used to access data in a database in a non-procedural way.
- SQL Structured Query Language
- each class of user is provided with its own copy of that part of the data held in the central database for which it is appropriate for that group to have access to.
- This method has been called the replication method because it results in the data being replicated since at least some of the data will exist in more than one copies.
- a method is very inefficient in terms of memory usage.
- one copy of the data is changed in some way by, for example, a user of a particular group updating a value, then a number of other copies of that data held by other groups will have to be updated. This will be time consuming and the way in which the system is administered will have to be very precise to ensure that data is maintained in a consistent state if, for example, the system crashes.
- a method for controlling access by a user to data in a database comprising configuring at least part of the database such that at least some of the data of the configured database is associated with a security tag, configuring a storage structure of user identifiers and associated user tags, configuring a storage structure of user tags and associated security tags and mapping a user identifier to at least a subset of the data by determining from the storage structure of user tags and associated security tags a security tag or tags appropriate to the user tag of the user identifier and allowing access to the data from the configured database associated with the security tag or tags.
- security tag it is meant a data entry which indicates that the associated data has particular attributes such as security classification. It may be a number or a character or other data entry.
- storage structure it is meant some grouping of data, for example, in the form of trees, records, sets, tables or other storage structures.
- a method for controlling access to a database by a user comprising creating a database of data and associated security tags, creating a first storage structure of identifiers and identifier tags, creating a second storage structure of identifier tags and associated security tags and creating a view onto the database appropriate to at least one of the identifiers by determining from the first storage structure an associated identifier tag and determining from the second storage structure at least one security tag appropriate to that determined identifier tag and selecting from the database, data associated with that security tag or tags.
- view it is meant a subset of the data which may be manipulated by the user as required.
- a view may be created for a user which allows the user to perform operations in the data.
- the view may be made secure that is to say alterations made by a user to the data may not be written back to the database without the CHECK option being satisfied. This is particularly useful where a user is not to have write access to the data in the database but is permitted to read the data and to manipulate it for his own use only.
- a system operating in accordance with the invention has to have one copy of the data only which is shared by the users and thus avoids at least some of the problems associated with the known replication methods such as storage memory inefficiency or the need for additional data management and processing time.
- the storage structure of user identifiers and user tags and the storage structure of user tags and security tags may be configured such that at least some of the users cannot gain access to all parts of the storage structures. In this way, the precluded user is prevented from determining what security rating he has and the system can be thought of as "transparent" that is, the user is not aware of the security policy and has no evidence for believing that access is being denied to some of the central database.
- apparatus for controlling access by a user to a database comprising means to configure: at least part of the database such that at least some of the data of the configured database is associated with a security tag; a storage structure of user identifiers and associated user tags; a storage structure of user tags and associated security tags; and means to map a user identifier to at least a subset of the data by determining from the storage structure of user tags and associated security tags a security tag or tags appropriate to the user tag of the user identifier and allowing the user access to the data from the configured database associated with the security tag or tags.
- the apparatus or method could be used for the access of employee records or other information such as information on a telecommunications network. Such information could be used to configure the telecommunications network by a network manager.
- the apparatus could also be configured to combine both a network managing function and a database security function.
- Figure 1 shows, in schematic block diagram form, hardware of a database system operating in accordance with an embodiment of the invention
- Figure 2 shows a set of database accounts supported by the database system
- Figure 3 shows a software view of the database system
- FIGS. 4 to 6 show, in schematic form, tables used in the database system
- Figure 7 is an explanatory diagram of operation of the database system
- Figure 8 is an explanatory diagram of a mapping operation carried out by the database system
- Figure 9 is a further explanatory diagram showing steps in the mapping operation.
- Figure 10 shows in schematic block diagram form the database system being used in a network management application.
- a database system 1 comprises a number of elements including a mainframe computer 2 of well known type such as a DEC Micro Vax connected to a number of user terminals 3, 4 and 5 each of which comprises a microcomputer of well known type such as an IBM PC.
- the connection is made by means of coaxial cable 6 of well known type and the communication between the elements of the system 1 is achieved by a well known communications protocol such as
- TCP/IP Transmission Control Protocol/Internet Protocol
- the user terminals 3, 4 and 5 are nominally identical. Each has a microprocessor 3a, 4a and 5a; memory 3b, 4b and 5b; an input/output device 3c, 4c and 5c; a buffer 3d, 4d and 5d; a visual display unit (VDU) 3e, 4e and 5e, and a keyboard 3f, 4f and 5f.
- a microprocessor 3a, 4a and 5a memory 3b, 4b and 5b
- an input/output device 3c, 4c and 5c a buffer 3d, 4d and 5d
- VDU visual display unit
- the memory 3b, 4b and 5b can be in the form of random access memory, read only memory or combinations of the both.
- the memory may be of solid state form as semiconductor "chips” or disc (optical or magnetic) or a combination of these forms.
- the memory comprises a number of memory locations. These locations will contain instructions for governing the operation of the microprocessor 3a, 4a and 5a with which the particular memory is associated.
- the microprocessor 3a, 4a and 5a accesses the memory to obtain the instructions.
- a program for governing the operation of the terminal is held in the memory as a set of instructions located at a number of the memory locations.
- the instructions will be in the form of a hexadecimal number.
- the memory is linked to the microprocessor by a databus in a manner well know.
- the databus also links the microprocessor to the other elements of the terminal.
- the input/output device 3c, 4c and 5c acts as an interface between the terminal and the other computers in the system.
- each terminal interacts with the terminal' s microprocessor via the buffer in a well known manner. Collectively, they provide an interface between the system and a user wishing to interact with the system.
- the main frame computer 2 has a processor 2a, memory 2b, an input/output device 2 ⁇ , a peripheral buffer 2d and associated VDU 2e and keyboard 2f.
- the mainframe computer 2 is of the same form as the user terminals 3, 4 and 5.
- the major difference is that the storage capacity of the memory 2b is far greater than that of the memory of the user terminals.
- An administrator of the database system can access the system by utilising the keyboard 2f and VDU 2e.
- the terminals 3, 4 and 5 and the mainframe computer 2 are interconnected by the coaxial cable 6 which extends between the input/output devices 3c, 4c and 5c of the terminals and the input/output device 2c of the mainframe.
- a protocol called TCP/IP is used for communication between elements of the system 1.
- the memory 2b contains a database of information. This information can be accessed by the users from their terminals. However the extent to which each user is allowed to access the information may vary between users. The system administrator will have access to all the database.
- the system can be considered as providing a set of database accounts, as depicted in figure 2.
- the administrator will have an administrator account 21 and the users will have user accounts 22, 23 and 24.
- the users are named Brown, Smith and Jones and the accounts are labelled accordingly.
- the memory 2b holds, as well as the database, a program for controlling the processor 2a, in particular, the way in which the database is accessed by each of the users.
- the processor 2a acts as a database engine.
- Smith, Brown and Jones can input requests into the database engine 31 and the engine will process the request accessing the database 32 as required.
- the database engine 31 then outputs a response to the querying user. These requests will be carried by transmission over the coaxial cable 6.
- the database 32 is subdivided into three parts, each part being an SQL table.
- the first subdivision is a table 33 called "EMPLOY”.
- the second subdivision is a table 34 called “SECURITY” and the third subdivision is a table 35 called "USER”.
- the database system 1 utilises a programming language called ORACLE SQL (registered trade mark of the Oracle Corporation) to set up and utilise the tables. The way in which the tables are initially created will be described later.
- the "EMPLOY" table 33 comprises information about employees in a company. It comprises a number of datafields as shown in figure 4.
- the datafields include a datafield 33a called "EMP NO" which includes the employee reference numbers for the employees of a particular company.
- NAME includes the names of employees of the company held as a string of thirty characters (CHAR) or less.
- the next datafield is a datafield 33 ⁇ which is called "POSITION".
- the "POSITION" datafield 33c contains information about the position of a particular employee in the company, for example, the employee may be a manager, clerk or secretary. This information is also stored as a string of ten characters or less.
- the next datafield is datafield 33d and this is called "SAL". This contains information about each employees salary expressed numerically in seven digits.
- Datafield 33e is called "DEPT" and this includes the name of the department within which the employees work. This information is held as a string of ten characters.
- Datafield 33f is called “ ROW_TAG” .
- This datafield contains a one character string indicative of a security status of the row of information to which it belongs. This field is of particular significance to the way in which access is allowed to particular rows of the "EMPLOY” table 33.
- the "SECURITY" table 34 comprises two datafields, a first datafield 34a called “ ROWJTAG” and a second datafield 34b called “ USER_TAG” , as shown in figure 5.
- the " ROW_TAG” datafield 34a will include the same characters as held in the " ROW_TAG” datafield 33f of the "EMPLOY” table. This will permit a mapping operation to be explained later in which rows of the "EMPLOY” table are selected by selecting these rows having a “ ROW_TAG” the same as the " ROW_TAG” of the "SECURITY” table 34.
- the "USERJTAG” datafield 34b holds one character data. The function of this field is to enable the mapping operation mentioned above and this will be more fully explained later.
- the "SECURITY" table 34 is thus named because the system security policy is embodied in the table.
- the "ROW_TAG” and " USER_TAG” of this table are termed security tags since the security policy is governed by these tags.
- the security policy may be conveniently modified by modifying this table. This aspect of the system will be more fully explained later.
- the "USER” table 35 is shown in figure 6 and comprises a " USER_TAG” field 35a. and a " USER_NAME” field 35b.
- the "USER_TAG” field 35a holds one character data which will include the same characters as those held in the " USER_TAG” field 34b of the "SECURITY” table 34. This will permit the aforementioned mapping operation to be performed as will be described later.
- the "USER_NAME" field 35b holds the names of users of the system in the form of character strings.
- a flow chart of the system operation is shown in figure 7.
- a first step in the operation is initialisation, as represented by box 70.
- the terminals 3, 4 and 5 are switched on, as is the main computer 2, and readied for use.
- a second step, as represented by box 71, is to create the tables in memory 2b. This is done by the database engine 31 using a SQL command CREATE TABLE in the following way.
- the "SECURITY" table 34 is configured by use of the SQL CREATE TABLE command in the following way.
- the "USER" table 35 is configured, by the SQL CREATE COMMAND in the following way.
- a next step 72 the tables are populated with data. This is done by the network administrator utilising the database engine 31 and the SQL INSERT command in the following way.
- employee number 10 is called Fitchett
- CS customer services department
- Data is entered into the "SECURITY" table 34 in a similar way.
- the first seven rows of data may be entered in the following manner.
- the USER table is completed in a similar manner.
- the database engine 31 then awaits a request from one of the users for information from the database 32 as represented by box 73 of figure 7.
- the process request step 74 will now be described in more detail with reference to figure 9. It is this processing step that utilises the above mentioned mapping operation that implements the security policy governing the system 1.
- a first step is for the database engine 31 to identify the user making the request for access to information stored in the database 32, as represented by box 90 of figure 9.
- a next step is for the database engine 31 to utilise the "USER_TABLE” 35 to obtain a " USERJTAG” appropriate for the identified user, as represented by box 91.
- a further step, as represented by box 92, is for the database engine 31 to utilise the "SECURITY" table 34 to obtain a " ROWJTAG” appropriate for the "USERJTAG” identified in step 91.
- a final step, as represented by box 93, is for the database engine 31 to return from the "EMPLOY" table 33 a row or rows of data where a "ROWJTAG" associated with the row matches the " ROWJTAG" identified in the previous step, step 92,
- An example will now be used to illustrate the way in which the database engine 31 processes a request.
- a user having a USER_NAME SMITH has been assigned a USERJTAG A and this may be mapped via the "SECURITY" table 34 to ROWJTAGS U and V. This enables SMITH to gain access to rows of the EMPLOY table 33 which have been assigned ROWJTAGS U or V. Thus SMITH is mapped onto rows ROW1, ROW2 and ROW3 of table EMPLOY and can view the data of those rows.
- the database engine 31 attributes an argument to this command of SMITH to identify the user and then performs the following mapping operation where USER_NAME is "SMITH".
- the mapping operation being provided in the programme governing the operation of the database engine 31.
- the system caters for access by BROWN and JONES in a similar way with the user name argument attributed by the database engine being BROWN or JONES as appropriate.
- the SQL command INSERT INTO table is used thus: INSERT INTO SECURITY VALUES (' V , ' B' ); INSERT INTO SECURITY VALUES (' X' , ' B' );
- the database containe information about employees that is to say the database was a personnel database. Other types of information could be stored.
- Figure 10 shows a system 1 in accordance with the invention, being used in a network manager.
- the database includes information such as configuration management information on a telecommunications network 100 comprising a number of network elements 101 to 103 and their element managers 104 to 106. Users of the system 1, such as network managers concerned with the operation and control of the network 100, can then be provided with access to different parts of the database in the same way as earlier described.
Abstract
Description
Claims
Priority Applications (9)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1019960704507A KR970701387A (en) | 1994-02-16 | 1995-02-14 | A METHOD AND APPARATUS FOR CONTROLLING ACCESS TO A DATABASE |
EP95908317A EP0745238B1 (en) | 1994-02-16 | 1995-02-14 | A method and apparatus for controlling access to a database |
US08/693,293 US5787428A (en) | 1994-02-16 | 1995-02-14 | Control of database access using security/user tag correspondence table |
DE69502381T DE69502381T2 (en) | 1994-02-16 | 1995-02-14 | METHOD AND DEVICE FOR CONTROLLING ACCESS TO A DATABASE |
JP7521653A JPH09508995A (en) | 1994-02-16 | 1995-02-14 | Method and apparatus for controlling access to a database |
AU16680/95A AU676428B2 (en) | 1994-02-16 | 1995-02-14 | A method and apparatus for controlling access to a database |
DK95908317T DK0745238T3 (en) | 1994-02-16 | 1995-02-14 | Method and apparatus for controlling access to a database |
CA002182592A CA2182592C (en) | 1994-02-16 | 1995-02-14 | A method and apparatus for controlling access to a database |
HK98111821A HK1010802A1 (en) | 1994-02-16 | 1998-11-06 | A method and apparatus for controlling access to a database |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9402935A GB9402935D0 (en) | 1994-02-16 | 1994-02-16 | A method for controlling access to a database |
GB9402935.2 | 1994-02-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO1995022792A1 true WO1995022792A1 (en) | 1995-08-24 |
Family
ID=10750431
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB1995/000305 WO1995022792A1 (en) | 1994-02-16 | 1995-02-14 | A method and apparatus for controlling access to a database |
Country Status (15)
Country | Link |
---|---|
US (1) | US5787428A (en) |
EP (1) | EP0745238B1 (en) |
JP (2) | JPH09508995A (en) |
KR (1) | KR970701387A (en) |
CN (1) | CN1141091A (en) |
AU (1) | AU676428B2 (en) |
CA (1) | CA2182592C (en) |
DE (1) | DE69502381T2 (en) |
DK (1) | DK0745238T3 (en) |
ES (1) | ES2117405T3 (en) |
GB (1) | GB9402935D0 (en) |
HK (1) | HK1010802A1 (en) |
NZ (1) | NZ279523A (en) |
SG (1) | SG47531A1 (en) |
WO (1) | WO1995022792A1 (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2000004435A1 (en) * | 1998-07-17 | 2000-01-27 | Electronic Data Systems Corporation | System and method for selectively defining access to application features |
EP0990972A1 (en) * | 1998-10-02 | 2000-04-05 | Ncr International Inc. | System and method for managing data privacy in a database management system |
JP2000293421A (en) * | 1998-10-02 | 2000-10-20 | Ncr Internatl Inc | Device and method for data management with improved privacy protecting function |
EP1089196A2 (en) * | 1999-10-01 | 2001-04-04 | Ncr International Inc. | System and method for managing data privacy in a database management system including a dependently connected privacy data mart |
GB2355323A (en) * | 1999-10-05 | 2001-04-18 | Authoriszor Ltd | Information security profile and policy system |
GB2355324A (en) * | 1999-10-05 | 2001-04-18 | Authoriszor Ltd | Transmitting protected information using a temporary file |
US7155612B2 (en) | 2003-04-30 | 2006-12-26 | International Business Machines Corporation | Desktop database data administration tool with row level security |
US7464080B2 (en) | 2002-09-04 | 2008-12-09 | International Business Machines Corporation | Row-level security in a relational database management system |
US7594266B2 (en) | 2001-11-23 | 2009-09-22 | Protegrity Corporation | Data security and intrusion detection |
US8225106B2 (en) | 2008-04-02 | 2012-07-17 | Protegrity Corporation | Differential encryption utilizing trust modes |
US8402281B2 (en) | 1996-06-20 | 2013-03-19 | Protegrity Corporation | Data security system for a database |
US8443426B2 (en) | 2007-06-11 | 2013-05-14 | Protegrity Corporation | Method and system for preventing impersonation of a computer system user |
CN107133528A (en) * | 2017-05-02 | 2017-09-05 | 山东浪潮通软信息科技有限公司 | The level of confidentiality protection implementation method and device of a kind of database purchase |
CN116186767A (en) * | 2023-01-12 | 2023-05-30 | 北京万里开源软件有限公司 | Method and device for marking row level in database |
Families Citing this family (99)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6647510B1 (en) * | 1996-03-19 | 2003-11-11 | Oracle International Corporation | Method and apparatus for making available data that was locked by a dead transaction before rolling back the entire dead transaction |
US5920861A (en) * | 1997-02-25 | 1999-07-06 | Intertrust Technologies Corp. | Techniques for defining using and manipulating rights management data structures |
US6408336B1 (en) | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
US7821926B2 (en) * | 1997-03-10 | 2010-10-26 | Sonicwall, Inc. | Generalized policy server |
US7272625B1 (en) | 1997-03-10 | 2007-09-18 | Sonicwall, Inc. | Generalized policy server |
US7912856B2 (en) * | 1998-06-29 | 2011-03-22 | Sonicwall, Inc. | Adaptive encryption |
WO2000000879A2 (en) * | 1998-03-04 | 2000-01-06 | Internet Dynamics, Inc. | Generalized policy server |
US7580919B1 (en) | 1997-03-10 | 2009-08-25 | Sonicwall, Inc. | Query interface to policy server |
US8914410B2 (en) | 1999-02-16 | 2014-12-16 | Sonicwall, Inc. | Query interface to policy server |
US6247131B1 (en) * | 1997-03-14 | 2001-06-12 | Fujitsu Limited | Information management method and recording medium |
US6226745B1 (en) * | 1997-03-21 | 2001-05-01 | Gio Wiederhold | Information sharing system and method with requester dependent sharing and security rules |
JPH10271159A (en) * | 1997-03-26 | 1998-10-09 | Sharp Corp | Information acquiring method |
US6211627B1 (en) * | 1997-07-29 | 2001-04-03 | Michael Callahan | Lighting systems |
US20040212324A1 (en) * | 1997-07-29 | 2004-10-28 | Michael Callahan | Lighting systems |
US6085191A (en) * | 1997-10-31 | 2000-07-04 | Sun Microsystems, Inc. | System and method for providing database access control in a secure distributed network |
US6438544B1 (en) * | 1998-10-02 | 2002-08-20 | Ncr Corporation | Method and apparatus for dynamic discovery of data model allowing customization of consumer applications accessing privacy data |
US6813617B2 (en) | 1998-10-05 | 2004-11-02 | Oracle International Corporation | Dynamic generation of optimizer hints |
US7281003B2 (en) * | 1998-10-05 | 2007-10-09 | Oracle International Corporation | Database fine-grained access control |
US6578037B1 (en) * | 1998-10-05 | 2003-06-10 | Oracle Corporation | Partitioned access control to a database |
US6587854B1 (en) * | 1998-10-05 | 2003-07-01 | Oracle Corporation | Virtually partitioning user data in a database system |
US7228300B2 (en) | 1998-10-05 | 2007-06-05 | Oracle International Corporation | Caching the results of security policy functions |
US6487552B1 (en) | 1998-10-05 | 2002-11-26 | Oracle Corporation | Database fine-grained access control |
CA2256936C (en) * | 1998-12-23 | 2002-04-02 | Hamid Bacha | System for electronic repository of data enforcing access control on data search and retrieval |
US6643776B1 (en) | 1999-01-29 | 2003-11-04 | International Business Machines Corporation | System and method for dynamic macro placement of IP connection filters |
JP2001188699A (en) * | 1999-12-28 | 2001-07-10 | Ibm Japan Ltd | Data processing system with access control mechanism |
KR20000017933A (en) * | 1999-12-29 | 2000-04-06 | 서영호 | Method on access privilege setting of RDBMS based records |
US20010037379A1 (en) * | 2000-03-31 | 2001-11-01 | Noam Livnat | System and method for secure storage of information and grant of controlled access to same |
US6581060B1 (en) * | 2000-06-21 | 2003-06-17 | International Business Machines Corporation | System and method for RDBMS to protect records in accordance with non-RDBMS access control rules |
US6757680B1 (en) | 2000-07-03 | 2004-06-29 | International Business Machines Corporation | System and method for inheriting access control rules |
US7080085B1 (en) | 2000-07-12 | 2006-07-18 | International Business Machines Corporation | System and method for ensuring referential integrity for heterogeneously scoped references in an information management system |
JP4497691B2 (en) * | 2000-09-27 | 2010-07-07 | 株式会社日立製作所 | Database management method and management system |
US6606627B1 (en) * | 2001-05-08 | 2003-08-12 | Oracle Corporation | Techniques for managing resources for multiple exclusive groups |
US7546287B2 (en) * | 2001-06-18 | 2009-06-09 | Siebel Systems, Inc. | System and method to search a database for records matching user-selected search criteria and to maintain persistency of the matched records |
US7464072B1 (en) | 2001-06-18 | 2008-12-09 | Siebel Systems, Inc. | Method, apparatus, and system for searching based on search visibility rules |
US7213013B1 (en) * | 2001-06-18 | 2007-05-01 | Siebel Systems, Inc. | Method, apparatus, and system for remote client search indexing |
GB2377287B (en) * | 2001-07-06 | 2005-07-13 | Livedevices Ltd | Improvements relating to internet-connected devices |
US7130852B2 (en) * | 2001-07-27 | 2006-10-31 | Silicon Valley Bank | Internal security system for a relational database system |
CN100555157C (en) * | 2001-10-01 | 2009-10-28 | 雅斯拓股份有限公司 | The method of the database in smart card and the visit smart card |
US20050043964A1 (en) * | 2001-10-11 | 2005-02-24 | Christian Thielscher | Data processing system for patent data |
US8261095B1 (en) | 2001-11-01 | 2012-09-04 | Google Inc. | Methods and systems for using derived user accounts |
US7305392B1 (en) * | 2001-11-02 | 2007-12-04 | Apex Innovations, Inc. | Multi-organizational project management system |
US8316051B1 (en) * | 2001-11-30 | 2012-11-20 | Oralce International Corporation | Techniques for adding multiple security policies to a database system |
US20030126464A1 (en) * | 2001-12-04 | 2003-07-03 | Mcdaniel Patrick D. | Method and system for determining and enforcing security policy in a communication session |
JP3696836B2 (en) * | 2002-01-31 | 2005-09-21 | ネクストウェア株式会社 | Personal information management system |
FI20020367A0 (en) * | 2002-02-26 | 2002-02-26 | Nokia Corp | Manage shared network node configuration |
US7191469B2 (en) * | 2002-05-13 | 2007-03-13 | Green Border Technologies | Methods and systems for providing a secure application environment using derived user accounts |
WO2003104954A2 (en) | 2002-06-06 | 2003-12-18 | Green Border Technologies | Methods and systems for implementing a secure application execution environment using derived user accounts for internet content |
US7058630B2 (en) * | 2002-08-12 | 2006-06-06 | International Business Machines Corporation | System and method for dynamically controlling access to a database |
US7062566B2 (en) * | 2002-10-24 | 2006-06-13 | 3Com Corporation | System and method for using virtual local area network tags with a virtual private network |
US7257834B1 (en) * | 2002-10-31 | 2007-08-14 | Sprint Communications Company L.P. | Security framework data scheme |
KR100514139B1 (en) * | 2002-11-30 | 2005-09-08 | 삼성에스디에스 주식회사 | Querying method of applying security function to ODBC and apparatus thereof |
US20040139043A1 (en) * | 2003-01-13 | 2004-07-15 | Oracle International Corporation | Attribute relevant access control policies |
US7873660B1 (en) | 2003-02-27 | 2011-01-18 | Oracle International Corporation | Enforcing data privacy aggregations |
US7966663B2 (en) * | 2003-05-20 | 2011-06-21 | United States Postal Service | Methods and systems for determining privacy requirements for an information resource |
US8046819B2 (en) * | 2003-05-20 | 2011-10-25 | United States Postal Service | Methods and systems for determining security requirements for an information resource |
RU2358409C2 (en) * | 2003-07-02 | 2009-06-10 | Конинклейке Филипс Электроникс Н.В. | Linking records of interactive television with applications |
WO2005008458A1 (en) * | 2003-07-11 | 2005-01-27 | Computer Associates Think, Inc. | System and method for providing java server page security |
KR100657554B1 (en) * | 2003-07-15 | 2006-12-13 | 김용규 | method of administering access to database |
US7310647B2 (en) * | 2003-12-24 | 2007-12-18 | Oracle International Corporation | Column masking of tables |
US7661141B2 (en) * | 2004-02-11 | 2010-02-09 | Microsoft Corporation | Systems and methods that optimize row level database security |
US7711750B1 (en) * | 2004-02-11 | 2010-05-04 | Microsoft Corporation | Systems and methods that specify row level database security |
US8825702B2 (en) * | 2004-02-24 | 2014-09-02 | Oracle International Corporation | Sending control information with database statement |
JP4471715B2 (en) * | 2004-04-14 | 2010-06-02 | 富士通株式会社 | Information processing method and computer system |
US7676453B2 (en) | 2004-04-22 | 2010-03-09 | Oracle International Corporation | Partial query caching |
US7860875B2 (en) * | 2004-05-26 | 2010-12-28 | International Business Machines Corporation | Method for modifying a query by use of an external system for managing assignment of user and data classifications |
US20050289342A1 (en) * | 2004-06-28 | 2005-12-29 | Oracle International Corporation | Column relevant data security label |
US7657925B2 (en) * | 2004-10-14 | 2010-02-02 | Oracle International Corporation | Method and system for managing security policies for databases in a distributed system |
GB0425857D0 (en) * | 2004-11-25 | 2004-12-29 | Ibm | A method and apparatus for controlling data access |
US7562092B2 (en) * | 2004-12-22 | 2009-07-14 | Microsoft Corporation | Secured views for a CRM database |
US7676470B2 (en) * | 2005-07-26 | 2010-03-09 | International Business Machines Corporation | Self discovering adaptive security system and method |
KR100765036B1 (en) * | 2005-12-26 | 2007-10-09 | 주식회사 포스코 | Joining method of high carbon steel for endless hot rolling |
US7730032B2 (en) | 2006-01-12 | 2010-06-01 | Oracle International Corporation | Efficient queriability of version histories in a repository |
US9229967B2 (en) * | 2006-02-22 | 2016-01-05 | Oracle International Corporation | Efficient processing of path related operations on data organized hierarchically in an RDBMS |
US10318752B2 (en) * | 2006-05-26 | 2019-06-11 | Oracle International Corporation | Techniques for efficient access control in a database system |
US20080120309A1 (en) * | 2006-11-17 | 2008-05-22 | Microsoft Corporation | Storing, maintaining and locating information |
CN100498792C (en) * | 2007-06-08 | 2009-06-10 | 北京神舟航天软件技术有限公司 | Autonomous access control method for row-level data of database table |
US20090024570A1 (en) * | 2007-07-20 | 2009-01-22 | Oracle Internatonal Corporation | User defined query rewrite mechanism |
ES2614640T3 (en) * | 2007-09-21 | 2017-06-01 | Telefonaktiebolaget Lm Ericsson (Publ) | Systems and methods for partial matching searches of encrypted retained data |
US8078595B2 (en) * | 2007-10-09 | 2011-12-13 | Oracle International Corporation | Secure normal forms |
US20090106295A1 (en) * | 2007-10-18 | 2009-04-23 | Ulf Hagmann | Simplified system setup |
US8874545B2 (en) * | 2007-10-19 | 2014-10-28 | Oracle International Corporation | Data source-independent search system architecture |
JP5200721B2 (en) * | 2008-07-16 | 2013-06-05 | 富士通株式会社 | Control method, control device, and program |
US9805123B2 (en) * | 2008-11-18 | 2017-10-31 | Excalibur Ip, Llc | System and method for data privacy in URL based context queries |
US8239396B2 (en) * | 2009-03-20 | 2012-08-07 | Oracle International Corporation | View mechanism for data security, privacy and utilization |
US8510334B2 (en) * | 2009-11-05 | 2013-08-13 | Oracle International Corporation | Lock manager on disk |
US9009135B2 (en) * | 2010-01-29 | 2015-04-14 | Oracle International Corporation | Method and apparatus for satisfying a search request using multiple search engines |
US10156954B2 (en) * | 2010-01-29 | 2018-12-18 | Oracle International Corporation | Collapsible search results |
US20110191333A1 (en) * | 2010-01-29 | 2011-08-04 | Oracle International Corporation | Subsequent Search Results |
US20120246150A1 (en) * | 2011-03-23 | 2012-09-27 | Raytheon Company | System and Method for Storing Data and Providing Multi-Level Access Thereto |
JP5787640B2 (en) * | 2011-06-24 | 2015-09-30 | キヤノン株式会社 | Authentication system, authentication method and program |
JP5930847B2 (en) * | 2011-06-29 | 2016-06-08 | キヤノン株式会社 | Server system, control method and program |
US20130117313A1 (en) | 2011-11-08 | 2013-05-09 | Microsoft Corporation | Access control framework |
CN103678242B (en) * | 2013-12-09 | 2017-07-21 | 腾讯科技(深圳)有限公司 | Subscriber data sending method and device |
AU2016219264A1 (en) * | 2015-02-11 | 2017-07-27 | Visa International Service Association | Increasing search ability of private, encrypted data |
US9619210B2 (en) | 2015-05-14 | 2017-04-11 | Walleye Software, LLC | Parsing and compiling data system queries |
US10621370B2 (en) | 2016-05-27 | 2020-04-14 | Intel Corporation | Methods and apparatus to provide group-based row-level security for big data platforms |
US10198469B1 (en) | 2017-08-24 | 2019-02-05 | Deephaven Data Labs Llc | Computer data system data source refreshing using an update propagation graph having a merged join listener |
WO2021002485A1 (en) * | 2019-07-01 | 2021-01-07 | (주)엘리바이저 | Database security device based on user identification via web application server |
US11868349B2 (en) | 2020-05-05 | 2024-01-09 | International Business Machines Corporation | Row secure table plan generation |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0398645A2 (en) * | 1989-05-15 | 1990-11-22 | International Business Machines Corporation | System for controlling access privileges |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5191611A (en) * | 1989-04-03 | 1993-03-02 | Lang Gerald S | Method and apparatus for protecting material on storage media and for transferring material on storage media to various recipients |
GB9126779D0 (en) * | 1991-12-17 | 1992-02-12 | Int Computers Ltd | Security mechanism for a computer system |
US5421011A (en) * | 1991-12-20 | 1995-05-30 | International Business Machines Corporation | Method and system for access and accounting control in a data processing system by using a single resource account for a user or a group of users |
US5446903A (en) * | 1993-05-04 | 1995-08-29 | International Business Machines Corporation | Method and apparatus for controlling access to data elements in a data processing system based on status of an industrial process by mapping user's security categories and industrial process steps |
-
1994
- 1994-02-16 GB GB9402935A patent/GB9402935D0/en active Pending
-
1995
- 1995-02-14 KR KR1019960704507A patent/KR970701387A/en not_active Application Discontinuation
- 1995-02-14 CN CN95191658A patent/CN1141091A/en not_active Withdrawn
- 1995-02-14 DK DK95908317T patent/DK0745238T3/en active
- 1995-02-14 WO PCT/GB1995/000305 patent/WO1995022792A1/en active IP Right Grant
- 1995-02-14 ES ES95908317T patent/ES2117405T3/en not_active Expired - Lifetime
- 1995-02-14 SG SG1996002665A patent/SG47531A1/en unknown
- 1995-02-14 CA CA002182592A patent/CA2182592C/en not_active Expired - Fee Related
- 1995-02-14 AU AU16680/95A patent/AU676428B2/en not_active Ceased
- 1995-02-14 US US08/693,293 patent/US5787428A/en not_active Expired - Lifetime
- 1995-02-14 EP EP95908317A patent/EP0745238B1/en not_active Expired - Lifetime
- 1995-02-14 JP JP7521653A patent/JPH09508995A/en not_active Withdrawn
- 1995-02-14 DE DE69502381T patent/DE69502381T2/en not_active Expired - Lifetime
- 1995-02-14 NZ NZ279523A patent/NZ279523A/en unknown
-
1998
- 1998-11-06 HK HK98111821A patent/HK1010802A1/en not_active IP Right Cessation
-
2006
- 2006-04-18 JP JP2006114510A patent/JP4130684B2/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0398645A2 (en) * | 1989-05-15 | 1990-11-22 | International Business Machines Corporation | System for controlling access privileges |
Non-Patent Citations (2)
Title |
---|
S.T.VINTER: "Extended Discretionary Access Controls", IEEE SYMPOSIUM ON SECURITY AND PRIVACY, OAKLAND, US;, pages 39 * |
W-P.LU ET AL: "A Model for Multilevel Security in Computer Networks", IEEE CONFERENCE ON COMPUTER COMMUNICATIONS, NEW ORLEANS, US;, pages 1095 * |
Cited By (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8402281B2 (en) | 1996-06-20 | 2013-03-19 | Protegrity Corporation | Data security system for a database |
US6430549B1 (en) | 1998-07-17 | 2002-08-06 | Electronic Data Systems Corporation | System and method for selectivety defining access to application features |
WO2000004435A1 (en) * | 1998-07-17 | 2000-01-27 | Electronic Data Systems Corporation | System and method for selectively defining access to application features |
KR100712569B1 (en) * | 1998-07-17 | 2007-05-02 | 일렉트로닉 데이타 시스템즈 코포레이션 | System and method for selectively defining accesss to application features |
KR100628426B1 (en) * | 1998-07-17 | 2006-09-28 | 일렉트로닉 데이타 시스템즈 코포레이션 | System and method for selectively defining accesss to application features |
US6578029B2 (en) | 1998-07-17 | 2003-06-10 | Electronic Data Systems Corporation | System and method for selectively defining access to application features |
AU757061B2 (en) * | 1998-07-17 | 2003-01-30 | Electronic Data Systems Corporation | System and method for selectively defining access to application features |
JP4590048B2 (en) * | 1998-10-02 | 2010-12-01 | テラデータ ユーエス インク | Database system |
US6275824B1 (en) | 1998-10-02 | 2001-08-14 | Ncr Corporation | System and method for managing data privacy in a database management system |
EP0990972A1 (en) * | 1998-10-02 | 2000-04-05 | Ncr International Inc. | System and method for managing data privacy in a database management system |
JP2000112796A (en) * | 1998-10-02 | 2000-04-21 | Ncr Internatl Inc | Method and system for managing data privacy in database management system |
JP4588142B2 (en) * | 1998-10-02 | 2010-11-24 | エヌシーアール インターナショナル インコーポレイテッド | Data management apparatus and method with improved privacy protection function |
JP2000293421A (en) * | 1998-10-02 | 2000-10-20 | Ncr Internatl Inc | Device and method for data management with improved privacy protecting function |
EP1089196A3 (en) * | 1999-10-01 | 2004-07-21 | Ncr International Inc. | System and method for managing data privacy in a database management system including a dependently connected privacy data mart |
JP2001154917A (en) * | 1999-10-01 | 2001-06-08 | Ncr Internatl Inc | Data management system in data base management system |
EP1089196A2 (en) * | 1999-10-01 | 2001-04-04 | Ncr International Inc. | System and method for managing data privacy in a database management system including a dependently connected privacy data mart |
JP4507147B2 (en) * | 1999-10-01 | 2010-07-21 | テラデータ ユーエス インク | Data management system in database management system |
GB2355323A (en) * | 1999-10-05 | 2001-04-18 | Authoriszor Ltd | Information security profile and policy system |
GB2355324B (en) * | 1999-10-05 | 2002-03-27 | Authoriszor Ltd | System and method for a virtual page publication system |
GB2355324A (en) * | 1999-10-05 | 2001-04-18 | Authoriszor Ltd | Transmitting protected information using a temporary file |
US7594266B2 (en) | 2001-11-23 | 2009-09-22 | Protegrity Corporation | Data security and intrusion detection |
US9514328B2 (en) | 2002-09-04 | 2016-12-06 | International Business Machines Corporation | Row-level security in a relational database management system |
US7464080B2 (en) | 2002-09-04 | 2008-12-09 | International Business Machines Corporation | Row-level security in a relational database management system |
US8478713B2 (en) | 2002-09-04 | 2013-07-02 | International Business Machines Corporation | Row-level security in a relational database management system |
US7155612B2 (en) | 2003-04-30 | 2006-12-26 | International Business Machines Corporation | Desktop database data administration tool with row level security |
US8443426B2 (en) | 2007-06-11 | 2013-05-14 | Protegrity Corporation | Method and system for preventing impersonation of a computer system user |
US8225106B2 (en) | 2008-04-02 | 2012-07-17 | Protegrity Corporation | Differential encryption utilizing trust modes |
CN107133528A (en) * | 2017-05-02 | 2017-09-05 | 山东浪潮通软信息科技有限公司 | The level of confidentiality protection implementation method and device of a kind of database purchase |
CN116186767A (en) * | 2023-01-12 | 2023-05-30 | 北京万里开源软件有限公司 | Method and device for marking row level in database |
CN116186767B (en) * | 2023-01-12 | 2023-10-03 | 北京万里开源软件有限公司 | Method and device for marking row level in database |
Also Published As
Publication number | Publication date |
---|---|
AU1668095A (en) | 1995-09-04 |
DE69502381T2 (en) | 1998-09-03 |
KR970701387A (en) | 1997-03-17 |
EP0745238B1 (en) | 1998-05-06 |
DK0745238T3 (en) | 1999-02-15 |
JP4130684B2 (en) | 2008-08-06 |
ES2117405T3 (en) | 1998-08-01 |
HK1010802A1 (en) | 1999-06-25 |
SG47531A1 (en) | 1998-04-17 |
NZ279523A (en) | 1997-01-29 |
CN1141091A (en) | 1997-01-22 |
CA2182592C (en) | 2000-05-30 |
GB9402935D0 (en) | 1994-04-06 |
JP2006277756A (en) | 2006-10-12 |
AU676428B2 (en) | 1997-03-06 |
DE69502381D1 (en) | 1998-06-10 |
EP0745238A1 (en) | 1996-12-04 |
US5787428A (en) | 1998-07-28 |
JPH09508995A (en) | 1997-09-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP0745238B1 (en) | A method and apparatus for controlling access to a database | |
KR100628426B1 (en) | System and method for selectively defining accesss to application features | |
US5905984A (en) | Computer-implemented control of access to atomic data items | |
JP2634117B2 (en) | Method and system for determining user access privileges for database objects | |
US5504886A (en) | System and method for applying user supplied relation definitions to application files for a relational database | |
US5845289A (en) | Methodology for generating object structures for accessing conventional, non-object-oriented business applications | |
JP4398371B2 (en) | How to control access to a relational database | |
US5448726A (en) | Data base management system with data dictionary cache including a single loadable object descriptor | |
US20090024652A1 (en) | Object relational mapping layer | |
US20050262169A1 (en) | Method and apparatus for synchronizing dataset object properties with underlying database structures | |
US5349663A (en) | System for representing hierarchical structures | |
AU2003200813B2 (en) | System and method for selectively defining access to application features | |
US20050108201A1 (en) | Method to query an embedded database | |
JP2002049641A (en) | Plural profile management device, management method, plural profile management program recording medium and plural profile management program | |
CA1316610C (en) | Shared file management in a network environment | |
Pierre et al. | GESOP: A relational data base using generalized arrays and data-base primitives | |
MXPA01000614A (en) | System and method for selectively defining access to application features | |
Allen et al. | ADO. NET Fundamentals |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 95191658.0 Country of ref document: CN |
|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AU CA CN JP KR NZ US |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 279523 Country of ref document: NZ |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2182592 Country of ref document: CA |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1995908317 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 08693293 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 1995908317 Country of ref document: EP |
|
WWG | Wipo information: grant in national office |
Ref document number: 1995908317 Country of ref document: EP |