US20090222449A1 - Controlling access to a database using database internal and external authorization information - Google Patents


Info

Publication number
US20090222449A1
Authority
US
United States
Prior art keywords
database
external
access
account
internal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/390,184
Inventor
Erwin Hom
Clay Maeckel
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Apple Inc
Original Assignee
Apple Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Apple Inc
Priority to US12/390,184
Publication of US20090222449A1
Legal status: Abandoned

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present invention relates to databases and, more particularly, to controlling access to a database.
  • Databases are used to store data in a manner that facilitates subsequent use of the data.
  • a database typically includes several tables containing one or more records.
  • a record in a table stored in the database can hold information about a subject or item in its various fields.
  • Database programs have been developed.
  • Database programs often provide a user interface, which allows the user to conveniently interact with the database program in order to perform various operations on the data stored in the database.
  • the interface provided by the database program is typically a graphical user interface which allows the user to conveniently interact with the database program and, in turn, with the database.
  • the user may interact with the graphical user interface to, for example, view the data in various ways.
  • the visual representations provided to the user can include, for example, a browse mode. The browse mode allows records to be viewed, changed, sorted, deleted, or added.
  • a database program allows users to conveniently access data stored in a local database.
  • a database program (or product) could also be provided as database server (or host), which allows a client (or a guest) to access data in a database, which is stored in a remote location with respect to the client.
  • a first database program can, for example, be connected to a second database program over a computer network.
  • one database program can act as a “client” (or guest) and establish a connection to the other database program which acts as “server” (or host) to a database.
  • the client database program can, in turn, provide the end-user (e.g., a human, or application program) with access to data, which is stored remotely.
  • Conventional database server programs can be configured only to grant access to a database based on a set of database accounts, which are typically defined by a database administrator, or alternatively grant access based on a set of operating system accounts which are typically defined by a system administrator.
  • These operating system accounts are typically a set of general purpose accounts associated with different category of access privilege (e.g., “admin,” “manager,” “data-entry-only”).
  • access privileges are typically assigned to several different users. For example, several different individuals may be assigned the access level “manager.” This approach, however, does not allow a particular user to be identified when an external account is used, and thus may not adequately support a secure environment and/or allow monitoring (or logging) activities initiated using external accounts.
  • access privileges cannot be easily modified (or updated) when general categories of access privileges are used (because access privilege is not defined per individual user). For example, if a particular manager leaves, the “manager” access level should be changed for security reasons. As a result, several other managers may have to be assigned a new access-level.
  • conventional techniques do not allow configuring a server database product (or program) such that both database and operating system accounts can be used together to control access to a database.
  • conventional database server products control access to a database either entirely based on non-database accounts (e.g. operating system accounts), or entirely based on a set of identifiers (e.g., access keys), which are typically maintained and administered separately from the non-database accounts.
  • the invention pertains to techniques for controlling access to a database.
  • sets of database “internal” and “external” (or non-database) access-privileges are defined for a database.
  • An “external” database component can, for example, be any component that resides outside a database system, program, or product that is used as interface to access a database.
  • corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as database “external” accounts in accordance with one embodiment of the invention.
  • the database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts.
  • sets of database “internal” and “external” access-privileges can be combined to generate an integrated access-privilege set which can be used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database.
  • the invention can be used to seamlessly integrate databases with various non-database entities (e.g., corporate computing systems).
  • non-database accounts may be authenticated externally, but access can be authorized using a database component (e.g., a server-side database component).
  • databases can be integrated with various non-database entities, while authentication of non-database accounts is still performed by database external entities that are generally more preferred to authenticate their own accounts.
  • the invention can be implemented to control access with respect to both database internal and external accounts, which can be used to seek access to the database.
  • access to the database can be controlled using the same authentication information (e.g., username and password of an operating system account) regardless of whether the database is internally or externally accessed.
  • This can be achieved by defining and using database “internal” and “external” access-privileges in a manner that allows combining them together and using them as an integrated access-privilege set arranged in accordance with assigned priority of authorized access.
  • database internal and external access privileges may be conveniently defined and maintained in a central location, by a single entity that does not have to be a database administrator (e.g., a system or server administrator).
  • a database administrator can still access the database using a database internal account regardless of which server or external (“non-database”) authenticator has been chosen by the non-database administrator (e.g., a system or server administrator) to authenticate database users.
  • the invention can be implemented in numerous ways, including as a method, an apparatus, a computer readable medium, and a database product, program, or system. Several embodiments of the invention are discussed below.
  • FIG. 1 depicts a computing environment in accordance with an embodiment of the invention.
  • FIG. 2 depicts a server-side database component 108 in accordance with one embodiment of the invention.
  • FIG. 3 depicts an authorizing access method for authorizing access to a database in accordance with one embodiment of the invention.
  • FIG. 4 depicts an authorizing access method for authorizing access to a database in accordance with another embodiment of the invention.
  • FIG. 5 depicts a method for determining whether access to a database should be granted based on database external or internal authorization information in accordance with one embodiment of the invention.
  • FIG. 6 depicts a “Define Accounts and Privileges” panel in accordance with one embodiment of the invention.
  • FIG. 7 and FIG. 8 respectively depict “Edit Account” panels used to edit (or create) database external and internal authorization information.
  • corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as “external” database accounts in accordance with one embodiment of the invention.
  • a database administrator can still access the database using an internal database account regardless of which server or external (“non-database”) authenticator has been chosen by the non-database administrator (e.g., a system or server administrator) to authenticate database users.
  • FIG. 1 depicts a computing environment 100 in accordance with an embodiment of the invention.
  • a plurality of client computers 102 and 104 can communicate with a server computer 108 via a network 106 .
  • this communication may be established using a variety of existing wired or wireless communication protocols, hardware, and software components, which will not be discussed further.
  • the client computer 102 includes a client-side database component 110 that can be used to initiate communication with a server-side database component 112 operating in the server computer 108 .
  • the client-side database component 110 is used in order to access data stored in a database 114 .
  • a user (or application) 116 can initiate a request to access data using the client-side database component 110 .
  • This request may, for example, be initiated as a result of the user 116 requesting to list or open one or more database files stored in the database 114 .
  • the user 116 may, for example, use a monitor 110 or a wireless phone 142 to access the client computer 102 .
  • a request to access database 114 can be initiated by the client-side database component 102 , and transmitted via network 106 to the server-side database component 112 .
  • the server-side database component 112 can initiate an authentication process when it receives the request to access database 114 .
  • this authentication process authenticates the user 116 of the client computer 102 .
  • the user 116 may have used a [user-id and password] to login to the client computer 102 .
  • the server-side database component 112 initially authenticates the user 116 by sending the [user-id and password] to an external authenticator 118 for authentication before access to the database 114 is granted.
  • the external authenticator 118 can, for example, be an operating system account manager (e.g., Active Directory in Windows operating environment, Open Directory in MAC operating environment).
  • authentication information 150 can be made available as a block of data that is forwarded to the external authenticator 118 for authentication.
  • the external authenticator 118 can, for example, decode and/or decrypt the block of data in order to authenticate the user 116 .
  • the external authenticator 118 notifies the server-side database component 112 that the user 116 has been authenticated.
  • the external authenticator 118 can send authorization information 152 , for example, as one or more privilege-identifiers, which are associated with the authentication-information 150 (e.g., user-id and password) of the authenticated user.
  • a privilege-identifier may be a group-name that is also used in operating system accounts of corporate computing environments.
  • a privilege-identifier may associate a user with a group that has certain privileges with respect to data stored in a database (e.g. a group name used in Active Directory in Windows operating environment).
  • the server-side database component 112 can initiate an authorization process, which determines the privileges, which have been assigned to the user 116 with respect to database 112 (i.e., access-level privileges).
  • sets of database internal information 120 e.g., database account information
  • database external information 122 e.g., database external authentication information
  • the database internal information 120 is defined as a set of database internal accounts that include both authentication information (e.g., name and password) with associated authorization information (e.g., an access-privilege set), while the database external information 122 includes external authorization information (e.g., group-names with associated access-privileges).
  • the database external information 122 does not need to include external authentication information. As such, there is no need to store external authentication information in a database, and external authentication may be independently performed by a database external entity (e.g., an external authenticator). Moreover, the set of database internal and external information can be combined to generate an integrated access-privilege set 180 which is used to control access to the database.
  • the server-side database component 112 can determine access-level privileges of user 116 even though the user may have been externally authenticated by the external authenticator 118 . More particularly, the server-side database component 112 can be configured to use the authorization information 152 sent by the external authenticator 118 and compare it with the generated integrated access-privilege set 160 in order to authorize the user 116 as a database internal or external account. Moreover, the server-side database component 112 can use the authentication information 152 in a manner that allows integration of external accounts (e.g. corporate accounts) used by various environments with database internal accounts. As will be discussed below, this integration allows authorized use of both database internal and external accounts, which attempt to access the database.
  • an administrator-side database component 160 (e.g., an administrative tool) may also be provided to allow an administrator 162 to administrate the database 114 via server-side database component 112 . Both users and administrators can be provided with authorized access in essentially the same manner. As such, authorization of user will be further discussed.
  • FIG. 2 depicts in greater detail the server-side database component 108 (shown in FIG. 1 ) in accordance with one embodiment of the invention.
  • the server-side database component 108 includes an authentication interface 202 which can communicate with the external authenticator 118 (also shown in FIG. 1 ).
  • a database engine 204 is connected to the authentication interface 202 and database 114 .
  • authentication information 150 is forwarded, by the authentication interface 202 , to the external authenticator 118 , which initiates an authentication process. If the authentication process successfully authenticates the user associated with the authentication information 150 , the external authenticator 118 determines authorization information 152 associated with the user and forwards it to the authentication interface 202 .
  • authentication information 150 may be in the form of a name and a password set (e.g., Bob and xx) which is forwarded by the authentication interface 202 to the external authenticator 118 .
  • the authentication information 150 may be explicitly known, or may be forwarded as a block of data without the server-side database component 108 (or authentication interface 202 ) having explicit knowledge of its content.
  • the external authenticator 118 can initiate an authentication process, which if successful, may result in transmission of authorization information 152 to the authentication interface 202 .
  • the authorization information 152 includes database external privilege-identifiers associated with access privileges of the authenticated user. As such, authorization information 152 can provide access-level privileges that have been defined for the authenticated user for an operating system.
  • these access privileges for a database may also be defined in a similar manner as privileges defined in corporate accounts (e.g. operating system accounts) in accordance with one embodiment of the invention.
  • group-names may be defined and associated with various user names and passwords in a set of database external authorization information 122 , which is defined for the database 114 and can be stored in the database 114 .
  • group matches e.g., Software, Manager Level-3 group
  • group names may also be defined for the database 114 and provided in the set of database external authorization information 122 , which defines access privileges, assigned to each group-name.
  • group-names: “Software group” and “Manager Level-3” may respectively be associated with “read-only” and “Admin” access privileges.
  • a name and a password pair used to sign into a corporate computing system (e.g., operating system account) can effectively also be assigned privileges with respect to accessing a database.
  • the same name and password pair may be assigned access privileges and be stored in the database internal account 120 .
  • database internal authorization information may be defined, for example, to associate a name and a password pair (Bob, xx) with “read-only” access privilege.
  • both internal and external authorization information stored respectively in the database internal accounts 120 and database external authorization information 122 can be used together to determine access-privileges of a user with respect to the database 114 .
  • an order field 230 can be provided for both the database internal accounts 120 and database external authorization information 122 .
  • the order field may be used to determine whether a user account should be considered as an internal or external database account.
  • the authorization information 152 includes a name, password, and one or more associated group-names (e.g., Bob, xx, Software, and Manager Level-3 group names)
  • the internal and external authorization information 120 and 122 of the database 114 can be searched in accordance with the particular order indicated by the order field.
  • the order field could be used to effectively generate an integrated access-privilege set 180 , which, among other things, can be displayed, for a user to allow convenient creating and maintenance of an integrated access-privilege set.
  • authorization information 152 (Bob, xx), which is also associated with group names: Software and Manager Level-3, would be matched as an internal database account with “read-only” privilege (Order 2).
  • authorization information (Tom, yy), associated with Hardware and Engineering Level-1 groups, may be matched to an external database account with access privilege of: “read-only” (Order 5).
  • each of the external accounts may additionally be assigned a weight which is added to individual priority assigned to each account (e.g., an order) in order to determine which access levels should be used.
  • FIG. 3 depicts an authorizing access method 300 for authorizing access to a database in accordance with one embodiment of the invention.
  • a request to access the database is received ( 302 ). This request is typically received from a user on a local (or client) computer who is attempting to access a remote database via a server.
  • the request to access the database is received ( 302 )
  • integrated authorization information is obtained or received ( 306 ). Again, the authorization is typically associated with a user on a local computer who is attempting to access data stored on a server in a remote location.
  • authorization access method 300 determines whether authorization should be made as an internal account. If it is determined ( 310 ) that authorization should not be made as an internal account, error is output ( 306 ), and the authorizing access method 300 ends. However, if it is determined ( 310 ) that authorization should be made as an internal account, access privileges are determined based on authorization information stored as internal account information and the authorizing access method 300 ends. On the other hand, if it is determined ( 308 ) that authorization should be made as an external account, access privileges are determined ( 314 ) based on database external authorization information. The authorization access method 300 ends following operations ( 314 ) or ( 312 ). Determination ( 314 ) will be described in greater detail below. The determination of whether authorization should be made as an external account ( 308 ) or an internal account ( 312 ) will also be described below.
  • FIG. 4 depicts, in greater detail, an authorizing access method 400 for authorizing access to a database in accordance with another embodiment of the invention.
  • a user on a local computer explicitly requests or triggers access ( 402 ) to a remote database.
  • the remote database is typically accessed via a server.
  • authorization information associated with the user's account is obtained ( 404 ).
  • the authorization information can be a user name and a password.
  • the same user-name (or user-id) and password are used by the user to sign into a local computer.
  • the user name and password may, for example, correspond to an operating system account.
  • when the authorization information is obtained ( 404 ), the authorization information (e.g., user name and password) is forwarded ( 406 ) to an external authenticator.
  • the external authenticator is associated with the operating system or platform of the local computer that the user has signed into.
  • the authorizing access method 400 ends. However, if it is determined ( 408 ) that the external authentication was successful, it is determined ( 412 ) whether any group names have been assigned to the authentication information, (e.g., user name and password). If it is determined ( 412 ) that a group name has not been associated or assigned to the authentication information, a database internal account is used ( 414 ) in order to authorize access to the database. More particularly, a determination is made ( 414 ) as to which internal account matches the authentication information, (e.g., user name and password).
  • an internal account matches the authentication information. Accordingly, if it is determined ( 416 ) that an internal database account matches the authentication information, access privileges are granted ( 418 ) based on the matching authorization information in the database internal account, and the authorizing access method 400 ends. However, if it is determined ( 416 ) that a database internal account which matches the authorization information was not found, an error is output ( 410 ), and the authorizing access method 400 ends.
  • the authorization access method 400 ends following determination ( 422 ) of whether access privileges should be granted from an external account or an internal account. In other words, upon successful validation of authorization information, access may be granted based on either internal or external account information.
  • FIG. 5 depicts a method 422 for determining whether access to a database should be granted based on database external or internal authorization information in accordance with one embodiment of the invention.
  • authorization information is received ( 501 ).
  • the authorization information is associated with a user seeking access to a database, and may include both internal authorization information (e.g., [name, password]), and external authorization information (e.g., one or more group-names).
  • authorization information may include: a user name: Bob, password: XX, and matching group-names: software and manager level-3 (also shown in FIG. 2 ).
  • an ordered list of all internal and external authorization information which has been defined for the database, is initially obtained ( 502 ).
  • internal and external authorization information may, for example, be stored for each database that is made available to both local and remote users.
  • Each of the internal and external authorization information may, for example, be provided in a table that includes an order or priority assigned (e.g., internal account information 120 and external authorization information 122 shown in FIG. 2 ).
  • an ordered list of all internal and external authorization information (e.g., an integrated access privilege set)
  • the method 422 operates to compare the authentication information received ( 501 ) with this ordered list ( 502 ).
  • the first item in the ordered list (e.g., Sam, ZZ, order 1) is read ( 504 ).
  • the determination ( 506 ) may, for example, be made by providing an external or internal field or flag for each item in the ordered list. If it is determined ( 506 ) that the item is not associated with an external account (i.e., the item is associated with an internal account), it is determined ( 508 ) whether the item matches the portion of the authorization information that corresponds to an internal account.
  • the authorization information corresponding to an external account may also be arranged in order.
  • group-names may be arranged in accordance with an access-priority, and be considered in the order of access-priority.
  • access is granted ( 510 ) based on privileges defined in the item.
  • the next item in the ordered list can be read ( 520 , 522 ). If it is determined ( 530 , 532 ) that the last item in the ordered list has been read, but no match has been found, access is denied ( 540 ), and the authorization method 422 ends.
  • FIGS. 6 , 7 and 8 depict representative screens, which are generated by a graphical user interface provided for accessing a server-side database product (or program) in accordance with one aspect of the invention. More particularly, the graphical user interface can be used to manage internal and external authorization information respectively for database internal and external accounts.
  • FIG. 6 shows several database internal accounts (labeled as FileMaker) and database external accounts (labeled as External Server).
  • both database internal and external accounts may be managed using the panel depicted in FIG. 6 .
  • authentication and/or authorization can occur based on the order, which appears in the panel, and so on.
  • an “Edit Account” panel may be used to define a group name and a privilege set when an external server is chosen for authentication.
  • the “Edit Account” panel may also be used to define a database internal account (i.e., FileMaker), which can be authenticated internally by the database server.
  • various privileges (e.g., “Full Access,” “Data Entry Only”) may be defined for different database internal or external accounts.
  • One advantage of the invention is that database and non-database access-privileges can be integrated and used to control access to a database.
  • Another advantage of the invention is that it is possible to externally authenticate non-database accounts by a database external authenticator, while access to the database is authorized by a database component.
  • Yet another advantage of the invention is that it is possible to define database internal accounts that can be used to access the database regardless of which database external server or authenticator is used.
  • Still another advantage of the invention is that it is possible to use operating system accounts used in many existing corporate environments as external database accounts that are also authorized to access a database.

Abstract

Techniques for using both database internal and database external authorization information to control access to a database are disclosed. Corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as “external” database accounts with database external authorization information that defines database external access privileges for a database. The database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts. An integrated access-privilege set is generated and used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database. As a result, databases can be integrated with various non-database entities (e.g., corporate computing systems).

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • This application is a continuation of U.S. patent application Ser. No. 11/048,834, filed on Feb. 1, 2005, and entitled “CONTROLLING ACCESS TO A DATABASE USING DATABASE INTERNAL AND EXTERNAL AUTHORIZATION INFORMATION,” which is hereby incorporated herein by reference and from which priority under 35 U.S.C. § 120 is claimed.
    BACKGROUND OF THE INVENTION
  • The present invention relates to databases and, more particularly, to controlling access to a database.
  • Databases are used to store data in a manner that facilitates subsequent use of the data. Typically, a database includes several tables containing one or more records. A record in a table stored in the database can hold information about a subject or item in its various fields.
  • To allow a user to more easily access and manage data stored in databases, database programs have been developed. Database programs, among other things, often provide a user interface, which allows the user to conveniently interact with the database program in order to perform various operations on the data stored in the database. The interface provided by the database program is typically a graphical user interface which allows the user to conveniently interact with the database program and, in turn, with the database. The user may interact with the graphical user interface to, for example, view the data in various ways. The visual representations provided to the user can include, for example, a browse mode. The browse mode allows records to be viewed, changed, sorted, deleted, or added.
  • As noted above, a database program allows users to conveniently access data stored in a local database. It should be noted that a database program (or product) could also be provided as a database server (or host), which allows a client (or a guest) to access data in a database, which is stored in a remote location with respect to the client. Generally, a first database program can, for example, be connected to a second database program over a computer network. In any case, one database program can act as a “client” (or guest) and establish a connection to the other database program which acts as a “server” (or host) to a database. The client database program can, in turn, provide the end-user (e.g., a human, or application program) with access to data, which is stored remotely.
  • Conventional database server programs (or products), however, can be configured only to grant access to a database based on a set of database accounts, which are typically defined by a database administrator, or alternatively grant access based on a set of operating system accounts which are typically defined by a system administrator. These operating system accounts are typically a set of general purpose accounts associated with different categories of access privilege (e.g., “admin,” “manager,” “data-entry-only”).
  • These different categories of access privileges are typically assigned to several different users. For example, several different individuals may be assigned the access level “manager.” This approach, however, does not allow a particular user to be identified when an external account is used, and thus may not adequately support a secure environment and/or allow monitoring (or logging) activities initiated using external accounts. In addition, access privileges cannot be easily modified (or updated) when general categories of access privileges are used (because access privilege is not defined per individual user). For example, if a particular manager leaves, the “manager” access level should be changed for security reasons. As a result, several other managers may have to be assigned a new access-level.
  • Moreover, conventional techniques do not allow configuring a server database product (or program) such that both database and operating system accounts can be used together to control access to a database. In other words, conventional database server products control access to a database either entirely based on non-database accounts (e.g. operating system accounts), or entirely based on a set of identifiers (e.g., access keys), which are typically maintained and administered separately from the non-database accounts.
  • As database products are more commonly used to access databases in corporate environments, the need for integration of databases with corporate computing systems becomes more prevalent. Accordingly, improved techniques for controlling access to databases are needed.
    SUMMARY OF THE INVENTION
  • Broadly speaking, the invention pertains to techniques for controlling access to a database.
  • In accordance with one aspect of the invention, sets of database “internal” and “external” (or non-database) access-privileges are defined for a database. An “external” database component can, for example, be any component that resides outside a database system, program, or product that is used as an interface to access a database. It will be appreciated that corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as database “external” accounts in accordance with one embodiment of the invention. In general, the database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts. In addition, sets of database “internal” and “external” access-privileges can be combined to generate an integrated access-privilege set which can be used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database. As such, the invention can be used to seamlessly integrate databases with various non-database entities (e.g., corporate computing systems). It should also be noted that non-database accounts may be authenticated externally, but access can be authorized using a database component (e.g., a server-side database component). Hence, databases can be integrated with various non-database entities, while authentication of non-database accounts is still performed by database external entities that are generally more preferred to authenticate their own accounts.
  • As will be described below, the invention can be implemented to control access with respect to both database internal and external accounts, which can be used to seek access to the database. Moreover, access to the database can be controlled using the same authentication information (e.g., username and password of an operating system account) regardless of whether the database is internally or externally accessed. This can be achieved by defining and using database “internal” and “external” access-privileges in a manner that allows combining them together and using them as an integrated access-privilege set arranged in accordance with assigned priority of authorized access. As a result, database internal and external access privileges may be conveniently defined and maintained in a central location, by a single entity that does not have to be a database administrator (e.g., a system or server administrator). Yet, a database administrator can still access the database using a database internal account regardless of which server or external (“non-database”) authenticator has been chosen by the non-database administrator (e.g., a system or server administrator) to authenticate database users.
  • The invention can be implemented in numerous ways, including as a method, an apparatus, a computer readable medium, and a database product, program, or system. Several embodiments of the invention are discussed below.
  • Other aspects and advantages of the invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example the principles of the invention.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:
  • FIG. 1 depicts a computing environment in accordance with an embodiment of the invention.
  • FIG. 2 depicts a server-side database component 108 in accordance with one embodiment of the invention.
  • FIG. 3 depicts an authorizing access method for authorizing access to a database in accordance with one embodiment of the invention.
  • FIG. 4 depicts an authorizing access method for authorizing access to a database in accordance with another embodiment of the invention.
  • FIG. 5 depicts a method for determining whether access to a database should be granted based on database external or internal authorization information in accordance with one embodiment of the invention.
  • FIG. 6 depicts a “Define Accounts and Privileges” panel in accordance with one embodiment of the invention.
  • FIG. 7 and FIG. 8 respectively depict “Edit Account” panels used to edit (or create) database external and internal authorization information.
    DETAILED DESCRIPTION OF THE INVENTION
  • As noted in the background section, the need for integration of databases with corporate computing systems has become more prevalent. Accordingly, improved techniques for controlling access to a database are disclosed.
  • In accordance with one aspect of the invention, sets of database “internal” and “external” (or non-database) access-privileges are defined for a database. An “external” database component can, for example, be any component that resides outside a database system, program, or product that is used as an interface to access a database. It will be appreciated that corporate accounts which are generally used in many corporate environments (e.g., operating system accounts) can be defined as “external” database accounts in accordance with one embodiment of the invention. In general, the database external access-privileges are used in conjunction with a set of complementary database “internal” access privileges defined for database internal accounts. In addition, sets of database “internal” and “external” access-privileges can be combined to generate an integrated access-privilege set which can be used as a single source to authorize access to a database regardless of whether database internal or external accounts are used to access the database. As such, the invention can be used to seamlessly integrate databases with various non-database entities (e.g., corporate computing systems). It should also be noted that non-database accounts may be authenticated externally, but access can be authorized using a database component (e.g., a server-side database component). Hence, databases can be integrated with various non-database entities, while authentication of non-database accounts is still performed by database external entities that are generally more preferred to authenticate their own accounts.
  • As will be described below, the invention can be implemented to control access with respect to both database internal and external accounts, which can be used to seek access to the database. Moreover, access to the database can be controlled using the same authentication information (e.g., username and password of an operating system account) regardless of whether the database is internally or externally accessed. This can be achieved by defining and using database “internal” and “external” access-privileges in a manner that allows combining them together and using them as an integrated access-privilege set arranged in accordance with assigned priority of authorized access. As a result, database internal and external access privileges may be conveniently defined and maintained in a central location, by a single entity that does not have to be a database administrator (e.g., a system or server administrator). Yet, a database administrator can still access the database using an internal database account regardless of which server or external (“non-database”) authenticator has been chosen by the non-database administrator (e.g., a system or server administrator) to authenticate database users.
  • Embodiments of these aspects of the invention are discussed below with reference to FIGS. 1-8. However, those skilled in the art will readily appreciate that the detailed description given herein with respect to these figures is for explanatory purposes as the invention extends beyond these limited embodiments.
  • FIG. 1 depicts a computing environment 100 in accordance with an embodiment of the invention. As shown in FIG. 1, a plurality of client computers 102 and 104 can communicate with a server computer 108 via a network 106. As is known in the art, this communication may be established using a variety of existing wired or wireless communication protocols, hardware, and software components, which will not be discussed further. The client computer 102 includes a client-side database component 110 that can be used to initiate communication with a server-side database component 112 operating in the server computer 108. Typically, the client-side database component 110 is used in order to access data stored in a database 114. By way of example, a user (or application) 116 can initiate a request to access data using the client-side database component 110. This request may, for example, be initiated as a result of the user 116 requesting to list or open one or more database files stored in the database 114. The user 116 may, for example, use a monitor 110 or a wireless phone 142 to access the client computer 102.
  • In any case, a request to access database 114 can be initiated by the client-side database component 102, and transmitted via network 106 to the server-side database component 112. In response, the server-side database component 112 can initiate an authentication process when it receives the request to access database 114. Typically, this authentication process authenticates the user 116 of the client computer 102. By way of example, the user 116 may have used a [user-id and password] to login to the client computer 102. In such cases, the server-side database component 112 initially authenticates the user 116 by sending the [user-id and password] to an external authenticator 118 for authentication before access to the database 114 is granted. The external authenticator 118 can, for example, be an operating system account manager (e.g., Active Directory in Windows operating environment, Open Directory in MAC operating environment).
  • It should be noted that the actual [user-id and password] do not need to be known by the client-side database component 102. In general, authentication information 150 can be made available as a block of data that is forwarded to the external authenticator 118 for authentication. The external authenticator 118 can, for example, decode and/or decrypt the block of data in order to authenticate the user 116.
  • In any case, if the user 116 is authenticated, the external authenticator 118 notifies the server-side database component 112 that the user 116 has been authenticated. In addition, the external authenticator 118 can send authorization information 152, for example, as one or more privilege-identifiers, which are associated with the authentication-information 150 (e.g., user-id and password) of the authenticated user. By way of example, a privilege-identifier may be a group-name that is also used in operating system accounts of corporate computing environments. As such, a privilege-identifier may associate a user with a group that has certain privileges with respect to data stored in a database (e.g. a group name used in Active Directory in Windows operating environment).
  • After the authentication process, the server-side database component 112 can initiate an authorization process, which determines the privileges that have been assigned to the user 116 with respect to database 112 (i.e., access-level privileges). As will be discussed below, sets of database internal information 120 (e.g., database account information) and database external information 122 (e.g., database external authentication information) can be defined for the database 114. In one embodiment described below, the database internal information 120 is defined as a set of database internal accounts that include both authentication information (e.g., name and password) with associated authorization information (e.g., an access-privilege set), while the database external information 122 includes external authorization information (e.g., group-names with associated access-privileges). In other words, the database external information 122 does not need to include external authentication information. As such, there is no need to store external authentication information in a database, and external authentication may be independently performed by a database external entity (e.g., an external authenticator). Moreover, the set of database internal and external information can be combined to generate an integrated access-privilege set 180 which is used to control access to the database.
  • Hence, the server-side database component 112 can determine access-level privileges of user 116 even though the user may have been externally authenticated by the external authenticator 118. More particularly, the server-side database component 112 can be configured to use the authorization information 152 sent by the external authenticator 118 and compare it with the generated integrated access-privilege set 160 in order to authorize the user 116 as a database internal or external account. Moreover, the server-side database component 112 can use the authentication information 152 in a manner that allows integration of external accounts (e.g. corporate accounts) used by various environments with database internal accounts. As will be discussed below, this integration allows authorized use of both database internal and external accounts, which attempt to access the database.
  • It should also be noted that an administrator-side database component (e.g., an administrative tool) 160 may also be provided to allow an administrator 162 to administrate the database 114 via server-side database component 112. Both users and administrators can be provided with authorized access in essentially the same manner. As such, authorization of a user will be further discussed.
  • To further elaborate, FIG. 2 depicts in greater detail the server-side database component 108 (shown in FIG. 1) in accordance with one embodiment of the invention. As shown in FIG. 2, the server-side database component 108 includes an authentication interface 202 which can communicate with the external authenticator 118 (also shown in FIG. 1). In addition, a database engine 204 is connected to the authentication interface 202 and database 114.
  • When a request 220 to access the database 114 is received by the server-side database component 108, authentication information 150 is forwarded, by the authentication interface 202, to the external authenticator 118, which initiates an authentication process. If the authentication process successfully authenticates the user associated with the authentication information 150, the external authenticator 118 determines authorization information 152 associated with the user and forwards it to the authentication interface 202. By way of example, authentication information 150 may be in the form of a name and a password set (e.g., Bob and xx) which is forwarded by the authentication interface 202 to the external authenticator 118. Again, it should be noted that the authentication information 150 (e.g., Bob, xx) may be explicitly known, or may be forwarded as a block of data without the server-side database component 108 (or authentication interface 202) having explicit knowledge of its content.
  • In any case, upon receipt of the authentication information 150, the external authenticator 118 can initiate an authentication process, which if successful, may result in transmission of authorization information 152 to the authentication interface 202. Typically, the authorization information 152 includes database external privilege-identifiers associated with access privileges of the authenticated user. As such, authorization information 152 can provide access-level privileges that have been defined for the authenticated user for an operating system.
  • As will be appreciated, these access privileges for a database may also be defined in a similar manner as privileges defined in corporate accounts (e.g. operating system accounts) in accordance with one embodiment of the invention. By way of example, group-names may be defined and associated with various user names and passwords in a set of database external authorization information 122, which is defined for the database 114 and can be stored in the database 114. As such, after authentication of a user's authentication information 150 (e.g., Bob and xx), group matches (e.g., Software, Manager Level-3 group), which have been defined in the operating system accounts for the user, may be identified by the external authenticator 118, and forwarded back to the authentication interface 202. As will be appreciated, these group names may also be defined for the database 114 and provided in the set of database external authorization information 122, which defines access privileges assigned to each group-name. By way of example, group-names: “Software group” and “Manager Level-3” may respectively be associated with “read-only” and “Admin” access privileges.
  • As a result, a name and a password pair (e.g., Bob and xx) used to sign into a corporate computing system (e.g., operating system account) can effectively also be assigned privileges with respect to accessing a database. Furthermore, the same name and password pair may be assigned access privileges and be stored in the database internal account 120. As shown in FIG. 2, database internal authorization information may be defined, for example, to associate a name and a password pair (Bob, xx) with “read-only” access privilege. Moreover, both internal and external authorization information stored respectively in the database internal accounts 120 and database external authorization information 122 can be used together to determine access-privileges of a user with respect to the database 114.
  • As shown in FIG. 2, an order field 230 can be provided for both the database internal accounts 120 and database external authorization information 122. The order field may be used to determine whether a user account should be considered as an internal or external database account. By way of example, when the authorization information 152 includes a name, password, and one or more associated group-names (e.g., Bob, xx, Software, and Manager Level-3 group names), the internal and external authorization information 120 and 122 of the database 114 can be searched in accordance with the particular order indicated by the order field. It should also be noted that the order field could be used to effectively generate an integrated access-privilege set 180, which, among other things, can be displayed for a user to allow convenient creation and maintenance of an integrated access-privilege set.
  • In this example, authorization information 152 (Bob, xx), which is also associated with group names: Software and Manager Level-3, would be matched as an internal database account with “read-only” privilege (Order 2). However, authorization information (Tom, yy), associated with Hardware and Engineering Level-1 groups, may be matched to an external database account with access privilege of: “read-only” (Order 5).
  • Although not depicted in FIG. 2, it should be noted that a plurality of different external authenticator interfaces associated with various external authenticators might be used to integrate a plurality of different operating systems and platforms with a database. Furthermore, much more complex algorithms may be used to determine priority. For example, each of the external accounts may additionally be assigned a weight which is added to individual priority assigned to each account (e.g., an order) in order to determine which access levels should be used.
  • FIG. 3 depicts an authorizing access method 300 for authorizing access to a database in accordance with one embodiment of the invention. Initially, a request to access the database is received (302). This request is typically received from a user on a local (or client) computer who is attempting to access a remote database via a server. When the request to access the database is received (302), it is determined (304) whether the user can be authenticated. If it is determined (304) that the user cannot be authenticated, an error is output (306) and the authorizing access method 300 ends. However, if it is determined (304) that the user can be authenticated, integrated authorization information is obtained or received (306). Again, the authorization is typically associated with a user on a local computer who is attempting to access data stored on a server in a remote location. Next, it is determined (308) whether authorization should be made as an external database account.
  • If it is determined (308) that authorization should not be made as an external account, it is determined (310) whether authorization should be made as an internal account. If it is determined (310) that authorization should not be made as an internal account, an error is output (306), and the authorizing access method 300 ends. However, if it is determined (310) that authorization should be made as an internal account, access privileges are determined based on authorization information stored as internal account information and the authorizing access method 300 ends. On the other hand, if it is determined (308) that authorization should be made as an external account, access privileges are determined (314) based on database external authorization information. The authorization access method 300 ends following operations (314) or (312). Determination (314) will be described in greater detail below. The determination of whether authorization should be made as an external account (308) or an internal account (312) will also be described below.
  • FIG. 4 depicts, in greater detail, an authorizing access method 400 for authorizing access to a database in accordance with another embodiment of the invention. Initially, a user on a local computer explicitly requests or triggers access (402) to a remote database. The remote database is typically accessed via a server. Next, authorization information associated with the user's account is obtained (404). By way of example, the authorization information can be a user name and a password. Typically, the same user-name (or user-id) and password are used by the user to sign into a local computer. As such, the user name and password may, for example, correspond to an operating system account. In any case, when the authorization information is obtained (404), the authorization information (e.g., user name and password) is forwarded (406) to an external authenticator. Typically, the external authenticator is associated with the operating system or platform of the local computer that the user has signed into.
  • Next, it is determined (408) whether the external authentication was successful. If it is determined (408) that the external authentication was not successful, an error is output (410), and the authorizing access method 400 ends. However, if it is determined (408) that the external authentication was successful, it is determined (412) whether any group names have been assigned to the authentication information (e.g., user name and password). If it is determined (412) that a group name has not been associated or assigned to the authentication information, a database internal account is used (414) in order to authorize access to the database. More particularly, a determination is made (414) as to which internal account matches the authentication information (e.g., user name and password). As such, it is determined (416) whether an internal account matches the authentication information. Accordingly, if it is determined (416) that an internal database account matches the authentication information, access privileges are granted (418) based on the matching authorization information in the database internal account, and the authorizing access method 400 ends. However, if it is determined (416) that a database internal account which matches the authorization information was not found, an error is output (410), and the authorizing access method 400 ends.
  • On the other hand, if it is determined (412) that there is at least one group name associated with the authentication information, one or more group names associated with the authentication information are obtained (420), and forwarded (421). Thereafter, it is determined whether access privilege should be granted based on database external or internal authorization information. Determination (422) will be described in greater detail with respect to FIG. 5 in accordance with one embodiment of the invention. The authorization access method 400 ends following determination (422) of whether access privileges should be granted from an external account or an internal account. In other words, upon successful validation of authorization information, access may be granted based on either internal or external account information.
  • FIG. 5 depicts a method 422 for determining whether access to a database should be granted based on database external or internal authorization information in accordance with one embodiment of the invention. Initially, authorization information is received (501). Typically, the authorization information is associated with a user seeking access to a database, and may include both internal authorization information (e.g., [name, password]), and external authorization information (e.g., one or more group-names). By way of example, authorization information may include: a user name: Bob, password: XX, and matching group-names: software and manager level-3 (also shown in FIG. 2).
  • In addition, an ordered list of all internal and external authorization information, which has been defined for the database, is initially obtained (502). As noted above, internal and external authorization information may, for example, be stored for each database that is made available to both local and remote users. Each of the internal and external authorization information may, for example, be provided in a table that includes an order or priority assigned (e.g., internal account information 120 and external authorization information 122 shown in FIG. 2). In any case, an ordered list of all internal and external authorization information (e.g., an integrated access privilege set) is obtained (502). As will be described below, the method 422 operates to compare the authentication information received (501) with this ordered list (502).
  • More particularly, the first item in the ordered list (e.g., Sam, ZZ, order 1) is read (504). Generally, it is determined (506) whether an item, which has been read from the ordered list, is associated with an external account. The determination (506) may, for example, be made by providing an external or internal field or flag for each item in the ordered list. If it is determined (506) that the item is not associated with an external account (i.e., the item is associated with an internal account), it is determined (508) whether the item matches the portion of the authorization information that corresponds to an internal account. By way of example, it can be determined whether the [name, password] portion of the authorization information matches the [name, password] portion of the item obtained from the ordered list that corresponds to a database internal account.
  • If it is determined (506) that the portion of the authorization information that corresponds to a database internal account matches the authorization information, access can be granted (510) based on the privileges associated with the matching item, and the method 422 ends. However, if it is determined (506) that the item, which has been read (504) from the ordered list, is associated with a database external account, it is determined (512) whether the portion of the authorization information, corresponding to a database external account (e.g., one or more group-names), matches the authorization information received (501). As will be appreciated, the authorization information corresponding to an external account may also be arranged in order. By way of example, group-names may be arranged in accordance with an access-priority, and be considered in the order of access-priority. In any case, if it is determined (512) that the portion of the authorization information, corresponding to database external accounts, matches the read item from the ordered list, access is granted (510) based on privileges defined in the item. On the other hand, if it is determined (508) that the internal authorization information does not match, or if it is determined (512) that the external authorization information does not match, the next item in the ordered list can be read (520, 522). If it is determined (530, 532) that the last item in the ordered list has been read, but no match has been found, access is denied (540), and the authorization method 422 ends.
  • FIGS. 6, 7 and 8 depict representative screens, which are generated by a graphical user interface provided for accessing a server-side database product (or program) in accordance with one aspect of the invention. More particularly, the graphical user interface can be used to manage internal and external authorization information respectively for database internal and external accounts.
  • FIG. 6 depicts a “Define Accounts and Privileges” panel in accordance with one embodiment of the invention. As shown in FIG. 6, several database internal accounts (labeled as FileMaker) and database external accounts (labeled as External Server) are displayed. As will be appreciated, both database internal and external accounts may be managed using the panel depicted in FIG. 6. For example, authentication and/or authorization can occur based on the order, which appears in the panel, and so on.
  • FIG. 7 and FIG. 8 respectively depict “Edit Account” panels used to edit (or create) database external and internal authorization information. Referring to FIG. 7, an “Edit Account” panel may be used to define a group name and a privilege set when an external server is chosen for authentication. As depicted in FIG. 8, the “Edit Account” panel may also be used to define a database internal account (i.e., FileMaker), which can be authenticated internally by the database server. In any case, various privileges (e.g., “Full Access,” “Data Entry Only”) may be defined for different database internal or external accounts.
  • The advantages of the invention are numerous. Different embodiments or implementations may yield one or more of the following advantages. One advantage of the invention is that database and non-database access-privileges can be integrated and used to control access to a database. Another advantage of the invention is that it is possible to externally authenticate non-database accounts by a database external authenticator, while access to the database is authorized by a database component. Yet another advantage of the invention is that it is possible to define database internal accounts that can be used to access the database regardless of which database external server or authenticator is used. Still another advantage of the invention is that it is possible to use operating system accounts used in many existing corporate environments as external database accounts that are also authorized to access a database.
  • The many features and advantages of the present invention are apparent from the written description, and thus, it is intended by the appended claims to cover all such features and advantages of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation as illustrated and described. Hence, all suitable modifications and equivalents may be resorted to as falling within the scope of the invention.
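
The first-match walk over the ordered list described for FIG. 5 (steps 501 to 540), as an added Python example that is not code from the patent or from any database product. The entry layout, the salted PBKDF2 storage of internal passwords and the privilege set given to each sample entry are assumptions; group names are assumed to reach the function only after the external authenticator has verified them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: internal passwords are kept as salted PBKDF2 digests,
    # never as the plaintext [name, password] pair.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class Entry:
    order: int            # position in the ordered list obtained at step 502
    external: bool        # internal/external flag tested at step 506
    name: str             # account name (internal) or group name (external)
    privilege_set: str
    salt: bytes = b""
    pw_digest: bytes = b""


def internal(order: int, name: str, password: str, privilege_set: str) -> Entry:
    """Build a database internal account entry (hypothetical helper)."""
    salt = os.urandom(16)
    return Entry(order, False, name, privilege_set, salt, _digest(password, salt))


def external(order: int, group: str, privilege_set: str) -> Entry:
    """Build a database external (group-name) entry (hypothetical helper)."""
    return Entry(order, True, group, privilege_set)


def authorize(entries: Iterable[Entry], name: str, password: Optional[str],
              groups: Iterable[str]) -> Optional[Entry]:
    """Return the first entry that matches, or None when access is denied."""
    verified_groups = frozenset(groups)
    for entry in sorted(entries, key=lambda e: e.order):       # 504, 520/522
        if entry.external:                                      # 506
            if entry.name in verified_groups:                   # 512
                return entry                                    # 510
        elif (password is not None and name == entry.name       # 508
              and hmac.compare_digest(_digest(password, entry.salt),
                                      entry.pw_digest)):
            return entry                                        # 510
    return None                                                 # 530/532 -> 540


# Constructed sample list. The names, passwords and group names follow the
# examples in the text; which privilege set each entry carries is an assumption.
ACL = [
    internal(1, "Sam", "ZZ", "Full Access"),
    external(2, "software", "Data Entry Only"),
    external(3, "manager level-3", "Full Access"),
    internal(4, "Bob", "XX", "Full Access"),
]

if __name__ == "__main__":
    cases = [
        ("Bob", "XX", ["software", "manager level-3"]),  # external path
        ("Bob", "XX", []),                               # internal path only
        ("Bob", "wrong", []),                            # no match anywhere
    ]
    for user, pw, grps in cases:
        hit = authorize(ACL, user, pw, grps)
        print(user, grps, "->", (hit.order, hit.privilege_set) if hit else "DENY")
```

Because the first match wins, Bob receives "Data Entry Only" from the order 2 group entry even though a later group and his own internal account both carry "Full Access"; reviewing the order of the list is therefore part of reviewing the privileges it grants.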

Claims (20)

1. A computer-implemented method of controlling access to data stored in a computer readable storage medium of a database system that includes a computing system, wherein said computer-implemented method comprises:
obtaining, by said computing system, external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
obtaining, by said computing system, authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
obtaining, by said computing system and based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
determining, by said computing system and based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
2. The computer-implemented method of claim 1, wherein said authentication information is and/or includes a password.
3. The computer-implemented method of claim 1, wherein said external system is located in a remote entity with respect to said database system.
4. The computer-implemented method of claim 1, wherein said external system is owned and/or operated by an entity that does not own or operate said database system.
5. The computer-implemented method of claim 1,
wherein said integrated set includes an ordered list, and
wherein said determining of whether to allow access is determined based on said ordered list.
6. A computer system operable to access data stored in a computer readable storage medium of a database system, wherein said computing system is further operable to:
obtaining external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
obtaining authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
obtaining, based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
determining, based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
7. A computer readable storage medium storing at least executable computer code embodied in a tangible form for controlling access to data stored in a database system that includes a computing system, wherein said computer readable storage medium includes:
executable computer program code operable to obtain external authentication data indicative of an external authentication identifier, wherein said external authentication identifier is associated with a database external account defined for an external system external with respect to said database system;
executable computer program code operable to obtain authorization data associated with said authentication data and stored on a computer readable storage medium of said database, wherein said authorization data includes group matching data indicative of one or more group identifiers defined for database external accounts including said database external account;
executable computer program code operable to obtain based on said authorization data, an integrated access privilege set that includes both: (a) database external authorization information and (b) database internal authorization information, wherein said database external authorization information (a) includes a plurality of group identifiers each of which are associated with one or more defined access-privileges for accessing said database by said database external accounts, and wherein said database internal authorization information (b) includes a plurality of database internal authentication identifiers that are each associated with one or more defined access-privileges for accessing said database; and
executable computer program code operable to determine based on said integrated access privilege set, whether to allow access by effectively using said one or more group identifiers or by effectively using said one or more database internal authentication identifier, thereby effectively allowing access with appropriate access privileges as a database external account based one or more matching group identifiers defined for database external accounts or as a database internal account with one or more database internal authentication identifiers defined for database internal accounts of said database.
8. The computer readable storage medium of claim 7, wherein said authentication information is and/or includes a password.
9. The computer readable storage medium of claim 7, wherein said external system is located in a remote entity with respect to said database system.
10. A database system that includes a computing system operable to control access to a database, wherein said database system is configured and/or operable for:
receiving a request, from a remote database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database;
sending authentication information associated with said request to an external authenticator for authentication;
determining whether said external authenticator has authenticated said authentication information;
obtaining, from said database, integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for at least one database internal account and one or more second authorization identifiers for said at least one database external account defined for an external system that is external to said database, and wherein said first one or more authorization identifiers are different than said second one or more identifiers;
searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database;
determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system;
authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account defined for said database; and
authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
11. A database system as recited in claim 10, wherein said database system further comprises:
an authentication interface that is capable of communicating with said external authenticator, wherein said external authenticator is operate to:
authenticate said authentication information; and
forward database external authorization information to said authentication interface of said database server component.
12. A database system as recited in claim 11,
wherein said database external authorization information includes one or more group names defined for said database system, and
one or more access-privileges have been associated with each one of said one or more groups and stored as database external authentication information for said database.
13. A database system as recited in claim 11, wherein said integrated access-privilege set is an ordered list of access-privileges associated with both of said at least one database internal account and at least one database external account.
14. A database system as recited in claim 10, wherein said authentication information includes a username and a password, and
wherein said external authenticator is associated with an operating system.
15. A database system as recited in claim 10,
wherein said database external privilege-identifiers are one or more group names defined for said database system, and
wherein one or more access-privileges are associated with each one of said one or more groups and stored as database external authentication information for said database.
16. A computer readable medium including at least executable computer program code embodied in a tangible form for controlling access to a database, comprising:
executable computer program code for receiving a request, from a database client component, to access said database, wherein said authentication information is for at least one database external account defined for an external system external to said database;
executable computer program code for sending authentication information associated with said request to an external authenticator for authentication;
executable computer program code for determining whether said external authenticator has authenticated said authentication information;
executable computer program code for obtaining from said database integrated authorization data that has been stored on said database for said authentication information when said external authenticator has authenticated said authentication information, wherein said integrated authorization data includes one or more first authorization identifiers for said at least one database internal account and one or more second authorization identifiers for said at least one database external account, and wherein said first one or more authorization identifiers are different than said second one or more identifiers;
executable computer program code for searching, based on said integrated authorization data, an integrated access-privilege set associated with said integrated authorization data, wherein said integrated access-privilege set has also been stored on said database and includes first authorization information for said at least one database internal account and second authorization information for said at least one database external account, wherein said first and second authorization information define different access-privileges for accessing said database;
executable computer program code for determining, based on said searching of said integrated access-privilege set, whether access to said database should be granted as said database internal account which has been defined for said database, or whether access to said database should be granted based on database external authorization information of said external account defined for said external system, wherein said external authorization information effectively defines at least one database external account for said database corresponding to said external account defined for said external system, thereby allowing said external account to be effectively used to access said database based on said external authorization information defined by said external system;
executable computer program code for authorizing access to said database based on access privilege information defined for a database internal account when said determines that access to said database should be granted as a database internal account which has been defined for said database; and
executable computer program code for authorizing access to said database based on said external authorization information defined for said database external account when said determines that access to said database should be granted based on database external authorization information.
17. A computer readable medium as recited in claim 16, wherein said integrated access-privilege set is an ordered list of access-privileges associated with both of said at least one database internal account and at least one database external account.
18. A computer readable medium as recited in claim 16, wherein said authentication information is and/or includes a password.
19. A computer readable medium as recited in claim 16, wherein said external system is located in a remote entity with respect to said database system.
20. A computer readable medium as recited in claim 16, wherein said external system is owned and/or operated by an entity that does not own or operate said database system.
US12/390,184 2005-02-01 2009-02-20 Controlling access to a database using database internal and external authorization information Abandoned US20090222449A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/390,184 US20090222449A1 (en) 2005-02-01 2009-02-20 Controlling access to a database using database internal and external authorization information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/048,834 US7516134B2 (en) 2005-02-01 2005-02-01 Controlling access to a database using database internal and external authorization information
US12/390,184 US20090222449A1 (en) 2005-02-01 2009-02-20 Controlling access to a database using database internal and external authorization information

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/048,834 Continuation US7516134B2 (en) 2005-02-01 2005-02-01 Controlling access to a database using database internal and external authorization information

Publications (1)

Publication Number Publication Date
US20090222449A1 true US20090222449A1 (en) 2009-09-03

Family

ID=36757842

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/048,834 Expired - Fee Related US7516134B2 (en) 2005-02-01 2005-02-01 Controlling access to a database using database internal and external authorization information
US12/390,184 Abandoned US20090222449A1 (en) 2005-02-01 2009-02-20 Controlling access to a database using database internal and external authorization information

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/048,834 Expired - Fee Related US7516134B2 (en) 2005-02-01 2005-02-01 Controlling access to a database using database internal and external authorization information

Country Status (1)

Country Link
US (2) US7516134B2 (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030087629A1 (en) * 2001-09-28 2003-05-08 Bluesocket, Inc. Method and system for managing data traffic in wireless networks
US20080172366A1 (en) * 1998-06-29 2008-07-17 Clifford Lee Hannel Query Interface to Policy Server
US7934257B1 (en) * 2005-01-07 2011-04-26 Symantec Corporation On-box active reconnaissance

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6292904B1 (en) * 1998-12-16 2001-09-18 International Business Machines Corporation Client account generation and authentication system for a network server
JP2002149468A (en) * 2000-11-06 2002-05-24 Hitachi Ltd Method for managing access right of multi-database integrated system
CA2428385A1 (en) * 2000-11-13 2002-05-16 Attachmate Corporation System and method for transaction access control
US7552222B2 (en) * 2001-10-18 2009-06-23 Bea Systems, Inc. Single system user identity
US7051036B2 (en) * 2001-12-03 2006-05-23 Kraft Foods Holdings, Inc. Computer-implemented system and method for project development
US7120785B1 (en) * 2002-11-25 2006-10-10 Apple Computer, Inc. Method and apparatus rendering user accounts portable

Cited By (83)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10437895B2 (en) 2007-03-30 2019-10-08 Consumerinfo.Com, Inc. Systems and methods for data verification
US11308170B2 (en) 2007-03-30 2022-04-19 Consumerinfo.Com, Inc. Systems and methods for data verification
US10262364B2 (en) 2007-12-14 2019-04-16 Consumerinfo.Com, Inc. Card registry systems and methods
US10878499B2 (en) 2007-12-14 2020-12-29 Consumerinfo.Com, Inc. Card registry systems and methods
US10614519B2 (en) 2007-12-14 2020-04-07 Consumerinfo.Com, Inc. Card registry systems and methods
US11379916B1 (en) 2007-12-14 2022-07-05 Consumerinfo.Com, Inc. Card registry systems and methods
US10075446B2 (en) * 2008-06-26 2018-09-11 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
US20220027853A1 (en) * 2008-06-26 2022-01-27 Experian Marketing Solutions, Llc Systems and methods for providing an integrated identifier
US20180343265A1 (en) * 2008-06-26 2018-11-29 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
US11769112B2 (en) * 2008-06-26 2023-09-26 Experian Marketing Solutions, Llc Systems and methods for providing an integrated identifier
US11157872B2 (en) * 2008-06-26 2021-10-26 Experian Marketing Solutions, Llc Systems and methods for providing an integrated identifier
US20150326580A1 (en) * 2008-06-26 2015-11-12 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
US10621657B2 (en) 2008-11-05 2020-04-14 Consumerinfo.Com, Inc. Systems and methods of credit information reporting
US10719873B1 (en) 2011-06-16 2020-07-21 Consumerinfo.Com, Inc. Providing credit inquiry alerts
US10685336B1 (en) 2011-06-16 2020-06-16 Consumerinfo.Com, Inc. Authentication alerts
US10115079B1 (en) 2011-06-16 2018-10-30 Consumerinfo.Com, Inc. Authentication alerts
US11954655B1 (en) 2011-06-16 2024-04-09 Consumerinfo.Com, Inc. Authentication alerts
US11232413B1 (en) 2011-06-16 2022-01-25 Consumerinfo.Com, Inc. Authentication alerts
US10176233B1 (en) 2011-07-08 2019-01-08 Consumerinfo.Com, Inc. Lifescore
US11665253B1 (en) 2011-07-08 2023-05-30 Consumerinfo.Com, Inc. LifeScore
US10798197B2 (en) 2011-07-08 2020-10-06 Consumerinfo.Com, Inc. Lifescore
US11087022B2 (en) 2011-09-16 2021-08-10 Consumerinfo.Com, Inc. Systems and methods of identity protection and management
US10642999B2 (en) 2011-09-16 2020-05-05 Consumerinfo.Com, Inc. Systems and methods of identity protection and management
US11790112B1 (en) 2011-09-16 2023-10-17 Consumerinfo.Com, Inc. Systems and methods of identity protection and management
US9972048B1 (en) 2011-10-13 2018-05-15 Consumerinfo.Com, Inc. Debt services candidate locator
US11200620B2 (en) 2011-10-13 2021-12-14 Consumerinfo.Com, Inc. Debt services candidate locator
US9311679B2 (en) * 2011-10-31 2016-04-12 Hearsay Social, Inc. Enterprise social media management platform with single sign-on
US20130110922A1 (en) * 2011-10-31 2013-05-02 Hearsay Labs, Inc. Enterprise social media management platform with single sign-on
US11356430B1 (en) 2012-05-07 2022-06-07 Consumerinfo.Com, Inc. Storage and maintenance of personal data
US9237156B2 (en) * 2012-05-21 2016-01-12 Salesforce.Com, Inc. Systems and methods for administrating access in an on-demand computing environment
US20130312068A1 (en) * 2012-05-21 2013-11-21 Salesforce.Com, Inc. Systems and methods for administrating access in an on-demand computing environment
US10277659B1 (en) 2012-11-12 2019-04-30 Consumerinfo.Com, Inc. Aggregating user web browsing data
US11863310B1 (en) 2012-11-12 2024-01-02 Consumerinfo.Com, Inc. Aggregating user web browsing data
US11012491B1 (en) 2012-11-12 2021-05-18 ConsumerInfor.com, Inc. Aggregating user web browsing data
US10963959B2 (en) 2012-11-30 2021-03-30 Consumerinfo. Com, Inc. Presentation of credit score factors
US11651426B1 (en) 2012-11-30 2023-05-16 Consumerlnfo.com, Inc. Credit score goals and alerts systems and methods
US10366450B1 (en) 2012-11-30 2019-07-30 Consumerinfo.Com, Inc. Credit data analysis
US11308551B1 (en) 2012-11-30 2022-04-19 Consumerinfo.Com, Inc. Credit data analysis
US11132742B1 (en) 2012-11-30 2021-09-28 Consumerlnfo.com, Inc. Credit score goals and alerts systems and methods
US11113759B1 (en) 2013-03-14 2021-09-07 Consumerinfo.Com, Inc. Account vulnerability alerts
US10043214B1 (en) 2013-03-14 2018-08-07 Consumerinfo.Com, Inc. System and methods for credit dispute processing, resolution, and reporting
US10102570B1 (en) 2013-03-14 2018-10-16 Consumerinfo.Com, Inc. Account vulnerability alerts
US10929925B1 (en) 2013-03-14 2021-02-23 Consumerlnfo.com, Inc. System and methods for credit dispute processing, resolution, and reporting
US11769200B1 (en) 2013-03-14 2023-09-26 Consumerinfo.Com, Inc. Account vulnerability alerts
US11514519B1 (en) 2013-03-14 2022-11-29 Consumerinfo.Com, Inc. System and methods for credit dispute processing, resolution, and reporting
US10169761B1 (en) 2013-03-15 2019-01-01 ConsumerInfo.com Inc. Adjustment of knowledge-based authentication
US11790473B2 (en) 2013-03-15 2023-10-17 Csidentity Corporation Systems and methods of delayed authentication and billing for on-demand products
US10740762B2 (en) 2013-03-15 2020-08-11 Consumerinfo.Com, Inc. Adjustment of knowledge-based authentication
US11775979B1 (en) 2013-03-15 2023-10-03 Consumerinfo.Com, Inc. Adjustment of knowledge-based authentication
US11164271B2 (en) 2013-03-15 2021-11-02 Csidentity Corporation Systems and methods of delayed authentication and billing for on-demand products
US10664936B2 (en) 2013-03-15 2020-05-26 Csidentity Corporation Authentication systems and methods for on-demand products
US11288677B1 (en) 2013-03-15 2022-03-29 Consumerlnfo.com, Inc. Adjustment of knowledge-based authentication
US10685398B1 (en) 2013-04-23 2020-06-16 Consumerinfo.Com, Inc. Presenting credit score information
US11803929B1 (en) 2013-05-23 2023-10-31 Consumerinfo.Com, Inc. Digital identity
US11120519B2 (en) 2013-05-23 2021-09-14 Consumerinfo.Com, Inc. Digital identity
US10453159B2 (en) 2013-05-23 2019-10-22 Consumerinfo.Com, Inc. Digital identity
US10325314B1 (en) 2013-11-15 2019-06-18 Consumerinfo.Com, Inc. Payment reporting systems
US10580025B2 (en) 2013-11-15 2020-03-03 Experian Information Solutions, Inc. Micro-geographic aggregation system
US11461364B1 (en) 2013-11-20 2022-10-04 Consumerinfo.Com, Inc. Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules
US10628448B1 (en) 2013-11-20 2020-04-21 Consumerinfo.Com, Inc. Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules
US10025842B1 (en) 2013-11-20 2018-07-17 Consumerinfo.Com, Inc. Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules
US11107158B1 (en) 2014-02-14 2021-08-31 Experian Information Solutions, Inc. Automatic generation of code for attributes
US11847693B1 (en) 2014-02-14 2023-12-19 Experian Information Solutions, Inc. Automatic generation of code for attributes
US10262362B1 (en) 2014-02-14 2019-04-16 Experian Information Solutions, Inc. Automatic generation of code for attributes
US10482532B1 (en) 2014-04-16 2019-11-19 Consumerinfo.Com, Inc. Providing credit data in search results
US11074641B1 (en) 2014-04-25 2021-07-27 Csidentity Corporation Systems, methods and computer-program products for eligibility verification
US10373240B1 (en) 2014-04-25 2019-08-06 Csidentity Corporation Systems, methods and computer-program products for eligibility verification
US11587150B1 (en) 2014-04-25 2023-02-21 Csidentity Corporation Systems and methods for eligibility verification
US11227001B2 (en) 2017-01-31 2022-01-18 Experian Information Solutions, Inc. Massive scale heterogeneous data ingestion and user resolution
US11681733B2 (en) 2017-01-31 2023-06-20 Experian Information Solutions, Inc. Massive scale heterogeneous data ingestion and user resolution
US11588639B2 (en) 2018-06-22 2023-02-21 Experian Information Solutions, Inc. System and method for a token gateway environment
US10911234B2 (en) 2018-06-22 2021-02-02 Experian Information Solutions, Inc. System and method for a token gateway environment
US11265324B2 (en) 2018-09-05 2022-03-01 Consumerinfo.Com, Inc. User permissions for access to secure data at third-party
US10671749B2 (en) 2018-09-05 2020-06-02 Consumerinfo.Com, Inc. Authenticated access and aggregation database platform
US11399029B2 (en) 2018-09-05 2022-07-26 Consumerinfo.Com, Inc. Database platform for realtime updating of user data from third party sources
US10880313B2 (en) 2018-09-05 2020-12-29 Consumerinfo.Com, Inc. Database platform for realtime updating of user data from third party sources
US10963434B1 (en) 2018-09-07 2021-03-30 Experian Information Solutions, Inc. Data architecture for supporting multiple search models
US11734234B1 (en) 2018-09-07 2023-08-22 Experian Information Solutions, Inc. Data architecture for supporting multiple search models
US11315179B1 (en) 2018-11-16 2022-04-26 Consumerinfo.Com, Inc. Methods and apparatuses for customized card recommendations
US11842454B1 (en) 2019-02-22 2023-12-12 Consumerinfo.Com, Inc. System and method for an augmented reality experience via an artificial intelligence bot
US11238656B1 (en) 2019-02-22 2022-02-01 Consumerinfo.Com, Inc. System and method for an augmented reality experience via an artificial intelligence bot
US11941065B1 (en) 2019-09-13 2024-03-26 Experian Information Solutions, Inc. Single identifier platform for storing entity data
US11880377B1 (en) 2021-03-26 2024-01-23 Experian Information Solutions, Inc. Systems and methods for entity resolution

Also Published As

Publication number Publication date
US20060173810A1 (en) 2006-08-03
US7516134B2 (en) 2009-04-07

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION