Fine-grained access control for data manipulation language (DML) operations on relational data

    Publication (Announcement) No.: US10303894B2

    Publication (Announcement) Date: 2019-05-28

    Application No.: US15253608

    Application Date: 2016-08-31

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    Optimized enforcement of fine grained access control on data

    Publication (Announcement) No.: US10102355B2

    Publication (Announcement) Date: 2018-10-16

    Application No.: US14313872

    Application Date: 2014-06-24

    Abstract: Techniques for efficient cursor sharing to enforce fine-grained access control are provided. In one technique, the authorization context of a database statement is stored in (or in association with) a corresponding cursor. The authorization context indicates multiple authorization results, each of which indicates whether a user (or role) associated with the database statement is allowed to access a different data set of multiple data sets that the database statement targets. An authorization context of an incoming database statement may be compared to the authorization context of a cursor in a single comparison to determine whether the authorization contexts match. If so, then the cursor may be shared. In another technique, one or more normalizations are applied to a cursor predicate that is generated based on the authorization context of a database statement. The one or more normalizations may result in removing one or more predicates from the cursor predicate.

    FINE-GRAINED ACCESS CONTROL FOR DATA MANIPULATION LANGUAGE (DML) OPERATIONS ON RELATIONAL DATA

    Publication (Announcement) No.: US20180060603A1

    Publication (Announcement) Date: 2018-03-01

    Application No.: US15253608

    Application Date: 2016-08-31

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    OPTIMIZED ENFORCEMENT OF FINE GRAINED ACCESS CONTROL ON DATA
    Invention application, status: under examination, published

    Publication (Announcement) No.: US20150371018A1

    Publication (Announcement) Date: 2015-12-24

    Application No.: US14313872

    Application Date: 2014-06-24

    Abstract: Techniques for efficient cursor sharing to enforce fine-grained access control are provided. In one technique, the authorization context of a database statement is stored in (or in association with) a corresponding cursor. The authorization context indicates multiple authorization results, each of which indicates whether a user (or role) associated with the database statement is allowed to access a different data set of multiple data sets that the database statement targets. An authorization context of an incoming database statement may be compared to the authorization context of a cursor in a single comparison to determine whether the authorization contexts match. If so, then the cursor may be shared. In another technique, one or more normalizations are applied to a cursor predicate that is generated based on the authorization context of a database statement. The one or more normalizations may result in removing one or more predicates from the cursor predicate.

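
    The cursor-sharing and predicate-normalization ideas in this abstract (which is repeated for the granted patent US10102355B2 above), as an added Python illustration. It is not the patented implementation or any vendor's code: the roles, the three data realms, the cache layout and the predicate syntax are all constructed for the example.

```python
"""Toy model of cursor sharing keyed on an authorization context, plus the predicate
normalization described in the abstract above. Roles, realms and the cache are
constructed for illustration; this is not the patented implementation."""

# Constructed: the statement targets one table split into three data sets (realms).
REALMS = ("sales", "eng", "finance")

# Constructed role -> realms that role is authorized to read.
ROLE_REALMS = {
    "sales_mgr": {"sales"},
    "sales_analyst": {"sales"},
    "exec": {"sales", "eng", "finance"},
    "auditor": {"sales", "eng", "finance"},
    "intern": set(),
}


def authorization_context(role, realms=REALMS):
    """One authorization result per targeted data set, packed into a tuple so two
    contexts can be compared (or hashed) in a single operation."""
    allowed = ROLE_REALMS.get(role, set())
    return tuple(realm in allowed for realm in realms)


def build_predicate(ctx, realms=REALMS):
    """Generate the cursor predicate from the context, then normalize it.
    Normalization removes predicates that add nothing: all data sets authorized
    means no filter at all (None); none authorized collapses to a constant-false."""
    preds = [f"realm = '{realm}'" for realm, ok in zip(realms, ctx) if ok]
    if all(ctx):
        return None
    if not preds:
        return "1 = 0"
    return " OR ".join(preds)


class CursorCache:
    """Shared-cursor cache keyed by (statement text, authorization context)."""

    def __init__(self):
        self.cursors = {}
        self.compiles = 0

    def lookup(self, sql, role):
        """Return (cursor, shared). The tuple key makes the context match a single
        hash/equality comparison rather than a per-data-set privilege re-check."""
        ctx = authorization_context(role)
        key = (sql, ctx)
        if key in self.cursors:
            return self.cursors[key], True
        self.compiles += 1  # hard parse: build and cache a new cursor
        self.cursors[key] = {"sql": sql, "ctx": ctx, "predicate": build_predicate(ctx)}
        return self.cursors[key], False


def demo():
    """Five roles, three distinct authorization contexts: only three cursors compiled."""
    cache = CursorCache()
    sql = "SELECT order_id, amount FROM orders"
    roles = ("sales_mgr", "sales_analyst", "exec", "auditor", "intern")
    shared = {role: cache.lookup(sql, role)[1] for role in roles}
    predicates = {role: cache.lookup(sql, role)[0]["predicate"]
                  for role in ("sales_mgr", "exec", "intern")}
    return shared, predicates, cache.compiles


if __name__ == "__main__":
    print(demo())
```

    The point of keying on the context rather than the role is visible in `demo()`: sales_mgr and sales_analyst are different principals but produce the same tuple of authorization results, so the second one shares the first one's cursor, while the fully authorized exec/auditor context normalizes to no predicate at all and the intern context to a constant-false filter.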

    Fine-grained access control for data manipulation language (DML) operations on relational data

    Publication (Announcement) No.: US11386221B2

    Publication (Announcement) Date: 2022-07-12

    Application No.: US16384283

    Application Date: 2019-04-15

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.

    FINE-GRAINED ACCESS CONTROL FOR DATA MANIPULATION LANGUAGE (DML) OPERATIONS ON RELATIONAL DATA

    Publication (Announcement) No.: US20190243987A1

    Publication (Announcement) Date: 2019-08-08

    Application No.: US16384283

    Application Date: 2019-04-15

    Abstract: Embodiments allow, within database security policies, the grant of data change operation-specific privileges to particular users to be applied within particular data realms in a given table. Furthermore, according to one or more embodiments, User Privilege column-level privileges are explicitly associated with one or more data access operations such that the grant of such a column-level privilege allows the user to perform only those data access operations that are explicitly associated with the column-level privilege. Enforcement of the data security policies includes prevention of data leakage via WHERE and RETURNING INTO clauses. According to one or more embodiments, a two-phase rewrite is used to optimize enforcement of column-level privileges. During the two-phase rewrite of a given query, the privileges checked during enforcement of the User Privilege data security policies are pruned to avoid unnecessary privilege checks given the columns that are accessed in the query.
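
    The enforcement model described in this abstract (which is repeated for each member of the family above: US10303894B2, US20180060603A1, US11386221B2 and this application), as an added Python illustration. It is not code from the patent or its assignee: the employee table, the `dept` realm column, the `hr_sales` user, the grant shapes and the statement representation are all constructed for the example. The toy checks three things the abstract names: operation-specific privileges scoped to a data realm, column privileges tied to specific operations, and the SELECT requirement on columns referenced in WHERE or RETURNING INTO so that an UPDATE cannot be used to probe or read a column the user may only write.

```python
"""Toy enforcement model for realm-scoped, operation-specific privileges with
column privileges tied to operations, WHERE/RETURNING INTO leakage checks and
pruning of unneeded checks. Table, policy and statement shape are constructed."""
from dataclasses import dataclass, field
from typing import Callable

SELECT, INSERT, UPDATE, DELETE = "SELECT", "INSERT", "UPDATE", "DELETE"

# Constructed sample table; the 'dept' column defines the data realms.
EMPLOYEES = [
    {"id": 1, "name": "ana", "dept": "sales", "salary": 100},
    {"id": 2, "name": "bo", "dept": "sales", "salary": 120},
    {"id": 3, "name": "cy", "dept": "eng", "salary": 150},
]

@dataclass(frozen=True)
class RealmGrant:
    """Operation-specific privilege that applies only to rows in one realm."""
    ops: frozenset
    realm: str

@dataclass(frozen=True)
class ColumnGrant:
    """Column-level privilege explicitly associated with the operations it permits."""
    column: str
    ops: frozenset

@dataclass
class Policy:
    realm_grants: dict = field(default_factory=dict)   # user -> [RealmGrant]
    column_grants: dict = field(default_factory=dict)  # user -> [ColumnGrant]

    def realm_ok(self, user, op, row):
        return any(op in g.ops and row["dept"] == g.realm
                   for g in self.realm_grants.get(user, []))

    def column_ok(self, user, op, column):
        return any(op in g.ops and g.column == column
                   for g in self.column_grants.get(user, []))

@dataclass
class Statement:
    op: str
    set_cols: tuple = ()        # columns written by UPDATE/INSERT
    where_cols: tuple = ()      # columns referenced in WHERE
    returning_cols: tuple = ()  # columns referenced in RETURNING INTO
    where: Callable = lambda row: True

def required_checks(stmt):
    """Phase 1 of the two-phase rewrite: collect only the (column, operation) checks
    the statement needs. Columns it never references are never checked."""
    checks = {(c, stmt.op) for c in stmt.set_cols}
    # A WHERE or RETURNING INTO reference discloses the column's value, so it needs
    # SELECT on that column even though the statement is an UPDATE or DELETE.
    checks |= {(c, SELECT) for c in stmt.where_cols + stmt.returning_cols}
    return checks

def authorize(policy, user, stmt, table):
    """Phase 2: run the pruned column checks, then restrict the rows to the user's
    realm for this operation. Returns (allowed, affected_row_ids, denied_checks)."""
    denied = sorted(c for c in required_checks(stmt)
                    if not policy.column_ok(user, c[1], c[0]))
    if denied:
        return False, [], denied
    rows = [r for r in table if stmt.where(r) and policy.realm_ok(user, stmt.op, r)]
    return True, [r["id"] for r in rows], []

def demo():
    """hr_sales may UPDATE salary and SELECT name/dept, only within the sales realm."""
    policy = Policy(
        realm_grants={"hr_sales": [RealmGrant(frozenset({SELECT, UPDATE}), "sales")]},
        column_grants={"hr_sales": [ColumnGrant("salary", frozenset({UPDATE})),
                                    ColumnGrant("dept", frozenset({SELECT})),
                                    ColumnGrant("name", frozenset({SELECT}))]},
    )
    raise_pay = Statement(UPDATE, set_cols=("salary",), where_cols=("dept",),
                          where=lambda r: r["dept"] == "sales")
    probe = Statement(UPDATE, set_cols=("salary",), where_cols=("salary",),
                      where=lambda r: r["salary"] > 110)
    leak = Statement(UPDATE, set_cols=("salary",), where_cols=("dept",),
                     returning_cols=("salary",), where=lambda r: r["dept"] == "sales")
    purge = Statement(DELETE, where_cols=("dept",), where=lambda r: r["dept"] == "sales")
    return {
        "update_in_realm": authorize(policy, "hr_sales", raise_pay, EMPLOYEES),
        "probe_salary_via_where": authorize(policy, "hr_sales", probe, EMPLOYEES),
        "leak_salary_via_returning": authorize(policy, "hr_sales", leak, EMPLOYEES),
        "delete_without_grant": authorize(policy, "hr_sales", purge, EMPLOYEES),
        "pruned_checks": required_checks(raise_pay),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    In `demo()` the legitimate raise succeeds and touches only the two sales rows (the eng row is outside the realm, so the realm filter silently excludes it), while the two statements that reference `salary` in WHERE or RETURNING INTO are refused because the user holds only UPDATE, not SELECT, on that column. The DELETE passes its column checks but affects no rows, since the realm grant does not list DELETE. `required_checks` shows the pruning: the raise needs exactly two privilege checks, not one per column per operation.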
