Title of invention: RECORD LEVEL DATA SECURITY
Abstract: A database security system protects a data table at both the column level and the individual data record level. Access to data records within the data table is governed by categories assigned to data records, by user roles assigned to users, and by a set of security access tables. A first access table maps data record identifiers to data record categories, data record protection schemes, and corresponding scheme keys. A second access table maps user roles to data record categories. A third access table maps column identifiers to column protection schemes and corresponding scheme keys. A fourth access table maps user roles to column identifiers. If a user requests access to a data record, the security access tables are queried using the data record identifier, the associated column identifier, and the user roles associated with the user to determine if the user can access the requested data record.
Publication number: US2016210470(A1)  Publication date: 2016.07.21
Application number: US201614993949  Filing date: 2016.01.12
Applicant: Protegrity Corporation  Inventors: Rozenberg Yigal; Williamson David Clyde
Classification: G06F21/62; G06F17/30  Main classification: G06F21/62
Agency:  Agent:
Main claim: 1. A database security system, comprising: a database table comprising encoded data records organized into columns, each data record associated with a data record identifier, a column identifier, and one or more data record categories; a column identifier table mapping each column identifier to one or more column protection schemes used to encode the corresponding data column and to one or more corresponding keys used by the one or more column protection schemes; a column role table mapping user roles to one or more column identifiers; a record identifier table mapping each data record identifier to one or more data record categories, one or more data record protection schemes used to encode the corresponding data record, and one or more corresponding keys used by the data record protection schemes to encode the data record; a record role table mapping user roles to one or more data record categories; an input configured to receive a request from a user associated with one or more user roles for access to a data record; a data protection engine comprising one or more hardware processors and configured to: in response to a determination that at least one of the one or more user roles are mapped by the column role table to the column identifier associated with the requested data record, query the column identifier table to access the column protection schemes and corresponding keys, and decode the requested data record using the accessed column protection schemes and corresponding keys to produce an intermediate encoded data record; and in response to a determination that each of the one or more data record categories mapped to the data record identifier associated with the requested data record by the record identifier table are also mapped to one of the one or more user roles, query the record identifier table to access the data record protection schemes and corresponding keys and decode the intermediate encoded data record using the accessed data record protection schemes and corresponding keys to produce a decoded data record; and an output configured to provide the decoded data record to the user.
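The two-stage check of claim 1, sketched as an added illustration that is not code from the patent or the applicant. The role names, record and column identifiers, keys and the XOR stand-in scheme are constructed assumptions, and each column and record uses a single scheme for brevity.

```python
# Added illustration: toy model of the four access tables and two-stage decode.
# All identifiers, roles and keys below are constructed sample values.
from itertools import cycle

def xor(data: bytes, key: bytes) -> bytes:
    """Stand-in protection scheme (self-inverse); not a real cipher."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

SCHEMES = {"xor": xor}

# Column identifier table: column id -> (scheme, key)
COLUMN_ID = {"ssn": ("xor", b"col-key")}
# Column role table: role -> column ids
COLUMN_ROLE = {"hr": {"ssn"}, "auditor": {"ssn"}}
# Record identifier table: record id -> (categories, scheme, key)
RECORD_ID = {
    "r1": ({"employee"}, "xor", b"rec-key-1"),
    "r2": ({"employee", "executive"}, "xor", b"rec-key-2"),
}
# Record role table: role -> record categories
RECORD_ROLE = {"hr": {"employee"}, "board": {"executive"}}

def protect(record_id, column_id, plaintext):
    """Encode with the record scheme first, then the column scheme."""
    _, rs, rk = RECORD_ID[record_id]
    cs, ck = COLUMN_ID[column_id]
    return SCHEMES[cs](SCHEMES[rs](plaintext, rk), ck)

def access(roles, record_id, column_id, stored):
    """Return the decoded record, or None if either check fails."""
    # Column check: at least one user role is mapped to the column.
    if not any(column_id in COLUMN_ROLE.get(r, set()) for r in roles):
        return None
    cs, ck = COLUMN_ID[column_id]
    intermediate = SCHEMES[cs](stored, ck)  # still record-encoded
    # Record check: every category of the record is mapped to some user role.
    categories, rs, rk = RECORD_ID[record_id]
    granted = set().union(*(RECORD_ROLE.get(r, set()) for r in roles))
    if not categories <= granted:
        return None
    return SCHEMES[rs](intermediate, rk)
```

A role with column access but without every record category (here "auditor", or "hr" on record r2) is refused even though the column layer could be decoded.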
Address: Grand Cayman KY