Patent application number | Description | Published |
20090144804 | METHOD AND APPARATUS TO SUPPORT PRIVILEGES AT MULTIPLE LEVELS OF AUTHENTICATION USING A CONSTRAINING ACL - Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege. | 06-04-2009 |
20100281060 | TYPE SYSTEM FOR ACCESS CONTROL LISTS - A method and storage media for performing access resolution using ACL types is provided. Under an AND semantic, an intersection set formed from the types of multiple ACLs protecting a resource may be utilized to efficiently determine whether a request for a privilege to access the resource is granted or denied. If the privilege is not a member of the intersection set, the privilege cannot be granted. A union set may be used for an OR semantic. A global ACL type may represent all privileges system-wide or application-wide. A global ACL may represent a system-wide or application-wide access policy. A conjunction of a global ACL and a regular ACL may be stored in a cache. The union set, intersection set, or access resolution may also be cached for subsequent request processing. | 11-04-2010 |
20100306268 | SYSTEM AND METHOD FOR IMPLEMENTING EFFECTIVE DATE CONSTRAINTS IN A ROLE HIERARCHY - A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint. | 12-02-2010 |
20110023082 | TECHNIQUES FOR ENFORCING APPLICATION ENVIRONMENT BASED SECURITY POLICIES USING ROLE BASED ACCESS CONTROL - An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user. Further, such activations may occur in the context of establishing or maintaining a user session for a user of an application. | 01-27-2011 |
20110055918 | ACCESS CONTROL MODEL OF FUNCTION PRIVILEGES FOR ENTERPRISE-WIDE APPLICATIONS - Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource. | 03-03-2011 |
20130325841 | SQL TRANSFORMATION-BASED OPTIMIZATION TECHNIQUES FOR ENFORCEMENT OF DATA ACCESS CONTROL - Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations. | 12-05-2013 |