| 发明名称 | Method and apparatus to support privileges at multiple levels of authentication using a constraining ACL | ||
| 摘要 | Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege. | ||
| 申请公布号 | US9471801(B2) | 申请公布日期 | 2016.10.18 |
| 申请号 | US200711947235 | 申请日期 | 2007.11.29 |
| 申请人 | ORACLE INTERNATIONAL CORPORATION | 发明人 | Idicula Sam;Keefe Thomas;Rafiq Mohammed Irfan;Ahmed Tanvir;Pesati Vikram;Agarwal Nipun |
| 分类号 | G06F21/62 | 主分类号 | G06F21/62 |
| 代理机构 | Park, Vaughan, Fleming & Dowler LLP | 代理人 | Yao Shun;Park, Vaughan, Fleming & Dowler LLP |
| 主权项 | 1. A method for using ACLs (access control lists) to determine user privileges in a database, the method comprising: authenticating, by a computer, a user using an authentication method selected from a plurality of authentication methods corresponding to a plurality of authentication levels; determining an authentication level of the selected authentication method, wherein the authentication level indicates a security strength of the selected authentication method, and wherein the authentication level corresponds to a user role associated with the user; identifying an entry in a constraining ACL based on the determined authentication level, wherein the entry in the constraining ACL specifies a global security policy that is specific to the determined authentication level and applies to all applications interacting with the database; receiving a request from the user to perform an operation on data; identifying a child ACL, which specifies the user's privileges; establishing a constraining inheritance relationship between the child ACL and the constraining ACL, which involves requiring a check of the constraining ACL whenever the child ACL is checked; and performing, by the computer, the operation on the data in response to determining that the operation is permitted based on the user role, the child ACL and the constraining ACL. | ||
| 地址 | Redwood Shores CA US | ||