Data processing: database and file management or data structures – Database design – Data structure types
Reexamination Certificate
2000-06-21
2003-06-17
Metjahic, Safet (Department: 2171)
Data processing: database and file management or data structures
Database design
Data structure types
C707S793000, C707S793000
Reexamination Certificate
active
06581060
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to methods and systems for allowing applications to directly access a relational database while protecting records in the database.
BACKGROUND OF THE INVENTION
Information management systems (IMS) typically use a relational database management system (RDBMS) to manage data records in a database. As an example, an IMS might manage document data, with the desire that some documents can be read by all users but only written to by a few. Many other high-level access rules can be enforced by the IMS. In any case, when a user wants to access the records of a document in the RDBMS, the user is routed through the IMS to first check for access control.
The documents themselves are broken down into records of various formats by the IMS and the records are stored in tabular form in the RDBMS, which can efficiently manage the records for querying using a language known as SQL. Only the IMS knows the high level access control rules. User applications must access the RDBMS indirectly, through the IMS, to ensure integrity and protection of data.
Unfortunately, as recognized herein requiring applications to access data indirectly, i.e., through the IMS, slows down performance. As stated above, however, with the current state of the art, applications cannot be permitted to access the RDBMS directly because this would bypass the access control functions of the IMS. Moreover, the present invention recognizes that RDBMS manage low level access protection for sets of homogeneously structured records, and not for individual entities. The IMS must enforce access protection rules at the entity (document) level.
As also recognized herein, some new applications, such as e-commerce applications, require heretofore unusual rules in the database context, namely, distribution rules (as opposed to access rules) that are related to content licensing. These licensing rules can and do change over time, so that a data system's protection rules advantageously should be extensible. The present invention recognizes that it would be desirable to allow a user to access an RDBMS directly, without first going through an IMS, while maintaining IMS access control and without requiring reengineering of the RDBMS to account for extensions of access control.
SUMMARY OF THE INVENTION
The invention is a general purpose computer programmed according to the inventive steps herein. The invention can also be embodied as an article of manufacture—a machine component—that is used by a digital processing apparatus and which tangibly embodies a program of instructions that are executable by the digital processing apparatus to undertake the present invention. This invention is realized in a critical machine component that causes a digital processing apparatus to perform the inventive method steps herein. The invention is also a computer-implemented method for undertaking the acts disclosed below.
Accordingly, a computer program product includes computer usable code means programmed with logic for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS. The program product includes computer readable code means for binding at least one RDBMS table using one or more access control list (ACL) codes representing the high level access control rules. Also, the logic includes computer readable code means for issuing a query from the application against an RDBMS view, and computer readable code means return the result of the query against the view.
In another aspect, a data system includes a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer. The method acts undertaken by the server computer include receiving a query, and receiving an access control output from at least one algorithm. In response to the query and the access control output, the computer populates a view for presentation thereof to the user. Thus, the view encapsulates the access control rules.
The system can include a database management system (DBMS), and the application directly communicates with the DBMS. In a particularly preferred embodiment, the method executed by the computer includes defining at least one view on at least one table in the database, and executing a query against the view using at least the access control output. The results of the query against the view are then returned.
As set forth in detail below, the access control output preferably is represented by at least one Access Authorization table (AAT), and the view is defined as a join between the AAT and the information table. The tables are joined using a join key, and the join key is at least one access control code binding the information table to the AAT. With this system, multiple rows of the information table can be bound to respective multiple access control rules, or all rows of the information table can be bound to a single set of access control rules.
In another aspect, a method is disclosed for enforcing at least one access control rule in a data system including at least one application accessing at least one information management system (IMS) associated with a database management system (DBMS). The method includes receiving a specification for IMS data schema and generating a DBMS view in response to the specification, with the view encapsulating the IMS access control rule. The view is then presented to a user via a direct communication path to the DBMS.
In still another aspect, a system includes at least one information management system (IMS), at least one application communicating with the IMS, and at least one relational database management system (RDBMS) communicating with the IMS. The application communicates directly with the RDBMS via at least one direct communication path that does not include the IMS.
In yet another aspect, a method is disclosed for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) that is associated with the IMS. The method includes providing at least one access authorization table (AAT). The AAT contains data representing high level access control rules. Also, the method includes providing at least one information table in the RDBMS, and in response to a query for data from the application, the AAT is joined with at least one information table to return a result in accordance with at least one of the high level access control rules.
In another aspect, a data system includes a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer. The method acts undertaken by the server computer include storing the database in a second system, such as but not limited to a DBMS and more particularly a RDBMS, and maintaining access control specifications that restrict access to data. The methods acts also include allowing a user to access data directly through the second system, and in response to the direct access by the user, causing the second system to enforce the access control specifications without intervention from the data system.
In a preferred implementation of this aspect, the user is an application. In one preferred embodiment the data system supports a data model that is different from a data model supported by the second system, whereby the access control specifications are not directly enforceable by a native access control capability of the second system.
As set forth in further detail below, the access control specifications preferably are stored in at least a first table in the RDBMS, and a RDBMS view is generated by joining a data table with the first table. The view can be used by the user for directly accessing data. Preferably, the view includes at least one UDF on the first table, with the UDF implementing the data system's access control model.
International Business Machines - Corporation
Metjahic Safet
Nguyen Cam-Linh
Rogitz John L.
LandOfFree
System and method for RDBMS to protect records in accordance... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with System and method for RDBMS to protect records in accordance..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and System and method for RDBMS to protect records in accordance... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3105057