Control of database access using security/user tag correspondence

Data processing: database and file management or data structures – Database design – Data structure types

395186, G06F 1730
DESCRIPTION:

BRIEF SUMMARY
BACKGROUND OF THE INVENTION

1. Field of the Invention
This invention relates to a method and apparatus for controlling access to a database.
2. Related Art
In database systems it is usual for a number of users to be able to interact with the system and to utilise the database. Such systems are thus called multi-user systems. A problem occurs in such systems, where the database contains information or data which is in some way sensitive, that is to say, it should only be available for a certain user or a member of a certain class of user. Where this is so, a security policy is implemented to restrict the data available to the class of user.
An example of a database management system which supports multiple users is ORACLE (registered trademark of Oracle Corporation). ORACLE is a relational database management system. In a relational database, only one type of data structure exists and this is the table which is a two dimensional structure of rows and columns of data. A query language called Structured Query Language (SQL) may be used to access data in a database in a non-procedural way.
There are a number of ways in which a security policy has been implemented on database management systems. For example, in one method each class of user is provided with its own copy of that part of the data held in the central database to which it is appropriate for that class to have access. This method has been called the replication method because at least some of the data will exist in more than one copy. Clearly, such a method is very inefficient in terms of memory usage. Further, if one copy of the data is changed in some way by, for example, a user of a particular group updating a value, then a number of other copies of that data held by other groups will have to be updated. This will be time consuming, and the way in which the system is administered will have to be very precise to ensure that data is maintained in a consistent state if, for example, the system crashes.
In EP-A-0 398 645 there is described a system for controlling access privileges to an object-oriented database. In this system, each user is assigned a user identity and a set of group identities. Each object has an access list which provides access permissions. Each access control list has seven user or group identities.


SUMMARY OF THE INVENTION

According to one aspect of the present invention, there is provided a method of controlling access by a user to a database which comprises a set of data divided into sub-sets of data, said method comprising the steps of: assigning a single security tag to each sub-set of data in at least some of said sub-sets of data, assigning a user tag to an identifier for each user in a user table, assigning at least one security tag to each user tag in a security table, utilising the user table to obtain the user tag for the user, utilising the security table to obtain at least one security tag corresponding to the user tag, and permitting the user to access any sub-set of data having said at least one security tag.
With the present invention, it is possible to change the security policy by modification of the value in the security table alone without any need to reconfigure the database or to change the user tag associated with the user identifiers. A security tag may be a number or a character or other data entry.
With the method of this invention, a database has to have one copy only of the data which is shared by the users. This avoids at least some of the problems associated with the known replication methods. It should be noted that not all of the database needs to be configured for the sake of security. Some parts may be public and thus open to all users.
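The tag-correspondence scheme described above, as an added worked example that is not part of the patent text: a user table maps each user to a user tag, a security table maps user tags to security tags, and each protected row carries a single security tag, so the policy is changed by editing the security table alone. SQLite, the table and column names, and the sample rows are assumptions made for illustration.

```python
# Added example (not the patent's own code): the user-tag / security-tag
# correspondence modelled with SQLite. Table and column names are assumptions.
import sqlite3

SCHEMA = """
CREATE TABLE users    (user_name TEXT PRIMARY KEY, user_tag INTEGER NOT NULL);
CREATE TABLE security (user_tag INTEGER NOT NULL, security_tag INTEGER NOT NULL,
                       PRIMARY KEY (user_tag, security_tag));
-- One shared copy of the data; each row carries a single security tag.
-- A NULL security tag marks a public row, open to all users.
CREATE TABLE records  (id INTEGER PRIMARY KEY, payload TEXT, security_tag INTEGER);
"""

# Constructed sample data: two user classes; rows tagged 10, 20, 30 or public.
SAMPLE = {
    "users":    [("alice", 1), ("bob", 2)],
    "security": [(1, 10), (1, 20), (2, 20)],
    "records":  [(1, "public notice", None), (2, "payroll", 10),
                 (3, "project plan", 20), (4, "board minutes", 30)],
}

def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE["users"])
    con.executemany("INSERT INTO security VALUES (?, ?)", SAMPLE["security"])
    con.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE["records"])
    return con

def visible_records(con, user_name):
    """The method's steps as one query: user table -> user tag -> security
    tags -> every row whose tag is in that set (plus public rows).
    An unknown user name matches no user tag and so sees only public rows."""
    rows = con.execute(
        """SELECT r.id FROM records AS r
           WHERE r.security_tag IS NULL
              OR r.security_tag IN (
                   SELECT s.security_tag
                   FROM users AS u JOIN security AS s ON s.user_tag = u.user_tag
                   WHERE u.user_name = ?)
           ORDER BY r.id""",
        (user_name,)).fetchall()
    return [r[0] for r in rows]

def grant(con, user_tag, security_tag):
    """Policy change through the security table alone: no row is re-tagged
    and no user's tag changes."""
    con.execute("INSERT OR IGNORE INTO security VALUES (?, ?)",
                (user_tag, security_tag))
```

Because the filter is applied in the query itself, a user who is granted a new security tag gains the matching rows immediately, and a user whose tag set is reduced loses them, without touching the records table.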
According to another aspect of this invention, there is provided an apparatus for controlling access by a user to a database divided into sub-sets of data, said apparatus comprising means for assigning a single security tag to each sub-set of data in at least some of said sub-sets of data, means for assigning a

