-
Publication number: US10235531B2
Publication date: 2019-03-19
Application number: US15202498
Filing date: 2016-07-05
Applicant: SAP SE
Inventor: Meinolf Block, Christoph Hohner, Martin Schindewolf, Sascha Zorn
Abstract: Methods, systems, and apparatus, including computer program products, are provided for configuring access controls to a database. In one aspect there is provided a method. The method may include receiving, from a first user, a table declaration for creating a database table in a database; generating, based on the table declaration, the database table; receiving, from the first user, a specification of one or more access mechanisms that have a privilege to access the database table; receiving a designation of at least one column in the database table as a protected column and of one or more users (a second user) who have a privilege to access the content of the protected column; and providing control over access to the content of the protected column based at least in part on the specification of the one or more access mechanisms and the designation of the at least one column and the second user.
-
Publication number: US20180131517A1
Publication date: 2018-05-10
Application number: US15347431
Filing date: 2016-11-09
Applicant: SAP SE
Inventor: Meinolf Block, Christoph Hohner, Martin Schindewolf, Sascha Zorn
CPC classification number: H04L9/0894, G06F21/6227, H04L9/0891, H04L9/3226, H04L9/3236
Abstract: Embodiments manage access to cryptography keys for database data within a secure key store of a local key server owned by a new (security) operating system (OS) user separate from the original default OS user. Existing principles governing distinct OS user access privileges, ingrained within the OS itself, are leveraged to preclude the default OS user from accessing files of the new security OS user. Embodiments thus segregate the right to read secure cryptography keys of a secure key store from the right to administer the database installation at the OS level. While the original default OS user retains access to the encrypted data, the new security OS user now owns the cryptography key necessary to decrypt that database data. Thus, the default OS user is denied the information needed to unlock the database data, enhancing its security. Embodiments are particularly useful for promoting data security in cloud setups and multi-tenant databases.
-