WO2011097670A1 - Database access licence management - Google Patents
- Publication number: WO2011097670A1 (application PCT/AU2011/000127)
- Authority: WO, WIPO (PCT)
- Prior art keywords: database, user, procedure, licence, access
Classifications
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F16/217: Database tuning (under G06F16/21 Design, administration or maintenance of databases; G06F16/20 Information retrieval of structured data, e.g. relational data; G06F16/00 Information retrieval; Database structures therefor; File system structures therefor)
- G06F16/283: Multi-dimensional databases or data warehouses, e.g. MOLAP or ROLAP (under G06F16/28 Databases characterised by their database models, e.g. relational or object models; G06F16/20; G06F16/00)
- G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries (under G06F21/6218; G06F21/62 Protecting access to data via a platform; G06F21/60 Protecting data; G06F21/00)
Abstract
A computer executable method of managing access to an OLAP cube in which the database management system is modified by one or more of: Incorporating a licence check procedure as a stored procedure in the database; Using a connection event to trigger a licence verification of the user; Using connection strings to bind access to the database to a particular application; Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.
Description
DATABASE ACCESS LICENCE MANAGEMENT
This invention relates to modifying Database Management Systems (DBMS) to provide the scaffolding needed to license access to the database itself.
Background to the invention
Often significant IP is invested in the creation of databases that facilitate report writing relevant to a business. This is particularly acute in the case of OLAP databases, where knowledge of the business and of the reporting requirements is essential to an effective reporting system.
Most database vendors do not provide a way for 3rd parties to capture the value they create with the design and knowledge that goes into producing these databases and the reports they build on top of them.
USA patent 6506786 discloses a method of controlling access in which a service monitors the Analysis Services for connections and, if a licence limit is reached, the database is taken offline.
USA patent application 6904523 discloses the use of a licensing attribute certificate in enforcing access to a computer resource.
USA patent application 20090287704 discloses a security system for a data cube that operates on a per-user basis at the cell level and includes, in addition to dimension-level tables, cell security tables comprising a cell permission table and a cell qualifier table.
It is an object of this invention to provide a means of controlling access to databases and verifying a user's licence status.
Brief description of the invention
The present invention presents a range of mechanisms that allow database creators to license access to the valuable databases they have created on a per-user basis (typically referred to as client access licensing or CAL licensing), even though there is no explicit mechanism for doing so in the database management system (DBMS).
A database management system (DBMS), sometimes just called a database manager, is a program that lets one or more computer users create and access data in a database. The DBMS manages user requests (and requests from other programs) so that users and other programs are free from having to understand where the data is physically located on storage media and, in a multi-user system, who else may also be accessing the data. In handling user requests, the DBMS ensures the integrity of the data (that is, making sure it continues to be accessible and is consistently organized as intended) and security (making sure only those with access privileges can access the data).
To this end the present invention provides a method of managing access to a database in which the database management system is modified by one or more of:
a) Incorporating a licence check procedure as a stored procedure in the database
b) Using a connection event to trigger a licence verification of the user
c) Using connection strings to bind access to the database to a particular application
d) Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.
This invention utilizes one or more of the following aspects of a database management system, the preferred system being the Microsoft SQL Server DBMS and an OLAP cube database, to effect licensing.
Stored Procedures
Most database systems allow you to create custom queries that can be parameterized and saved for later use, called stored procedures. These procedures can then be called from other queries. Rather than performing standard query operations, the invention uses a custom stored procedure to perform license checks.
Connection Events
SQL Server 2008 allows you to trigger custom behaviours in response to new connections being established. The invention can respond to these events by performing a license check and refusing the connection by throwing an exception if the license check does not pass.
Connection Strings
In some instances it might be desirable to bind access to the database to a particular application. Tokens can be inserted into the connection string by the application which can then be checked by another method inside the DBMS.
Cell Calculations
Normally used to modify numerical results from a database query, the invention creates a "root" cell calculation that applies to all cells (data) in a cube. Rather than performing an arithmetical operation, the cell calculation calls out to a custom stored procedure to perform a license check. If the check succeeds, it returns the cell values unchanged. If it fails, it returns an error message, rather than the data itself.
Detailed description of the invention
In this invention the method performs a license check by hooking into connection request events and calling a custom stored procedure. If the check fails, the connection is refused.
This procedure is illustrated in Figure 1.
The license itself is stored in an encrypted annotation in the database.
Detailed Example
The preferred embodiment is described with reference to the Microsoft SQL Server 2008 DBMS.
The Cube Wizard tool which creates the OLAP databases inserts special codes and structures necessary to perform the licensing checks. These include:

Component | Description | Purpose |
---|---|---|
License information | restriction in the cube | License restrictions to enforce |
AS Assembly | An assembly on the Analysis Services Server | Performs license checks and creates calculations for the MDX script to use |
A .NET assembly which contains special stored procedures is registered with the Analysis Services server; it uses the Personalization Extensions feature of SQL Server 2008 to handle login and logout events. A stored procedure in the assembly reads the encrypted license information from the cube and verifies that all the specified restrictions are complied with. These restriction types typically include:

Restriction | How it is enforced |
---|---|
Number of concurrent sessions per user (used to stop a single user account being used on behalf of many users) | A count is kept against each user, which is incremented when they log in and decremented when they log out. This is |
Restricting Cube Access and Communicating With Users Through Generated Results
One of the key innovations of the present invention is the manner in which it utilizes existing mechanisms of the underlying databases themselves or their host DBMS in order to restrict access or communicate with the end user, regardless of the reporting application they are using.
Calculated Members
If there are any license errors, a calculated member containing the error message is created just for this user. The message is then displayed in that user's view of the data in whatever application they are using, without affecting other users. So rather than seeing the data they were expecting, each table cell entry will contain the message chosen by the licensing system.
On the other hand, if the license check was successful, then a special success calculated member is created for that user.
Cell Calculations
The SQL Server OLAP cube is created with a special script that applies to all cells (elements of data returned). Through this hook, we can perform the license checks and modify the results returned to the user. It references the calculated members just created by our stored procedure above in the following logic:
```
IF success calculation exists THEN
    display data
ELSE IF error calculation exists THEN
    display error calculation
ELSE
    display licensing installation error
END IF
```
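As an added example (not code from the patent or its .NET assembly), the following Python model ties together the login/logout session counter, the per-user calculated member and the cell-calculation logic above. The licence annotation is protected with an HMAC rather than the encryption the page describes, and the key, user names and message texts are constructed for the demo.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key: the real key would live with the cube wizard / assembly, not in the cube.
SECRET = b"constructed-demo-key"


def seal_licence(licence: dict) -> str:
    """Store the licence as a signed annotation (HMAC stands in for the page's encryption)."""
    body = json.dumps(licence, sort_keys=True)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def open_licence(annotation: str) -> Optional[dict]:
    """Return the licence dict, or None if the annotation was altered or is missing its tag."""
    body, _, tag = annotation.rpartition(".")
    expect = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(tag, expect) else None


@dataclass
class Cube:
    annotation: Optional[str]                     # None models a cube whose licensing parts were stripped
    sessions: dict = field(default_factory=dict)  # per-user concurrent-session counter
    members: dict = field(default_factory=dict)   # per-user calculated member: ("success",) or ("error", msg)

    def on_login(self, user: str) -> None:
        """Login event hook: verify the restrictions and create this user's calculated member."""
        lic = open_licence(self.annotation) if self.annotation else None
        if lic is None:
            self.members.pop(user, None)          # no member at all -> installation error in cell()
            return
        self.sessions[user] = self.sessions.get(user, 0) + 1
        if user not in lic["users"]:
            self.members[user] = ("error", f"User {user} is not licensed for this cube")
        elif self.sessions[user] > lic["max_sessions_per_user"]:
            self.members[user] = ("error", "Concurrent session limit exceeded")
        else:
            self.members[user] = ("success",)

    def on_logout(self, user: str) -> None:
        """Logout event hook: release the session and drop the per-user member."""
        if self.sessions.get(user, 0) > 0:
            self.sessions[user] -= 1
        self.members.pop(user, None)

    def cell(self, user: str, value):
        """Root cell calculation: the IF / ELSE IF / ELSE logic of the MDX script."""
        member = self.members.get(user)
        if member is None:
            return "licensing installation error"
        if member[0] == "success":
            return value
        return member[1]
```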
Counter-Hack
For a licensing system to be effective, it is important that it not be trivial to circumvent. The special scripts and modifications made by the OLAP database generation tool could be manually removed at a later date provided the person trying to circumvent the system knew what to look for.
The cube has a hidden MDX script which will generate an error if the required stored procedures are not installed on the server.
If these mechanisms are removed, the data will quickly become stale and it will be necessary to run the Cube creation Wizard again. That process ensures all licensing components exist on every run, so the circumvention would need to be repeated every time the wizard runs, which is usually at least daily. The labour involved acts as an obvious deterrent to unauthorised access.
Another method is illustrated in Figure 2.
Not all DBMS provide a hook for connection events. In these cases (e.g. Microsoft SQL Server 2005), another approach is required.
A third approach restricts access to the database indirectly by restricting access to the database to a specific application, and the licensing of that application in turn decides which users can access the database.
It uses both the connection strings used to connect to the cubes, and cell calculations used inside the cube.
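As an added example (not the patent's own code), the following Python model shows the third approach: the licensed application mints a token bound to itself, the user and an expiry, places it in the connection string, and a cube-side check returns the data only when the token verifies. The CustomData connection-string property is used as the carrier, the application identifier, secret and messages are constructed, and the HMAC construction is an assumption, not something the page specifies.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo secret shared by the licensed application and the cube's stored procedure.
APP_SECRET = b"constructed-app-secret"
LICENSED_APP = "ReportApp"   # hypothetical identifier of the one application allowed to connect


def issue_token(user: str, app_id: str, now: int, ttl: int = 3600) -> str:
    """Application side: after its own licence check passes, mint a token bound to app, user and expiry."""
    msg = f"{app_id}|{user}|{now + ttl}"
    tag = hmac.new(APP_SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def build_connection_string(server: str, cube: str, token: str) -> str:
    """Carry the token in a connection-string property the cube-side code can read."""
    return f"Provider=MSOLAP;Data Source={server};Initial Catalog={cube};CustomData={token}"


def parse_connection_string(conn: str) -> dict:
    return dict(part.split("=", 1) for part in conn.split(";") if "=" in part)


def verify_token(token: str, conn_user: str, now: int) -> Optional[str]:
    """Cube side: None when the token is valid, otherwise the message the cell calculation returns."""
    parts = token.split("|")
    if len(parts) != 4:
        return "Malformed licence token"
    app_id, user, exp, tag = parts
    expect = hmac.new(APP_SECRET, f"{app_id}|{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect):       # check the MAC before trusting any field
        return "Licence token signature invalid"
    if app_id != LICENSED_APP:
        return "Access is restricted to the licensed application"
    if user != conn_user:                          # the token must belong to the connecting user
        return "Licence token issued to a different user"
    if now >= int(exp):
        return "Licence token has expired"
    return None


def cell_calculation(conn: str, conn_user: str, now: int, value):
    """Root cell calculation: return the data only when the connection carries a valid token."""
    token = parse_connection_string(conn).get("CustomData")
    if token is None:
        return "No licence token in connection string"
    err = verify_token(token, conn_user, now)
    return value if err is None else err
```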
From the above, those skilled in the art will realise that this invention provides a unique way of allowing a third-party-created cube or database to be licensed without having to alter the application that runs the query. Those skilled in the art will also realise that this invention may be implemented in embodiments other than those described.
Claims
1. A computer executable method of managing access to a database in which the database management system is modified by one or more of:
a) Incorporating a licence check procedure as a stored procedure in the database
b) Using a connection event to trigger a licence verification of the user
c) Using connection strings to bind access to the database to a particular application
d) Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.
2. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database and a connection event triggers the database to run the stored procedure to verify the user.
3. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database and modifies a cell calculation to trigger a stored procedure and the application that is used to request data includes a routine that verifies that the user is licensed and generates a token which is incorporated into the connection string and when the request is made the cell calculation verifies the token in the connection string.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2010900507A0 (en) | 2010-02-09 | 2010-02-09 | Database Access Licence Management |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011097670A1 true WO2011097670A1 (en) | 2011-08-18 |
Family
ID=44367051
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/AU2011/000127 WO2011097670A1 (en) | 2010-02-09 | 2011-02-08 | Database access licence management |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2011097670A1 (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010011253A1 (en) * | 1998-08-04 | 2001-08-02 | Christopher D. Coley | Automated system for management of licensed software |
US20050086213A1 (en) * | 2003-10-16 | 2005-04-21 | Fuji Xerox Co., Ltd. | Server apparatus, information providing method and program product therefor |
US6898707B1 (en) * | 1999-11-30 | 2005-05-24 | Accela, Inc. | Integrating a digital signature service into a database |
US20060064387A1 (en) * | 2004-09-22 | 2006-03-23 | Siemens Information And Communication Networks, Inc. | Systems and methods for software licensing |
US20060224522A1 (en) * | 2005-04-01 | 2006-10-05 | Schlumberger Technology Corporation | Method and system for database licensing |
CA2674332A1 (en) * | 2008-08-01 | 2010-02-01 | Simba Technologies Inc. | Method and system for using queries for multidimensional databases with databases of other types |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110740122A (en) * | 2019-09-11 | 2020-01-31 | 苏宁云计算有限公司 | method and device for improving data warehouse security |
CN110740122B (en) * | 2019-09-11 | 2022-06-07 | 苏宁云计算有限公司 | Method and device for improving safety of data warehouse |
Legal Events

Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11741745; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 11741745; Country of ref document: EP; Kind code of ref document: A1 |