Title of invention: Computer relational database method and system having role based access control
Abstract: A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on user role, the security runtime subsystem automatically modifies the user query to filter out secure data for which the identified user is unauthorized to access but are part of the user query.
Publication number: US9058353(B2)  Publication date: 2015.06.16
Application number: US201113635300  Filing date: 2011.03.11
Applicant: VMware, Inc.  Inventors: Muller Leslie;Wasser Michael Morris;Maestro Alberto Arias
Classification: G06F17/30;G06F21/62  Main classification: G06F17/30
Agency:  Agent:
Main claim: 1. A method of controlling access to secured data, comprising: operatively coupling a repository to one or more databases storing secure data; storing, in a metamodel of the one or more databases, security information that qualifies which data objects are accessible by certain roles; employing the repository: intercepting a user query of one database of the one or more databases; automatically determining from the intercepted query, a user who generated the user query and a user role assigned to the user; parsing the intercepted query and identifying objects in the one database that are to be accessed as part of the user query; looking up security information of the identified objects in the metamodel and determine which identified objects to filter out of the user query; based on the determined user role and the identified objects to be filtered out of the user query, automatically building an expression tree to filter out secure data for which the user does not have access rights and modifying the user query by appending the expression tree to the user query to filter out secure data for which the user does not have access rights; and applying the modified query to the one database; using the repository to secure the security information in a database model; and enabling the security information to be dynamically adjustable at runtime.
Address: Palo Alto CA US