CN100351791C - Techniques for supporting application-specific access controls with a separate server - Google Patents


Publication number: CN100351791C (other version: CN1717656A)
Authority: CN (China)
Application number: CNB2003801044295A
Original language: Chinese (zh)
Inventors: 萨姆·伊迪库拉, 尼普恩·阿加瓦尔, 拉维·默西
Assignee (original and current): Oracle International Corp
Legal status: Expired - Lifetime
Prior art keywords: privilege, data, application program, user, application
Abstract

Techniques for supporting access controls on application-specific operations performed by an application include receiving first data at a server distinct from the application. The first data describes a first set of privileges for performing a first set of application-specific operations. Second data is also received at the server. The second data associates a first user of the application with a privilege in the first set of privileges. In response to receiving a request at the server from the application, it is determined whether a particular user may have the application perform a particular application-specific operation based on the first data and the second data. The request indicates the particular user and the particular application-specific operation. A response is sent to the application. The response indicates whether the particular user may have the application perform the particular application-specific operation.

Description

Method for controlling the execution of application-specific operations defined by an application
Technical field
The present invention relates to controlling user access to the operations of an application program, and in particular to controlling access to a user's application operations with a server that is distinct from the application.
Background technology
The client-server model of interaction between computer processes is widely used. In the client-server model, a client process sends a message containing a request to a server process, and the server process responds by providing a service. The server process may also return a message carrying the response to the client process. Client and server processes often run on different computer devices (called hosts) and communicate over a network using one or more network communication protocols.
The term "server" commonly refers either to the process that provides the service or to the host computer on which that process runs. Similarly, the term "client" commonly refers either to the process that makes the request or to the host computer on which that process runs. Unless the context indicates otherwise, the terms "client" and "server" are used herein to refer to processes rather than host computers.
A database server provides database services in response to requests from database clients. For example, the database server writes data received in a request into one or more data containers in a particular database managed by the database server; or it retrieves data from one or more containers that satisfy conditions specified in the request; or both. In many cases the database client is a middle-tier application, distinct from the database server, that performs other services, such as accounting, for one or more application users. The application itself may be arranged for client-server operation, with application users making requests of an application server through application clients.
Not all users of a database server are authorized to access all the data in all the database objects managed by the database server. Therefore, a database server usually performs access control that governs users' access to the data in the databases it manages. Multiple access control mechanisms are known. For example, the unified access control mechanism described in Murthy provides access control over data content, whether that content is organized for database users in a hierarchy of storage containers, in a relational database as tables of rows, or both.
Access control is often based on privileges to perform database operations: each user is associated with a set of one or more privileges over particular data items among the many data items in a database. For example, basic privileges are defined for performing basic database operations, such as reading, inserting or deleting data residing in data items within database objects such as tables, and for creating, modifying or deleting the database objects themselves.
A privilege to perform a basic database operation is associated with a particular level among the several levels of a database. The levels of a database include, for example, the data item level, the level of database objects that contain multiple data items, the level of nodes in a hierarchy of database objects, and the level of a parent node of several descendant nodes of database objects. When a privilege is associated with a particular level, the privilege applies to all items at that level.
In some database management systems (DBMSs), a hierarchy of privileges can be defined, in which each node of the hierarchy represents a privilege to perform a particular combination of basic operations at one or more database levels. To support such a hierarchy of privileges, the database server in some DBMSs provides infrastructure for describing the privileges, for associating users and data items with privileges, and for efficiently storing and retrieving privilege information in a high-speed memory cache, so that it can quickly determine whether a database user may perform a requested database operation on the requested data item or database object.
The infrastructure supporting access control based on privileges to perform database operations provides access control at the granularity of database operations. However, when access must be controlled according to operations defined by the application that uses the database, the ability to provide access control at the granularity of database operations is not especially useful. Such operations are referred to herein as "application-specific" operations.
For example, in an application that manages purchase orders for an enterprise, the application-specific operations include: creating a new purchase order, approving a purchase order, issuing a purchase order to make a purchase, associating an invoice with a particular purchase order, acknowledging receipt of the goods ordered under a purchase order, and closing a purchase order by paying the associated invoice. If particular users of the application are to be given the privilege to perform some of these application-specific operations but not others, then access control must be provided at the granularity of application-specific operations. Because this level of granularity of access control is not provided by the database server, the developer of each application that uses privileges on application-specific operations must design and implement access control software that manages the different privileges of different users.
There are several disadvantages to developing access control software for each application. One disadvantage is that the cost of developing the application increases, because resources are consumed producing the software that performs access control. The more sophisticated the access control, the higher the development cost; conversely, the less is spent on developing access control, the simpler the access control that is implemented. Another disadvantage is that access control developed for a new application is usually not as efficient as access control that has been developed over many years on some systems and servers. For example, some database servers have evolved access control that uses minimal computational resources, including efficient caching of the data that indicates user privileges.
In addition, an administrator of multiple applications with independently developed access control mechanisms may have to cope with distinct interfaces for representing the hierarchy of privileges and for expressing the relationships between application users who hold those privileges and the data items. If the same access control infrastructure could be used across multiple applications, the administrator of those applications could more easily enter the information relating users and data items to privileges, with less effort and fewer mistakes.
Based on the foregoing, there is a clear need for an efficient access control mechanism that the database server can apply to database applications. More generally, there is a need for sophisticated and efficient access control mechanisms, implemented in a separate server, that can be applied to any application.
The approaches described in this section could be pursued, but are not necessarily approaches that have previously been conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not to be considered prior art to the claims of this application merely by virtue of their inclusion in this background section.
Description of drawings
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings, in which like reference numerals refer to similar elements, and in which:
Fig. 1 is a block diagram illustrating an example hierarchy of privileges for performing application-specific operations;
Fig. 2 is a block diagram illustrating a system for supporting access control on application-specific operations with a separate database server, according to an embodiment;
Fig. 3 is a flow diagram illustrating an embodiment of a method for supporting access control on application-specific operations with a separate server, according to an embodiment; and
Fig. 4 is a block diagram illustrating a computer system on which an embodiment of the invention may be implemented.
Embodiment
A method and apparatus for supporting access control on application-specific operations using a separate database server are described. In the following description, for purposes of explanation, numerous specific details are set forth to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form to avoid unnecessarily obscuring the present invention.
Particular embodiments are described below in the context of a database server and an application that is a database client. In this context, the application uses the database server not only to store data for the application, but also to support access control on operations that are not database operations but are operations specific to the application. Embodiments of the invention are not limited to this context; they may include any application that relies on any separate server to support access control on application-specific operations. Although the application and the server are separate processes, in some embodiments both may execute on the same host.
According to one embodiment, access control on application-specific operations is implemented by an application sending to a server data that describes a first hierarchy of privileges for performing a first set of application-specific operations. The application also sends to the server data that associates a first user of the application with a privilege in the first hierarchy of privileges. To determine whether a particular user is allowed to perform a particular application-specific operation, the application sends a request to the server. The request indicates the particular user and the particular application-specific operation. In response to receiving the request, the server determines, based on the data previously received from the application, whether the particular user may have the application perform the particular application-specific operation. A response is sent to the application. The response indicates whether the particular user may have the application perform the particular application-specific operation.
In some embodiments of these techniques, the data sent by the application to the server associates the first user of the application with a privilege in the first hierarchy for a particular type of data item stored at the server. In some embodiments, the application may provide the server with privilege information for several different users, for several different data items, or both.
Access control can usually be expressed as a hierarchy of privileges to perform operations. A hierarchy is a well-known mathematical structure. In general, a hierarchy consists of nodes arranged in multiple levels. Each node at a given level is connected to one or more nodes at other levels. Each node at a lower level is a child node of one or more parent nodes at the next higher level. In a tree hierarchy each child node has only one parent node, but a parent node may have multiple child nodes. In a tree hierarchy, a node with no connected parent node is a root node, and a node with no connected child node is a leaf node. A tree hierarchy typically has a single root node. A tree hierarchy can be used to describe parent privileges that comprise one or more child privileges.
In a hierarchy of privileges, each leaf node corresponds to a privilege to perform one application-specific operation whose access is controlled. A privilege to perform more than one application-specific operation corresponds to an ancestor node, in the hierarchy, of the leaf nodes that correspond to those application-specific operations.
Fig. 1 is a block diagram illustrating an example hierarchy 100 of privileges for performing application-specific operations of an application that manages the purchase orders (POs) of an enterprise. In example hierarchy 100, each node 110 corresponds to a privilege to perform one or more application-specific operations related to purchase orders (POs). Ellipsis 111 represents additional nodes for additional privileges, if any. In other embodiments, a hierarchy of privileges may have more or fewer nodes at more or fewer levels.
Each leaf node in hierarchy 100 corresponds to a privilege to perform one of the application-specific operations whose access is controlled. In the described embodiment, the privileges for single application-specific operations, and their corresponding leaf nodes, are listed in Table 1. At the discretion of the application's administrator, any of these privileges may be granted to any user of the application.
Table 1. Example hierarchy of privileges
Leaf node | Privilege name | Single application-specific operation allowed
110b | Generate_PO | Create a PO with the seller's name and address and a list of items from that seller
110g | Approve_Services | Provide authorization for a PO for the purchase of services
110h | Approve_Equipment | Provide authorization for a PO for the purchase of fixed equipment
110i | Approve_Supplies | Provide authorization for a PO for the purchase of supplies
110d | Purchase | Effect an order from a seller by sending the approved PO to the seller
110j | Accept_Services | Indicate that services delivered under a PO are acceptable
110k | Accept_Equipment | Indicate that fixed equipment delivered under a PO is acceptable
110l | Accept_Supplies | Indicate that supplies delivered under a PO are acceptable
110f | Pay_under_PO | Send payment to the seller for deliveries accepted under a PO
Hierarchy 100 also includes parent nodes representing privileges for more than one application-specific operation. The privilege named Approve_PO at parent node 110c includes the privileges at nodes 110g, 110h, 110i to approve services, equipment and supplies, respectively. The privilege named Accept_Delivery at parent node 110e includes the privileges at nodes 110j, 110k, 110l to accept delivered services, equipment and supplies, respectively. Privileges at these parent nodes may be granted to particular administrative users of the application, such as department heads. The privilege PO_ALL at node 110a includes the privileges at nodes 110b, 110c, 110d, 110e, 110f to generate a PO, approve a PO, purchase under an approved PO, accept delivery under a PO, and pay for deliveries accepted under a PO, respectively. The PO_ALL privilege therefore includes the privileges to perform all application-specific operations on purchase orders.
Architectural overview
Fig. 2 is a block diagram illustrating a system 200 for supporting access control on application-specific operations with a separate database server, according to an embodiment. System 200 includes application 220, application clients 210 and database server 230. In response to one or more commands from one or more application clients 210, application 220 performs one or more application-specific operations.
Database server 230 manages a database of one or more database objects for application 220. Database server 230 includes persistent storage 240 and a cache 232 in the fast but volatile memory of database server 230. It should be noted that database server 230 is a process. Persistent storage 240 and cache 232 are the portions of the host's persistent storage and the host's memory allocated to database server process 230. Consequently, application 220 and database server 230 may execute on the same host, using different portions of the host's persistent storage and memory, or using the same portions of the host's memory at different times. In database server persistent storage 240, database server 230 stores one or more data structures 242, 244 and the one or more data items in one or more database objects (not shown). Data structure 242 holds data representing one or more privilege hierarchies for application 220. Data structure 244 holds data associating one or more users of application 220, and one or more data items, with one or more privileges in the one or more privilege hierarchies for application 220 represented in data structure 242. Although two data structures are shown in Fig. 2, in other embodiments the data in data structures 242, 244 may be stored in more or fewer data structures.
Functional overview
According to the described embodiment, before application 220 performs, on behalf of a client, an application-specific operation whose access is controlled, application 220 sends a request to database server 230 to determine whether the user associated with the client has the privilege to have application 220 perform the application-specific operation on a particular data item. Based on the request and the information stored in data structures 242, 244, database server 230 sends a response back to application 220. The response includes data indicating whether the user has the privilege to have application 220 perform the application-specific operation on the particular data item.
The administrator of application 220 provides the information in data structures 242, 244. In the illustrated embodiment, the application administrator stores the data describing the hierarchy in an Extensible Markup Language (XML) document. XML is a well-known and widely used markup language for describing structured data, defined by a standard published by the World Wide Web Consortium (W3C), and it allows any tree hierarchy of data elements. The application administrator then interacts with an interface provided by database server 230. The interface allows the application administrator to indicate the XML document describing the hierarchy that applies to each data item or group of data items, and to indicate, for each hierarchy, the one or more privileges that apply to each user of application 220.
In some embodiments, each of several privilege hierarchies for an application is associated with a respective type of data item on which the application-specific operations operate. For example, privilege hierarchy 100 is associated with data items representing enterprise purchase orders, but not with data items representing personnel records of the same enterprise. Privileges for operations on personnel records are represented in a second privilege hierarchy (not shown), different from privilege hierarchy 100. In this embodiment, the data in data structure 242 associates each privilege hierarchy with the one or more types of data items on which the operations permitted by those privileges operate.
Method for supporting access control on application-specific operations
To describe the method, an exemplary embodiment is described. In the exemplary embodiment, the application administrator generates an Extensible Markup Language (XML) document describing a hierarchy of privileges for application-specific operations on purchase order objects. In other embodiments, other structured data formats may be used to represent the hierarchy of privileges.
In the exemplary embodiment, each XML element corresponds to a node representing a privilege in the privilege hierarchy. Table 2 shows a portion of an exemplary XML document describing the example hierarchy 100 shown in Fig. 1.
Table 2. Portion of an XML document describing the example hierarchy of privileges
Line | XML line
1    | ...
2    | <PO_ALL>
3    |   <Generate_PO/>
4    |   <Approve_PO>
5    |     <Approve_Services/>
6    |     <Approve_Equipment/>
7    |     <Approve_Supplies/>
8    |   </Approve_PO>
9    |   <Purchase/>
10   |   <Accept_Delivery>
11   |     <Accept_Services/>
12   |     <Accept_Equipment/>
13   |     <Accept_Supplies/>
14   |   </Accept_Delivery>
15   |   <Pay_under_PO/>
16   | </PO_ALL>
17   | ...
For convenience, it is assumed that the XML document with the lines listed in Table 2 is stored in a file named POprivileges.xml on the host computer of application 220. Each XML element has a name. The start of an XML element is indicated by the name of the element enclosed in the symbols "<" and ">". The end of an XML element is indicated by the name of the element enclosed in the symbols "</" and ">". All child elements of a parent element are contained between the symbols indicating the start and the end of the parent element. When an element has no child elements, it may alternatively be represented by the element name enclosed in the symbols "<" and "/>".
The ellipses on lines 1 and 17 of Table 2 indicate XML lines of the document that precede or follow the XML on lines 2 through 16. XML lines 2-16 represent an XML element named "PO_ALL" corresponding to the PO_ALL privilege. The PO_ALL element contains five child elements: Generate_PO on line 3; Approve_PO on lines 4-8; Purchase on line 9; Accept_Delivery on lines 10-14; and Pay_under_PO on line 15. Approve_PO on lines 4-8 contains three child elements: Approve_Services on line 5; Approve_Equipment on line 6; and Approve_Supplies on line 7. Accept_Delivery on lines 10-14 contains three child elements: Accept_Services on line 11; Accept_Equipment on line 12; and Accept_Supplies on line 13. Thus the XML document with the portion depicted in Table 2 describes the privilege hierarchy 100 for purchase order operations depicted in Fig. 1.
Fig. 3 is a flow diagram illustrating an embodiment of a method 300 for supporting access control on application-specific operations with a separate server, according to an embodiment. Although the steps are shown in Fig. 3 in a particular order, in other embodiments the steps may be performed in a different order or may overlap in time. For example, steps 310 and 320 may overlap in time.
In step 310, the server receives data representing a hierarchy of privileges for performing application-specific operations on multiple types of data items. Any method for receiving a privilege hierarchy may be used. For example, in step 310 the application administrator forms an XML document with the lines shown in Table 2, stores the document in the file POprivileges.xml, and uses a database server access control interface to indicate that application-specific access control is to be supported by the database server using the hierarchy of privileges in the file POprivileges.xml. In some embodiments, the database server access control interface is a graphical user interface, such as a page in the Hypertext Markup Language (HTML) well known in the art, that prompts the user to enter particular application-specific access controls. In some embodiments, the database server access control interface is an application programming interface (API), well known in the art, comprising the names and types of procedures and parameters that are invoked to perform database server access control functions. In other embodiments, other interfaces of the server are used.
In some embodiments, more than one privilege hierarchy is received for the same application. For example, if the application is an enterprise system, the application may include not only a privilege hierarchy for a purchase order system, but also privilege hierarchies for other systems such as a human resources system, an equipment management system, a product manufacturing tracking system and a wholesale sales system. The hierarchies that apply to the different systems usually refer to application-specific operations on different types of data items stored in the database by the application. For example, the privilege hierarchy shown in Fig. 1 refers to the operations listed in Table 1, which operate on purchase order database objects in the database, whereas a human resources privilege hierarchy refers to operations on person database objects in the database.
In some embodiments with more than one privilege hierarchy, in step 310 each privilege hierarchy is associated with a type of data item, and that type of data item is also considered part of the data representing the privilege hierarchy. For example, the hierarchy indicated by the XML lines in Table 2 is associated by database server 230 with purchase order database objects in the database it manages for the application. In some embodiments the association is made in the XML document; in some embodiments the association is made through the interface of the database server access control system. In some embodiments, the different hierarchies of the same application are distinguished by another method, such as a hierarchy name.
In step 320, the server receives data representing the privileges of each user on data items, or groups of data items, among the multiple data items. Any method of receiving this data may be used. For example, in step 320 the application administrator forms a second XML document that associates user identities ("userIDs") with one or more privileges in privilege hierarchy 100, and uses the database server access control interface to indicate that the second XML document associates users with privileges. The interface may be an HTML page, an API, or another interface for providing data to the server, such as a graphical user interface. In some embodiments, the XML document specifies an access control list (ACL) for the unified access control system of Murthy, using the XML lines shown in Table 3 below. In Table 3, a user who commands the application to do something that requires a controlled application-specific operation is called a "principal"; one principal has the userID "SCOTT" and another principal has the userID "PETER". In Table 3, each ACL comprises one or more access control elements (ACEs). Each ACE comprises a principal element and a privileges element for the named principal. The privileges element contains one or more privileges identified by their names in the privilege hierarchy. The ellipses on lines 1 and 19 represent other XML lines before and after the ACL. The ellipsis on line 17 represents other XML lines specifying other ACEs.
Table 3. Portion of an XML document describing the privileges of each user
Line | XML line
1    | ...
2    | <ACL>
3    |   <ACE>
4    |     <principal>SCOTT</principal>
5    |     <privileges>
6    |       <Generate_PO/>
7    |       <Accept_Supplies/>
8    |     </privileges>
9    |   </ACE>
10   |   <ACE>
11   |     <principal>PETER</principal>
12   |     <privileges>
13   |       <Approve_PO/>
14   |       <Pay_under_PO/>
15   |     </privileges>
16   |   </ACE>
17   |   ...
18   | </ACL>
19   | ...
As shown in the typical ACL of table 3, user SCOTT can produce PO and accept the transmission of goods and materials, and user PETER can ratify the PO of any kind of and authorize payment to the seller.
In having multi-level embodiment, in step 320, specify the user privilege in each level.For example, if use ACL, will there be one group in being applied to the buying order level of buying order data item, to specify the ACL of privilege to organize the ACL that specifies privilege in the human resources level that is being applied to the human resource data item with another.
In step 340, server receives the access control request from application program.This request comprises the data of expression specific user and particular application-specific operation and incites somebody to action the data item of executable operations thereon.In the embodiment that has only a level that is applied to all data item, this data item can be left in the basket.Having the multi-level embodiment that is used for an application, from data item, infer the privilege hierarchy that to be employed according to the data item of the type.One type data item is represented one or more data item or database object.In certain embodiments, the data of expression particular application-specific operation are the data of the particular privilege of the one or more dedicated operations of expression.
For purposes of illustration, assume that user SCOTT operates application 220 through client 210a, and that user PETER operates application 220 through client 210b. Assume also that user SCOTT attempts to approve a particular purchase order, hereinafter designated "PO12345", which SCOTT has just generated for office supplies. This causes application 220 to generate an access control request containing data indicating that user SCOTT is attempting to perform, on purchase order data item PO12345, an application-specific operation that requires the Approve_Services privilege. The database server receives the request in step 340.
In step 350, the server determines, based on the privileges associated with the particular user for the particular data item, whether the application may perform the particular operation for the particular user. For example, database server 230 determines whether application 220 may perform the operation requiring the Approve_Services privilege for SCOTT, based on the privileges associated with SCOTT for purchase order data items in the hierarchy associated with purchase order data items.
In step 350, the server determines the appropriate hierarchy. For example, database server 230 determines, from database metadata maintained by database server 230, that PO12345 is a database object of the purchase order type. Database server 230 then determines that the privilege hierarchy received in step 310 (listed in part in the XML document of Table 2) is the appropriate hierarchy.
In step 350, the server determines whether the user has the privilege indicated in the request. For example, database server 230 determines that user SCOTT appears in the ACL listed in Table 3, in the ACE at rows 3-9 for purchase order data items, but that the privilege Approve_Services is not among the privileges listed in rows 5-8. Therefore user SCOTT does not have the privilege to perform this application-specific operation.
In step 390, the server sends a response back to the application. The response includes data indicating whether the application may perform the particular operation for the particular user. For example, database server 230 sends back to application 220 a response indicating that application 220 should not perform the approve-services operation for user SCOTT, who is associated with client 210a. Based on this response, the application does not perform the operation. In some embodiments the application sends a message to the user's client indicating, based on the response, that the user is not permitted to perform the application-specific operation. For example, based on the response, application 220 sends client 210a a message that user SCOTT is not permitted to approve purchase orders for services.
Representing user privileges with bitmaps
In step 350, as described above, the server determines whether the user has the privilege indicated in the request. It is advantageous to keep the privileges of the users operating active clients of the application in a cache in high-speed memory. The more user privileges are held in the cache, the faster the server can respond to access control requests supporting application-specific operations. The more compactly user privileges can be represented, the more users can be held in the cache. According to an embodiment, the server uses bitmaps in the cache to represent the privileges associated with each user. For example, database server 230 stores user privileges in cache 232 using bitmaps.
In this embodiment, the server associates each leaf node of the hierarchy with a bit position. For example, the nine leaf nodes of hierarchy 100 listed in Table 1 are associated with bit positions 1 to 9. When the server receives data indicating the privileges granted to a particular user (including by reading that data from persistent storage), the server sets the bits corresponding to granted privileges to an "ON" value, e.g. "1", and the bits corresponding to privileges not granted to an "OFF" value, e.g. "0". When the privilege corresponding to a parent node is granted, the bits corresponding to all leaf nodes in the branch below that parent node are set to the ON value. For example, the privileges granted to users SCOTT and PETER by the XML lines listed in Table 3 are represented by the bitmaps listed in Table 4, where bit positions are counted from the right (least significant bit) to the left (most significant bit).
Table 4. Example bitmaps of the privileges granted in the hierarchy of Fig. 1

User ID   Bitmap
SCOTT     010000001
PETER     100001110
SCOTT is granted the privilege to generate POs, the first leaf node 110b, so the ON value "1" is set in the first (rightmost) bit. SCOTT is also granted the privilege to accept delivered supplies, the eighth leaf node 110l, so the ON value "1" is set in the eighth bit from the right. PETER is granted the privilege to approve POs, which is the parent node of leaf nodes 110g, 110h and 110i for approving services, equipment and supplies respectively. Therefore the bits corresponding to the three leaf nodes 110g, 110h and 110i are set to the ON value "1". These bits are in the second through fourth positions of the bitmap, counting from the right. PETER is also granted the privilege to pay for deliveries, the ninth leaf node 110f, so the ON value "1" is set in the ninth bit from the right, i.e. the leftmost bit.
In some embodiments with multiple hierarchies, the leaf nodes of all hierarchies are combined in a single bitmap. In other embodiments, the leaf nodes of different hierarchies are placed in different bitmaps. In some embodiments, the bit position may be determined by a hash function of the hierarchy name and the privilege name.
In some embodiments that use bitmaps, in step 350 database server 230 determines whether the bitmap for the particular user and the particular data item is in cache 232. If so, the operation of retrieving the bitmap from data stored on persistent storage 240 can be eliminated. If not, the user's bitmap is fetched from persistent storage 240 and added to cache 232. If there is not enough space in cache 232 for the fetched bitmap, space is freed in cache 232 using any method known in the art. For example, the memory allocated to the least recently used bitmap can be reused for the particular user's bitmap.
Database server 230 then determines the bit position associated with the privilege for the application-specific operation, or with the privilege indicated in the access control request received in step 340. For example, using the hierarchy shown in Table 2, the database server determines that the approve-services operation is associated with the Approve_Services privilege, which is associated with the second leaf node and therefore with the second bit of the bitmap.
In step 350, database server 230 then determines whether the bit at that position is set to the ON value. For example, the database server determines that the second bit is not set to the ON value in SCOTT's bitmap listed in Table 4. Therefore the database server determines that SCOTT does not have the privilege to approve services.
If database server 230 receives a request from PETER to approve PO12345, in step 350 database server 230 determines that the second bit is set to the ON value in PETER's bitmap listed in Table 4. Therefore the database server determines that PETER has the privilege to approve services.
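To make steps 320 through 350 concrete, the following is an added example (not code from the patent or from Oracle) that parses the Table 3 ACL, builds the Table 4 bitmaps with parent privileges expanded to their leaf bits, keeps the bitmaps in a small least-recently-used cache standing in for cache 232 and persistent storage 240, and answers the SCOTT and PETER requests. The names of leaf nodes 5 to 7 are not given on the page, so placeholders stand in for them; LRU eviction and deny-by-default for unknown principals are this example's own choices.

```python
"""Added example: Table 3 ACL -> Table 4 bitmaps -> cached privilege checks."""
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Leaf-node bit positions of privilege hierarchy 100 as far as the text gives
# them (position 1 = rightmost bit). Leaves 5-7 are not named on the page,
# so placeholder names are used for those positions.
LEAF_BITS = {
    "Generate_PO": 1,
    "Approve_Services": 2,
    "Approve_Equipment": 3,
    "Approve_Supplies": 4,
    "LEAF5_PLACEHOLDER": 5,
    "LEAF6_PLACEHOLDER": 6,
    "LEAF7_PLACEHOLDER": 7,
    "Accept_Supplies": 8,
    "Pay_under_PO": 9,
}
# Parent privileges: granting one grants every leaf in its branch.
PARENTS = {
    "Approve_PO": ["Approve_Services", "Approve_Equipment", "Approve_Supplies"],
}

# Constructed sample input: the ACL of Table 3 without the "..." rows.
ACL_XML = """<ACL>
  <ACE><principal>SCOTT</principal>
       <privileges><Generate_PO/><Accept_Supplies/></privileges></ACE>
  <ACE><principal>PETER</principal>
       <privileges><Approve_PO/><Pay_under_PO/></privileges></ACE>
</ACL>"""


def leaves_under(privilege):
    """Expand a privilege name to the leaf privileges it covers."""
    if privilege in LEAF_BITS:
        return [privilege]
    if privilege in PARENTS:
        return [leaf for child in PARENTS[privilege] for leaf in leaves_under(child)]
    raise ValueError(f"unknown privilege: {privilege}")


def bitmap_for(privileges):
    """Bitmap with bit (position - 1) set for every leaf the privileges cover."""
    bits = 0
    for priv in privileges:
        for leaf in leaves_under(priv):
            bits |= 1 << (LEAF_BITS[leaf] - 1)
    return bits


def parse_acl(xml_text):
    """Step 320: return {principal: bitmap} from an ACL document like Table 3."""
    result = {}
    for ace in ET.fromstring(xml_text).findall("ACE"):
        principal = ace.findtext("principal")
        privs = [p.tag for p in ace.find("privileges")]
        result[principal] = bitmap_for(privs)
    return result


def render(bitmap, width=len(LEAF_BITS)):
    """Bitmap as the right-to-left bit string used in Table 4."""
    return format(bitmap, f"0{width}b")


class PrivilegeCache:
    """LRU cache of per-user bitmaps in front of a persistent store (a dict here)."""

    def __init__(self, store, capacity):
        self.store, self.capacity = store, capacity
        self.cache = OrderedDict()
        self.misses = 0

    def bitmap(self, user):
        if user not in self.cache:
            self.misses += 1
            if len(self.cache) >= self.capacity:
                self.cache.popitem(last=False)  # evict the least recently used
            self.cache[user] = self.store.get(user, 0)  # unknown principal: no bits
        self.cache.move_to_end(user)
        return self.cache[user]


def check_request(cache, user, privilege):
    """Step 350: True if every leaf bit the requested privilege covers is ON."""
    needed = bitmap_for([privilege])
    return cache.bitmap(user) & needed == needed


if __name__ == "__main__":
    store = parse_acl(ACL_XML)
    for user, bits in store.items():
        print(user, render(bits))
    cache = PrivilegeCache(store, capacity=2)
    print("SCOTT Approve_Services:", check_request(cache, "SCOTT", "Approve_Services"))
    print("PETER Approve_Services:", check_request(cache, "PETER", "Approve_Services"))
```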
As described, the use of cache 232 and of bitmaps to determine user privileges is efficient. Application developers can obtain this efficient privilege determination by using a separate server, such as a database or content management server, without substantial software development. The application administrator simply uses the interface already built for the separate server to provide the privilege hierarchy and the user privileges to the separate server once. New applications are developed, or existing applications modified, simply to send access control requests to the separate server. The application need not be developed to determine efficiently whether a privilege is available for an application-specific operation. For example, the application need not be developed to manage cache 232 or to construct the user privilege bitmaps.
Hardware Overview
Fig. 4 is a block diagram of a computer system 400 upon which an embodiment of the invention may be implemented. Computer system 400 includes a bus 402 or other communication mechanism for communicating information, and a processor 404 coupled with bus 402 for processing information. Computer system 400 also includes a main memory 406, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 402 for storing information and instructions to be executed by processor 404. Main memory 406 may also be used for storing temporary variables or other intermediate information during execution of instructions by processor 404. Computer system 400 further includes a read only memory (ROM) 408 or other static storage device coupled to bus 402 for storing static information and instructions for processor 404. A storage device 410, such as a magnetic disk or optical disk, is coupled to bus 402 for storing information and instructions.
Computer system 400 may be coupled via bus 402 to a display 412, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 414, including alphanumeric and other keys, is coupled to bus 402 for communicating information and command selections to processor 404. Another type of user input device is cursor control 416, such as a mouse, a trackball or cursor direction keys, for communicating direction information and command selections to processor 404 and for controlling cursor movement on display 412. This input device typically has two degrees of freedom in two axes, a first axis (e.g. the x axis) and a second axis (e.g. the y axis), which allows the device to specify positions in a plane.
The invention relates to the use of computer system 400 for implementing the techniques described herein. According to an embodiment of the invention, those techniques are performed by computer system 400 in response to processor 404 executing one or more sequences of one or more instructions contained in main memory 406. Such instructions may be read into main memory 406 from another computer-readable medium, such as storage device 410. Execution of the sequences of instructions contained in main memory 406 causes processor 404 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of, or in combination with, software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.
The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 404 for execution. Such a medium may take many forms, including but not limited to non-volatile media, volatile media and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as storage device 410. Volatile media include dynamic memory, such as main memory 406. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise bus 402. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infrared data communications.
Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape or any other magnetic medium, a CD-ROM or any other optical medium, punch cards, paper tape or any other physical medium with patterns of holes, a RAM, a PROM, an EPROM, a FLASH-EPROM or any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.
Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 404 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 400 can receive the data on the telephone line and use an infrared transmitter to convert the data to an infrared signal. An infrared detector can receive the data carried in the infrared signal, and appropriate circuitry can place the data on bus 402. Bus 402 carries the data to main memory 406, from which processor 404 retrieves and executes the instructions. The instructions received by main memory 406 may optionally be stored on storage device 410 either before or after execution by processor 404.
Computer system 400 also includes a communication interface 418 coupled to bus 402. Communication interface 418 provides a two-way data communication coupling to a network link 420 that is connected to a local network 422. For example, communication interface 418 may be an Integrated Services Digital Network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 418 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 418 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.
Network link 420 typically provides data communication through one or more networks to other data devices. For example, network link 420 may provide a connection through local network 422 to a host computer 424 or to data equipment operated by an Internet Service Provider (ISP) 426. ISP 426 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 428. Local network 422 and Internet 428 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks, the signals on network link 420 and the signals through communication interface 418, which carry the digital data to and from computer system 400, are exemplary forms of carrier waves transporting the information.
Computer system 400 can send messages and receive data, including program code, through the network(s), network link 420 and communication interface 418. In the Internet example, a server 430 might transmit requested code for an application program through Internet 428, ISP 426, local network 422 and communication interface 418.
The received code may be executed by processor 404 as it is received, and/or stored in storage device 410 or other non-volatile storage for later execution. In this manner, computer system 400 may obtain application code in the form of a carrier wave.
The foregoing describes only preferred embodiments of the present invention and does not limit the invention; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.

Claims (18)

1. A method for controlling the execution of application-specific operations defined by an application program, comprising the steps of:
receiving privilege information at a server process distinct from the application program,
wherein the privilege information comprises first data describing a particular set of privileges for performing a plurality of application-specific operations;
causing the server process to determine, based on the privilege information, whether a particular application-specific operation is permitted under a particular set of conditions; and
causing the server process to send to the application program an indication of whether the particular application-specific operation is permitted under the particular set of conditions.
2. The method of claim 1, wherein the step of receiving privilege information further comprises receiving, at the server process, second data that associates a user of the application program with one or more privileges in the particular set of privileges.
3. The method of claim 1, further comprising the steps of:
in response to receiving from the application program a request indicating a particular user and a particular application-specific operation, determining at the server process, based on the privilege information, whether the particular user may cause the application program to perform the particular application-specific operation; and
wherein the step of causing the server process to send the indication to the application program comprises sending to the application program a response indicating whether the particular user may cause the application program to perform the particular application-specific operation.
4. The method of claim 3, wherein:
the step of receiving privilege information further comprises receiving first data that associates the first set of privileges with a first type of data item on which the plurality of application-specific operations are performed;
the step of receiving the request further comprises receiving a request that also indicates a particular data item; and
the step of determining whether the particular user may cause the application program to perform the particular application-specific operation further comprises determining whether the particular data item is a member of the first type of data item.
5. The method of claim 4, wherein:
the method further comprises receiving, at the server process, third data describing a second set of privileges for performing a second plurality of application-specific operations on a second type of data item different from the first type of data item; and
the step of determining whether the particular user may cause the application program to perform the particular application-specific operation is performed in part based on the particular type of the particular data item.
6. The method of claim 1, wherein the step of receiving privilege information comprises receiving a document in Extensible Markup Language format.
7. The method of claim 3, wherein the step of determining whether the particular user may cause the application program to perform the particular application-specific operation further comprises the step of managing a cache in high-speed memory for storing information that associates each user of one or more users with one or more privileges in each set of one or more sets of privileges.
8. The method of claim 7, wherein the step of managing the cache further comprises storing in the cache data indicating a type of data item associated with each user.
9. The method of claim 1, wherein the particular set of privileges forms a first hierarchy of two or more levels of privileges.
10. The method of claim 7, wherein the step of managing the cache further comprises storing in the cache a bitmap for each user, wherein:
each set of privileges forms a hierarchy of one or more levels of privileges;
each distinct position in the bitmap corresponds to a distinct leaf node in each hierarchy of the one or more sets of privileges; and
a leaf node is a node of a hierarchy without any child node.
11. A method for controlling the execution of application-specific operations defined by an application program, comprising the steps of:
sending privilege information to a server process distinct from the application program,
the privilege information comprising first data describing a first set of privileges for performing a first plurality of application-specific operations;
sending a request from the application program to the server process, causing the server process to determine, based on the privilege information, whether a particular application-specific operation is permitted under a particular set of conditions;
receiving from the server process an indication of whether the particular application-specific operation is permitted under the particular set of conditions; and
the application program allowing the particular application-specific operation only if the server process indicates that the particular application-specific operation is permitted under the particular set of conditions.
12. The method of claim 11, wherein:
the step of sending privilege information to the server process comprises:
sending second data to the server process distinct from the application program,
the second data associating a first user of the application program with a privilege in the first set of privileges.
13. The method of claim 12, further comprising the steps of:
receiving at the application program a command from a particular user, the command causing the application program to perform a particular application-specific operation;
sending to the server process a request indicating the particular user and the particular application-specific operation;
wherein the step of receiving from the server process the indication of whether the particular application-specific operation is permitted under the particular set of conditions comprises receiving from the server process a response indicating, based on the first data and the second data, whether the particular user may cause the application program to perform the particular application-specific operation; and
performing the particular application-specific operation only when the response indicates that the particular user may cause the application program to perform the particular application-specific operation.
14. The method of claim 13, wherein:
the step of sending the privilege information comprising the first data further comprises sending first data that also associates the first set of privileges with a first type of data item on which the plurality of application-specific operations are performed;
the step of sending the request further comprises sending a request that also indicates a particular data item; and
the step of receiving the response based on the first data and the second data further comprises receiving the response based also on whether the particular data item is a member of the first type of data item.
15. The method of claim 14, wherein:
the method further comprises sending third data to the server process, the third data describing a different, second set of privileges for performing a second plurality of application-specific operations on a second type of data item different from the first type of data item;
the step of sending the second data further comprises sending second data that also associates a second user of the application program with a privilege in the second hierarchy of privileges; and
the step of receiving the response based on the first data and the second data further comprises receiving a response based also on whether the particular type of the particular data item is associated with a set of particular privileges for a particular plurality of application-specific operations that includes the particular application-specific operation.
16. The method of claim 11, wherein the step of sending privilege information further comprises sending a document in Extensible Markup Language format.
17. The method of claim 12, wherein the application program does not manage a cache in high-speed memory for storing information that associates each user of one or more users with one or more privileges in each set of one or more sets of privileges that include the first set of privileges.
18. The method of claim 11, wherein the first set of privileges forms a first hierarchy of two or more levels of privileges.
CNB2003801044295A 2002-11-06 2003-11-06 Techniques for supporting application-specific access controls with a separate server Expired - Lifetime CN100351791C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US42454302P 2002-11-06 2002-11-06
US60/424,543 2002-11-06
US10/364,610 2003-02-10

Publications (2)

Publication Number Publication Date
CN1717656A CN1717656A (en) 2006-01-04
CN100351791C true CN100351791C (en) 2007-11-28

Family

ID=35707232

Family Applications (3)

Application Number Title Priority Date Filing Date
CNB2003801071860A Expired - Lifetime CN100429654C (en) 2002-11-06 2003-11-06 Techniques for managing multiple hierarchies of data from a single interface
CNB2003801027567A Expired - Lifetime CN100432993C (en) 2002-11-06 2003-11-06 Scalably accessing data in an arbitrarily large document
CNB2003801044295A Expired - Lifetime CN100351791C (en) 2002-11-06 2003-11-06 Techniques for supporting application-specific access controls with a separate server


Country Status (1)

Country Link
CN (3) CN100429654C (en)


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant (granted publication date: 20071128)
CX01  Expiry of patent term