JP2001075854A - Method and system for data management, and storage medium with data management program stored therein - Google Patents

Abstract

PROBLEM TO BE SOLVED: To facilitate the access control for every user in a record unit in a data management system where a plurality of users share a database. SOLUTION: This data management system 105 managing a database 102 has record attribute information being information on each record stored in the database other than the column value of the column of a record defined by a user. The record attribute information includes, for instance, a user identifier showing the owner of the record corresponding to the record attribute information, an access right showing what action is allowed to be performed about the record by a user being the owner of the record and an access right showing what action is allowed to be performed about the record by a user being different from the owner of the record. The record attribute information is referred to about an inquiry from an application program, the approval/denial of the access for the user to the record is judged, and consequently, the access control of a record unit for every user is performed.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] The present invention relates to a data management method,
The present invention relates to a data management system and a storage medium storing programs and data related to the system, and more particularly to a data management method for performing access control for each user on a record basis.

[0002]

2. Description of the Related Art SQL, which is a standard for a query language for databases, uses GRANT as an access control for each user.
The statement stipulates that access control such as reference, update, and delete is performed in table units.

On the other hand, in a database system, as a method of performing access control for each user on a record-by-record basis, a program that uses a database by setting a value for identifying a user to a column value constituting a record stored in the database is used. There is a method of controlling access by a value for identifying the user. As such an example, there is a method disclosed in, for example, Japanese Patent Application Laid-Open No. Hei 10-124491, "Document Sharing and Organizing System, Shared Document Management Device and Document Accessing Device".

As a method of controlling access for each user on a record-by-record basis, there is a method disclosed in JP-A-6-348575, "Database Controller". This method uses an access right management table that sets the correspondence between column value conditions and access rights for each user. If the column value satisfies a certain condition according to the settings in the access right management table, the corresponding user By controlling the access for each record, it is possible to realize complicated access right control on a record basis.

[0005]

In the above prior art,
In the database management system that manages the database, no consideration is given to controlling database processing based on information other than the column values of user-defined columns that constitute records, and therefore, access control decisions are not taken into account. All of the underlying values must be expressed as column values, included in the records and stored in the database, and access control must be performed based on the column values in the program that uses the database. There was a problem of being big.

For example, in order to control access so that a plurality of users register records in one table of one schema and a certain user can refer to only records created by the user from the table, a program using a database is used. It is necessary to perform the following access control in the application program that is.

First, in the definition of a table, a column for holding a user identifier indicating the user who created each record must be prepared. Then, in the record registration, the application program generates a user identifier and stores the user identifier in a column defined to hold the user identifier.

In the search, access control is performed by the following two methods.

One method is to query a database (search request to a database management system) to search only records in which a user ID of a user who executes a search is stored in the column holding the user ID. In this method, the conditions of the query are set as described above, and records are selected by narrowing down by general conditions in the database management system.

Another method is that the application program selects only records in which the user identifier of the user who has executed the search is stored in the column holding the user identifier among the records obtained by searching the database. Is the way.

As described above, according to the prior art, all access control for each user must be implemented by an application program.

The application program must ensure that the user identifiers are unified to indicate the same user, and that consistency is maintained in order to identify users in a plurality of tables.

Further, the user identifier registered in the database is a value independently created by the application program outside the management of the database management system, and the database management system determines that it is a value for identifying the user. not recognize. In the database management system, the column that holds the user identifier is not treated as a special column for identifying the user separately from other columns.
The user is not recognized based on the column holding the user identifier. Therefore, access control cannot be performed for a user who directly refers to the database through the database management system without using an application program for performing access control, or for a user who intentionally changes the user identifier.

In addition, since access control is performed by an application program independently of user management in a database management system that supports user management specified by SQL, access control performed by the database management system and access control performed by an application are performed. Controls must be adjusted to match.

In addition, a table having the same name cannot be defined in one schema. When one table is shared by a plurality of users, if the table is specified as UNIQUE, different users cannot register the same record. Therefore, it is not possible for a plurality of users to share the same table and to refer to the record for each user individually.

The prior art does not disclose a method or system for solving the above problem.

An object of the present invention is to facilitate access control for each user in a record unit in a data management system in which a plurality of users share a database.

[0018]

In order to achieve the above object, the present invention relates to a data management method for managing access to data, which manages a data attribute holding a value relating to access control associated with data. When a data processing request is input, whether the data processing request is accessible to data is determined based on the data attribute associated with the data, and if the result of the determination indicates that the data is accessible, On the other hand, data processing based on the data processing request is performed.

Further, when the value of the data attribute is unspecified, a value designated in advance is regarded as the value of the data attribute. Further, according to the present invention, a user identifier for identifying a user who makes a data processing request and an access right indicating whether or not the user can access the data are assigned to the data attribute associated with the data. Is included.

According to the present invention, in a data management system for managing access to data, a user recognizing means for recognizing a user who has made a data processing request, and analyzing the data processing request and recognizing a requested action. Request analysis means for determining whether or not a user can perform an action on data in the data attribute, and determining whether or not access to data is possible based on the data attribute It is characterized by having.

Further, the present invention is a storage medium storing a data management program in a data management system for managing access to data, wherein the data management program holds a value relating to access control associated with data. When the data attribute is managed and a data processing request is input, it is determined whether the data processing request is accessible to the data based on the data attribute associated with the data, and as a result of the determination, the data is accessible. In this case, data processing is performed on the data based on the data processing request.

[0022]

Embodiments of the present invention will be described below in detail with reference to the drawings. First, a database system according to an embodiment of the present invention will be described, and the principle of the present invention will be described.

FIG. 1 is a conceptual diagram showing an outline of a database system according to an embodiment of the present invention. The database system 101 stores the user 10
3 is a system for managing access from the third party.

As shown in FIG. 1, the database system 101 of the present embodiment includes an application program (AP) 104 and a database management system 105.

The AP 104 sends a database connection request 106
Is transmitted to the database management system 105 to establish a connection with the database management system 105 and the user 10
3 is a program that transmits a query 107 representing a request from the third server to the database management system 105 and receives a query processing result 108 which is a result of database processing corresponding to the request.

The database management system 105 is a program that manages the database 102, performs database processing corresponding to the inquiry from the AP 104, and returns an inquiry processing result 108 including result data 109 as the processing result to the AP 104.

The database management system 105 includes an execution control unit 110, a request analysis unit 111, and a user authentication unit 1.
12, the data search unit 113, and the access permission determination unit 1
Consists of fourteen.

The execution control unit 110 controls the execution of the processing performed in the database management system 105. That is, the execution control unit 110 executes the database management system 1
05 is executed by the request analysis unit 111
, The user authentication unit 112, the data search unit 113, and the access determination unit 114. The request analysis unit 111 analyzes a request from the AP 104. The user authentication unit 112, based on the specification for identifying the user included in the database connection request 106 from the AP 104,
The user 103 is authenticated. The data search unit 113 searches for a record in the table 115 stored in the database 102. The access permission / non-permission determining unit 114 refers to the information indicating the access right included in the record attribute information 116 and determines whether or not the access to the record is possible in the database processing corresponding to the inquiry 107 of the AP 104.

The database 102 comprises a table 115 for holding records and record attribute information 116 for holding attribute information on each record. FIG.
Here, the records of the table 115 and the attribute information related to the records are shown in correspondence so as to be on the same line.

Next, an outline of a data search process in the database system 101 will be described. First, the AP 104 makes a database connection request. This connection request is described in the database language SQL statement as follows.

CONNECT TO dbserver USER 'usr1' ... 106

As described above, the database management system 1
Name to identify 05 as the database server dbserver
Is specified, and the database management system 105
Designate a user identifier usr1 used to identify 03.

The database management system 105 authenticates the user by the user authentication unit 112 in accordance with the database connection request 106, creates execution user information 117, and establishes a connection between the AP 104 and the database management system 105.

Next, the AP 104 transmits a search query to the database management system 105. This query
Describe in the database language SQL statement as follows.

SELECT clm1 FROM tbl1 WHERE clm2 <200… 107

This is a query for searching the table tbl1 for the value of the column clm1 of the record in which the value of the column clm2 is smaller than 200.

The database management system 105 performs the following processing under the control of the execution control unit 110. First, the request analysis unit 111 analyzes the inquiry 107. As a result of the analysis, a request action 118 indicating that the type of the requested action is a search is created. Next, the data search unit 113 acquires a record satisfying the query condition from the table 115 stored in the database 102. Next, the access permission / non-permission determining unit 114 acquires the record attribute information 116 corresponding to the record acquired by the data retrieval unit 113, and executes a search as a requested action by referring to the access right included in the record attribute information. Determine whether it is possible.

In the example of FIG. 1, since the execution user information is usr1, the owner access right of the record attribute information 116 is assigned to the record whose owner is usr1, and the record is assigned to the record whose owner is not usr1. Attribute information 1
Reference is made to the other person's access right out of 16, and the search is executed only for the record whose access right includes the search execution right. Next, the data search unit 113 extracts the value of the column clm1 specified in the SELECT clause only for the record that can be searched, creates the result data 109,
The search result is returned to the AP 104 as an inquiry result 108, and the search processing is terminated.

As shown in this example, the present embodiment has the following effects. The access permission / non-permission determining unit 114 determines access permission based on the execution user information 117 with reference to the access right included in the record attribute information 116 different from the record column value. The AP 104
Therefore, it is possible to easily perform access control in units of records for each user without performing complicated access control.

FIG. 2 is a diagram showing an example of a hardware configuration in the embodiment of FIG. A program shown as an embodiment of the present invention operates on the data processing device shown in FIG.

Data processing devices 201-1 and 201-2
Are central processing units (CPU) 202-1, 202, respectively.
-2, main storage devices (memory) 203-1 and 203-2,
It comprises input / output (I / O) controllers 204-1 and 204-2, communication controllers 205-1 and 205-2, and system buses 206-1 and 206-2 connecting these. Also, the I / O controllers 204-1 and 204-
2 includes data input / output devices 207-1 and 207-2 such as a keyboard, a mouse, and a display, and a data storage device 208- such as a magnetic disk device.
1, 208-2 and the like are connected.

Data processing devices 201-1 and 201-2
Is LA by the communication controllers 205-1 and 205-2.
It is connected to a network 209 such as an N (Local Area Network) and communicates with other data processing devices connected to the network 209.

The data processing shown in FIG.
The CPUs 202-1 and 202-2 store the memories 203-1 and 20-20.
This is realized by executing the program stored in 3-2. AP104 and database management system 1
The programs that implement the functions of
03-1, 203-2, and the CPU 202-1,
202-2. Note that the AP 104 and the database management system 105 are logical functional units of software, respectively, and may each operate on physically different data processing devices 201-1 and 201-2. A program for these functions may operate on the processing device. Further, the database 102 and the like include the data storage devices 208-1 and 20
This is realized by storing data in 8-2.

Next, the database system of the embodiment shown in FIG. 1 will be described in more detail.

FIG. 3 is a configuration diagram showing a detailed configuration of the database system of the embodiment of FIG. The basic configuration is the same as the configuration of the system shown in FIG. 1, but the embodiment is embodied to use an index for performing the access control described in FIG. That is, the database management system 105 uses the index 305, and the database management system 105
1, a data registration unit 302, a data deletion unit 303, and a data update unit 304.

The index management unit 301 supports an index function in a general database management system, and uses a column value of a record in the table 115 as a key and a set of an identifier for identifying the record in the database as a value in the index record 306. It is stored and stored in the index 305. The index management unit 301 acquires a record identifier of a record that satisfies the condition of the key column value.

FIG. 4 is a diagram showing the structure of the table 115 and the record attribute information 116.

The table 115 has two columns clm1, clm
Shows a table with m2 and identified by tbl1.

The table 115 includes records 401 and 40
2, 403, 404, and 405 are held. Record 40
1 is the column value aa for each of the columns clm1 and clm2
a, consisting of 200. Record 402 has columns clm1, clm2
Consists of the column values bbb and 100 for each of. The record 403 includes column values ccc and 100 for the columns clm1 and clm2, respectively. Record 404 has column clm
1, column values ddd and 210 for clm2 respectively. The record 405 includes column values eee and 150 for the columns clm1 and clm2, respectively.

The record attribute information 116 is stored in the table 11
5 records 401, 402, 403, 404, 405
Attribute information 406, 407, 40 corresponding to each of
8, 409 and 410 are held.

This attribute information includes an owner, an owner access right, and another person access right. The owner of the record attribute information 406 of the record 401, the owner access right,
And the other person's access rights are usr1, "search / update / delete", and no setting, respectively, which indicate the following: The owner of the record 401 is the user identified by usr1. The database processing actions that the owner usr1 of the record 401 can perform on the record 401 are search, update, and delete. There is no database processing action that can be performed on the record 401 by anyone other than the owner usr1 of the record 401.

Similarly, the record attribute information 407 corresponding to the record 402 indicates the following. Record 40
Owner 2 is the user identified by usr1. The database processing actions that the owner usr1 of the record 402 can perform on the record 402 are search, update, and delete. Record 4 other than owner usr1 of record 402
The action of database processing that can be performed on 02 is search.

The record attribute information 408 corresponding to the record 403 indicates the following. The owner of the record 403 is the user identified by usr2. The database processing action that can be performed on the record 403 by the owner usr2 of the record 403 is deletion. A database processing action that can be performed on the record 403 by a person other than the owner usr2 of the record 403 is search.

The record attribute information 409 corresponding to the record 404 indicates the following. The owner of the record 404 is the user identified by usr3. The database processing actions that the owner usr3 of the record 404 can perform on the record 404 are search and delete. No database processing action can be performed on the record 404 by anyone other than the owner usr3 of the record 404.

The record attribute information 410 corresponding to the record 405 indicates the following. The owner of the record 405 is the user identified by usr2. The database processing actions that the owner usr2 of the record 405 can perform on the record 405 are search, update, and delete.
The database processing actions that can be performed on the record 405 by a person other than the owner usr2 of the record 405 are search, update, and delete.

With such a configuration of the table 115 and the record attribute information 116, information indicating an access right for each user in a record unit is held.

In this example, the table 115 and the record attribute information 116 are configured separately. However, a database is provided separately from the column defined by the user so that the contents of the record attribute information 116 are stored in the columns of the table 115. It may be created and configured by the management system 105.

FIG. 5 is a diagram showing the structure of the index record 306 held in the index 305 of FIG. The index 305 in FIG. 3 is an index set using the column clm2 as a key for the table 115 identified by tbl1 described in FIG.

As shown in FIG. 5, the index record 306 includes a key value 501, a record identifier 502, and record attribute information 503. The record attribute information 503 includes a user identifier 504, an owner access right 505, and another person access right 506. The index record 306 illustrated in FIG. 5 is an index record corresponding to the record 401 of the table 115, and the key value 501 is 200 and the record identifier 502 is record 4
01 is a record identifier rcdid1 that identifies 01. The record attribute information 503 indicates that the owner of the record 401 is the user usr1, the owner access right of the record 401 is search, update, and delete, and the record 402 has no other access right. Show.

With such a configuration, the index record 306 indicates an access right for each user in a record unit.

FIG. 6 shows the database system 10 described above.
3 is a flowchart showing the flow of a database connection process in the first embodiment;

First, the AP 104 requests a database connection to the database management system 105 (60).
1). That is, a database connection request 106 is transmitted to the database management system 105. Next, the user authentication unit 112 analyzes the database connection request 106,
The user is authenticated (602). Generally, user authentication performed in a database management system may be used. Next, the database management system 105 creates execution user information 117 based on the information on the user authenticated in step 602 (603). Next, the database management system 105 establishes a connection with the AP 104 (604). Generally, connection establishment processing performed by a database management system may be used. Thus, the database connection process ends.

With this processing, the database management system 105 obtains the execution user information 117 for determining which user is required to perform the database processing according to the inquiry 107 of the AP 104, which is performed thereafter.

FIG. 7 is a flowchart showing the flow of basic database processing in the database system 101.

First, the AP 104 sends an inquiry 107 to the database management system 105 (70).
1). Next, the request analysis unit 111 of the database management system 105 analyzes the inquiry 107 (702). An inquiry analysis result 705 is output as the analysis result. In addition, a request action 118 indicating a database processing action such as search, update, or deletion requested by the query is output.

Next, the database management system 105 performs a database process corresponding to the inquiry 107 (70
3). That is, in response to a request for search, update, deletion, etc. indicated in the request action 118,
17, the database processing is performed while the access permission / inhibition determination unit 114 determines whether or not the action can be executed. The details will be described later with reference to FIG. 8, FIG. 14, FIG. 16, and FIG. As a result of database processing,
The query processing result 108 is output.

The database management system 105 returns the query processing result 108 to the AP 104 (704), and ends the database processing.

Next, details of the search processing in the database system 101 will be described. The search request of the AP 104 is the same as the query 107 shown in FIG. Also,
The overall database processing flow is as shown in FIG. 7, and the details of the search processing will be described as the processing flow in the database management system 105 in step 703 in FIG.

FIG. 8 shows the database management system 105.
3 is a flowchart of a search process in the embodiment.

First, the database management system 105
Acquires the search condition 805 based on the query analysis result 705 (801). For example, the query 107 shown in FIG.
Then, the search condition of clm2 <200 is obtained.

Next, the data search unit 113 creates result data 806 from the record of the database 102 (802). Specifically, the data search unit 113 determines whether the access permission / inhibition unit 114 is executable based on the request action 118 indicating that it is a search action and the execution user information 117 indicating that the requesting user is usr1. Search processing is performed on the record for which the determination is made as the processing target. The result data 806 is output as a search processing result. Details will be described later with reference to FIG.

Next, the database management system 105
Determines whether the result data 806 has been obtained in step 802 (803). If there is the result data 806, the result data is set as the query processing result 108 (804), and the process returns to step 802 to repeat the process to create the next search result data. If there is no result data in the determination in step 803 (when all the corresponding records in the database have been processed), this processing ends.

FIG. 9 is a flowchart showing a process (step 802 in FIG. 8) for creating a search result in the data search unit 113.

First, the data search unit 113 determines whether or not an index has been set as a search processing target (9).
01).

If an index has been set, the index management unit 301 acquires a record identifier 905 of a record that satisfies the query condition and is accessible (9).
02) (details of this processing will be described later with reference to FIG. 10), and then, based on the record identifier 905, the data search unit 113 acquires a record from the database 102 and creates result data 806 (903). , This search process ends.

If the index has not been set in step 901, the data search unit 113 acquires a record that satisfies the query condition and is accessible from the database 102, and creates the result data 806 (90).
4) (Details of this processing will be described later with reference to FIG. 12), and this search processing ends.

FIG. 10 is a flowchart of the search process (step 902 in FIG. 9) in the index management unit 301.

First, based on the search condition 805, the index management unit 301
006 is obtained (1001).

Next, the access permission / non-permission determining unit 114 determines whether or not the requested action can be executed based on the record attribute information corresponding to the index record 1006 and the request action 118 indicating that the request is a search request (1002). . The process of determining whether or not execution is permitted by the access determination unit 114 will be described with reference to FIG.

Next, it is determined whether or not the result of the determination by the access permission / non-permission determining unit 114 is executable (1003). If executable, the record identifier 905 included in the index record 1006 is output (1004), and this processing ends. If it is not executable in the determination of step 1003, it is determined that there is no applicable record (1005), and this processing ends.

According to the above processing, the database management system 105 determines a database processing request from a user on a record basis for each execution user based on the execution user information and the access right information of the record attribute information included in the index. Access control can be performed.

FIG. 11 is a flowchart of the process (step 1002 in FIG. 10) of determining whether the requested action can be performed by the access determination unit 114.

First, the access determination unit 114 determines whether or not the execution user is the owner of the record based on the execution user information 117 and the record attribute information 1107 which are inputs of this processing (1101). . If the executing user is the owner of the record, information indicating the access right of the owner is obtained from the record attribute information 1107 in the access right information 11.
08 (1102), and proceeds to step 1104. If the executing user is different from the owner of the record in step 1101, information indicating the access right of another person is acquired from the record attribute information 1107 as access right information 1108 (1103), and the process proceeds to step 1104.

Next, in step 1104, step 1
Access right information 110 obtained in 102 or 1103
8 and a request action 1109 which is an input of this processing, it is determined whether or not the execution right of the request action exists. For example, when the requested action is a search and the access right information includes the search, it is determined that the execution right exists. If it is determined in step 1104 that there is an execution right, it is determined that execution is possible (1
105), this process ends. If it is determined in step 1104 that there is no execution right, execution is disabled (1106),
This processing ends.

According to the above processing, the database management system 105 can access the database processing request from the user on a record-by-record basis for each execution user based on the execution user information and the access right information included in the record attribute information. Control can be performed.

FIG. 12 is a flowchart of a search process in the data search unit 113. This processing shows the details of the processing of step 904 in FIG.

First, the data search unit 113 searches the database 102 for a record that satisfies the query condition 805 (1201). The record attribute information 1208 corresponding to the record obtained by the search is acquired.

Next, it is determined whether or not a record satisfying the condition is obtained in step 1201 (1202). If a record is obtained, the access permission / inhibition determination unit 11 is performed based on the request action 118 and the execution user information 117.
In step 4, it is determined whether the search request action is executable (1203). This determination process is performed by the process shown in FIG.

Subsequently, it is determined whether or not the result of the determination in step 1203 is executable (1204). If executable, the result data 806 is created based on the record obtained in step 1201 (1205), and this process ends. If it is not executable in step 1204, it is determined that there is no applicable result (1206), and this process ends.

If there is no record in step 1202, it is determined that there is no applicable result (1207), and this processing ends.

According to the above processing, the database management system 105 determines a database processing request from a user on a record basis for each execution user based on the execution user information and the access right information of the record attribute information included in the database. Access control can be performed.

Next, details of the data registration processing in the database system 101 of the present embodiment will be described.

FIG. 13 is a diagram showing the configuration of the database system 101 of the present embodiment. Basically, it has the same configuration as the database system 101 shown in FIG. 3, but shows a configuration focusing on the flow of data registration.
That is, the AP 104 issues an access right setting request 1301 that specifies how to make the access right in the database 102 to the data 1303 to be registered, and an inquiry 1302 of the data registration request;
In the database management system 105, it is shown that the request action 118 indicates “registration” and that the request action 118 has access right information 1304 in response to the access right setting request 1301.

This access right setting request 1301 SET INSERT_DATA_PERMISSION 'SUD ---' indicates that, for data to be registered thereafter, the owner's access right is “search / update / delete” and there is no other person's access right. Indicates that The request analysis unit 111 analyzes such an access right setting request 1301 and obtains access right information 1304.

A query 1302 of the registration request INSERT INTO tbl1 VALUES ('fff' 300) is stored in the table tbl1 as registration data 1303 (the value of which is ff
f, 300).

Next, details of the data registration processing in the database system 101 will be described. The overall flow of database processing is as shown in FIG. 7, and the details of the registration processing will be described as the flow of processing in the database management system 105 in step 703 in FIG.

FIG. 14 shows the database management system 10
6 is a flowchart of a registration process in No. 5.

First, the database management system 105
Based on the registration data 1303
A record to be stored in the file is created (1401). In the example of the registration data 1303 in FIG. 13, a record is created having column values of fff and 300 for the columns clm1 and clm2, respectively.

Next, the database management system 105
Is executed user information 117 and access right information 130
4 based on the record attribute information (140
2). User identifier us included in execution user information 117
Record attribute information is created based on r1, the owner access right “search / update / delete” of the access right information 1304, and the other person access right “none”.

Next, the data registration unit 302 stores the records created in steps 1401 and 1402 and the record attribute information in the database 102 in association with each other (1403). As a result of the storage, a record identifier 1406 for identifying the stored record is created.

Next, it is determined whether or not an index is set for the table 115 holding the registered records (1404). If an index has been set, the index management unit 301 performs index record registration processing (1405) (details of the index record registration processing will be described with reference to FIG. 15), and this processing ends. If no index has been set in step 1404, this process ends.

By such processing, the database management unit 105 sets the information necessary for access control in the record attribute information 116 even if the AP 104 does not specify the user information or the information related to the access right in the registration request inquiry. Therefore, access control can be performed without imposing a burden on the AP 104.

FIG. 15 is a flowchart of the index record registration process in the index management unit 301. This shows the details of the processing in step 1405 in FIG.

First, the index management unit 301
4, registration data 1303 specified by the registration request from
An index record 1504 to be registered in the index is created based on the record identifier (rcdid2 in this example) 1406 obtained in step 1403 (15).
01). In this example, an index record 1504 including the key value 300 of the column clm2 and the record identifier rcdid2 for identifying the record is created.

Next, record attribute information 1505 is created based on the execution user information 117 and the access right information 1304 (1502). In this example, record attribute information including the execution user usr1 and the access right information 'SUD ---' is created. Next, the index record 1504 and the record attribute information 1505 are registered in the index 305 in association with each other (1503), and this processing ends.

By such processing, the database management unit 105 makes the index record 30 of the index 305
Since information necessary for access control is set in the record attribute information No. 6, access control can be performed without imposing a load on the AP 104.

Next, the details of the data registration processing including the UNIQUE check when the database system 101 specifies UNIQUE so that the same record does not exist in the records held in the table 115 will be described. In addition,
In the UNIQUE check in this example, it is assumed that record identity is checked for each user. That is, when records owned by each user are unique and registered users are different (record owners are different), it is assumed that records having the same column values can exist in the same table.

The flow of the entire database processing is shown in FIG.
The details of this registration process are described in
The database management system 10 in step 703 of FIG.
5 will be described.

FIG. 16 shows the database management system 10.
9 is a flowchart of a data registration process including a UNIQUE check in No. 5; The basic processing flow is the same as that shown in FIG. Only different parts will be described.

First, after creating records to be registered and record attribute information in steps 1401 and 1402,
Before storing records in the database 102 in step 1403, a UNIQUE check is performed (1601). Details of the check processing will be described with reference to FIG.

Subsequently, as a result of the UNIQUE check, it is determined whether a record has already been registered (160).
2). If there is a record registration, a “registered” error is determined (1603), and this process ends. Step 16
If no record is registered in step 02, step 1
The processing as described in FIG. 14 after 403 is performed.

FIG. 17 shows the database management system 10.
5 UNIQUE check processing (step 160 in FIG. 16)
It is a flowchart of 1).

First, it is determined whether or not an index is set in the table 115 for registering data (170).
1). If an index is set, the index management unit 301 searches for a record that is identified with the registered data based on the registered data 1303 and the execution user information 117 (1702). For more information on this step,
This will be described with reference to FIG.

Subsequently, as a result of the search in step 1702, it is determined whether or not the index is registered (170).
3). If there is a registration, "Already registered" (1
704), this process ends. If you have not registered,
"No registration" is set (1705), and this process ends.

If the index is not set in step 1701, based on the registration data 1303 and the execution user information 117, the data search unit 113 searches the database 102 for a record that is identified with the registration data (1706). . Details of this step will be described with reference to FIG.

Subsequently, as a result of the search in step 1706, it is determined whether or not a record has already been registered in the database 102 (1707). If there is a registration, it is determined that "already registered" (1708), and this processing ends. If there is no registration, “No registration” (17
09), this process ends.

FIG. 18 is a flowchart of a process (step 1702 in FIG. 17) in which the index management unit 301 searches for a record identified with registered data.

First, in the index 305, an index record 1808 whose key matches the key of the registration data 1303 is searched (1801). Next, step 1
As a result of the search in 801, it is determined whether there is a matching index record (1802). As a result of the determination, if there is no index record, “No registration” is set (180
3), this process ends.

If there is an index record in step 1802, record attribute information 1809 corresponding to the index record 1808 is obtained (1804). Next, the execution user information 117 and the record attribute information 1809
It is determined whether the owner of the record matches the owner of the record based on the owner included in the record (1805). If the users match, it is determined that “already registered” (180
6), this process ends. If the users do not match, "no registration" is set (1807), and this process ends.

By such processing, the database management system 105 can perform a unique check of a record for each user using the index.

FIG. 19 is a flowchart of a process (step 1706 in FIG. 17) of searching the database 102 for a record identified with registered data by the data search unit 113.

First, the data search unit 113 searches the database 102 for a record that matches the registered data 1303 (1901). Next, it is determined whether there is a matching record as a result of the search in step 1901 (1902).

If there is a matching record, the record attribute information 1908 corresponding to the record is obtained (1903), and it is determined whether or not the execution user information 117 and the owner of the record attribute information 1908 match (step 1903). 19
04). If they match, it is determined that "already registered" (1
905), this process ends. If they do not match,
"No registration" is set (1906), and this process ends.

If there is no matching record in the database in step 1902, it is determined as "no registration" (190
6), this process ends.

By such processing, the database management system 105 can perform a unique check of a record for each user based on the record attribute information 116 held in the database 102.

In the above processing, the identity of the records is determined by including the attribute information on the records in addition to the column values constituting the records.

Next, the details of the data deletion processing of the database 102 in the database system 101 will be described. The overall flow of the database processing is as shown in FIG. 7, and the details of the deletion processing will be described as the processing flow in the database management system of step 703 in FIG.

FIG. 20 shows an inquiry 107 of the AP 104 for a data deletion request. SQL statement of this query 107

DELETE FROM tbl1 WHERE clm2 = 200 indicates that a record in which the value of the column clm2 is 200 is deleted from the table tbl1.

FIG. 21 shows the database management system 10
13 is a flowchart of a data deletion process in the fifth embodiment.

First, the inquiry request is analyzed, and the condition 2105 to be deleted is obtained (2101). For example, the request analysis unit 111 analyzes a deletion request as shown in FIG. 20, and obtains a condition “a record in which the value of the column clm2 of the table tbl1 is 200” from the query analysis result 705 that is the analysis result. I do.

Next, based on the request action 118 indicating deletion and the execution user information 117, the data search unit 11
In step 3, the user searches for a record in the database 102 that can be deleted by the user (2102). The details of this step are the same as those of the data search processing shown in FIG. 9, and the only difference is that the requested action 118 is “delete”.

Next, as a result of the search in step 2102,
It is determined whether there is a record (2103). If there is a record, the data deletion unit 303 deletes the record (2104), returns to step 2102, and repeats the process. If there is no record in step 2103 (all deletion targets have been deleted), this processing ends.

By such processing, even if the AP 104 does not make a complicated inquiry request, the database management system 1
05 can perform access control on a record basis for each user in the data deletion process.

FIG. 22 is a diagram showing an example of the structure of a record deleted by the processing shown in FIG. For example, FIG.
The deletion target condition of the query 107 shown in 0 is clm2 = 200
, The records 2201, 2202, 220
3 is searched from the database 102, and the access right of the execution user usr1 of this deletion is set to “delete” by the access permission / inhibition determination unit 114 in accordance with the record attribute information 116.
Is determined.

The record 2201 is to be deleted because the owner is usr1, which is the same as the executing user, and the owner access right includes deletion. The record 2202 is to be deleted because the owner is usr2 different from the execution user, and the access right of the other person includes deletion. The record 2203 is not usr3 whose owner is different from the execution user and is not deleted because the access right of the other party does not include deletion.

Next, an example in which the database system 101 deletes all data owned by a user at the same time as the user is deleted. The configuration of the database system in this example is the same as that shown in FIG.

FIG. 23 shows an example of a request in the AP 104 to delete all data owned by the user at the same time as the user is deleted. A setting statement SET DELETE_USER_DATA_AT_DROP_USER shown in 2301 sets the database management system 105 to delete all data owned by the user at the same time as the user is deleted. Subsequently, a user deletion request 2302 DROP USER usr1 is requested to delete the user usr1 from the database 102.

Upon receiving the user deletion request 2302, the database management system 105 deletes all the data of usr1 whose record attribute information is the owner of all the tables in the database 102 according to the setting of 2301. The deletion processing is almost the same as the processing shown in FIG. 21. However, if the owner is usr1, the record is deleted irrespective of the access right due to the privileges associated with the user deletion processing of the database management system 105. After deleting all records of the owner usr1, the registration of the user usr1 is deleted, and the user deletion process is completed.

Next, an example in which access is controlled for each role in the database system 101 will be described. A role represents a group of users with the same privileges in the database. The configuration of the database system 105 in this example is as follows.
This is the same as that shown in FIG. The difference is that the record attribute information 116 has the access right of the role to which the record belongs and the user who belongs to the role.

FIG. 24 shows an example of record attribute information 116 including a role. Reference numeral 2403 indicates that the role of the record 2401 is role1, and the access right from the user of the role role1 is search and update. Reference numeral 2404 indicates that the role of the record 2402 is role2, and the access right from the user of the role role2 is only search. According to the record attribute information 116, the above-described determination by the access permission / non-permission determining unit 114 is performed, and access control for each role can be performed.

Next, an example will be described in which a module for performing access control is configured as a module independent of the database management system 105 in the database system 101.

FIG. 25 shows a configuration diagram of a database management system in which modules for performing access control are made independent. The basic configuration of the database management system 105 in this example is the same as that shown in FIG. The difference is that the access permission / non-permission judgment unit 114 and the index management unit 301 are not embedded and fixedly provided in the database management system 105 itself, but are provided as independent modules.

The modules of the access permission / non-permission judgment unit 114 and the index management unit 301 provide a so-called plug-in to the database management system 105.
It shall be taken in by the mechanism of. For example, using the dynamic loading function of the operating system, the database management system 105
4 and a dynamic load library which is a substance of a module of the index management unit 301.

In this configuration, the table is stored in the following SQL
Defined by statement.

CREATE TABLE tbl1 (...) WITH OPTIONS (ACCESS CONTROL LIBRARY 'libactl1')

This definition statement specifies that access control is to be performed for the table tbl1, and indicates that access control is to be performed using a function provided by the library libactl1.

The execution control unit 110 of the database management system 105 loads the library at the timing when access control is required in the database processing and performs the processing according to the specification of this definition. For example, in step 1203 of FIG. 12, a function included in the library libactl1 to determine whether access is permitted is called (function name checkAcces
sPermission () function call).

An index is defined by the following SQL statement.

CREATE INDEX idx1 ON tbl1 (clm1) WITH OPTIONS (ACCESS CONTROL LIBRARY 'libactlidx
1 ')

This definition statement corresponds to column clm1 of table tbl1.
Specifies that access control is to be performed for the index idx1 set in Table 2, and indicates that access control is to be performed using the function provided by the library libactlidx1.

The execution control unit 110 of the database management system 105 performs processing by loading a library at the timing when access control is required by using an index in the database processing in accordance with the specification of this definition. For example, in step 1002 of FIG.
Call the function that determines whether access is included in libactlidx1 (function name checkAccessPermissionByIndexEntr
call the function of y ()).

A library for determining whether access is possible
libactl1 has a function of operating information on access rights (record attribute information 116). Each function (function in function) is registered when the database management system 105 registers and deletes records in the table 115.
sertPermissionRecord (), deletePermissionRecord ())
To set the record attribute information 116 in accordance with the registration and deletion of the record.

Library libactli for index management
dx1 has a function of operating information on the access right (record attribute information 503 of the index record 306), and the database management system 105
At the timing of registration 1405 and deletion of the record of each function, the respective functions (function insertPermissionIndexE
By calling ntry (), removePermissionIndexEntry ()), record attribute information 503 is set in accordance with registration and deletion of a record.

As described above, by making the module for performing access control independent of the database management system 105, it is possible to easily add or delete an access control function to the database management system 105. Further, in terms of security, even if the database management system 105 itself is analyzed in detail and an attack is possible, the access control part is unknown and the attack may not be possible, so that the security can be strengthened. .

In the above embodiment, access control can be performed not only in record units but also in column values by associating attribute information in column units.

Next, an example in which the database system 101 configures a module for performing access control in units of column values as a module independent of the database management system 105 will be described.

FIG. 26 is a configuration diagram of a database management system that incorporates a module for performing access control in units of column values. Database management system 10 of this example
The basic configuration of No. 5 is the same as that shown in FIG.
The difference is that the abstract data access management unit 2601, which is a module that performs access control in units of column values, is incorporated into the database management system 105 using an abstract data type defined in the international standardization organization ISO standard SQL99. It is. The database management system 105 also incorporates an abstract data index management unit 2602 that provides an index function for an abstract data type column.

Here, the abstract data type is defined by the following SQL statement.

CREATE TYPE adt1 (PRIVATE attr1 CHAR (200), PRIVATE permissions VARCHAR (100), PUBLIC FUNCTION getattr1 () RETURNS CHAR (200) LIBRARY 'libadt1' ...)

The implementation of the function getattr1 () is included in the library libadt1 of the abstract data access control unit 2601.

A table using the abstract data type adt1 as a column type is defined by the following SQL statement.

CREATE TABLE tbl1 (..., clm3 adt1, ...)

With such a definition, the value of the abstract data type is used as the column value.

FIG. 27 shows a data structure of an abstract data type column value for performing access control. Abstract data type value 2
Reference numeral 701 includes an attribute value 2702 and access right information 2703. The attribute value 2702 holds a 200-byte character array value in accordance with attr1 CHAR (200) in the definition statement of the above-described abstract data type adt1.

Access right information 2703 holds information on whether or not access to value 2701 of this abstract data type is possible. The access right information 2703 holds a variable-length character string value of up to 100 bytes in accordance with permissions VARCHAR (100) in the definition statement of the above-described abstract data type adt1. Details are the same as the record attribute information 116 of FIG.

In the function getattr1 (), the access right information 27
03, based on the execution user information 117, whether access is permitted or not is determined.
702 is returned, and when it is determined that the access is not permitted, “not applicable” is returned. The determination process may be similar to the process described with reference to FIG.

Reference to the column value of the abstract data type is requested by the following SQL statement.

SELECT clm3.getattr1 () FROM tbl1

By this SQL statement, column c of table tbl1
Get attribute value of attribute attr1 of abstract data type stored in lm3. As a result of the access permission determination of the function getattr (), only the attribute value of the value of the abstract data type indicated to be accessible by the access right information 2703 becomes a query result.

The abstract data index management unit 2602
For the column of the abstract data type, similarly to the index 305, an index is created using the column value of the abstract data type as a key. Then, similarly to the processing shown in FIGS. 10 and 15, index processing including access permission / non-permission determination is performed.
The functions createIndex (), searchEntry (), insertEnt included in the abstract data index management unit 2602 for each timing of database processing, index creation, entry search, entry registration, and entry deletion
ry () and removeEntry () are called, and processing related to access control is performed by the abstract data index management unit 2602.

With such a configuration, since access control can be implemented for each column value, an access control function can be easily added or deleted for each column. By implementing an abstract data type function for each column, fine-grained access control is possible. In addition, the abstract data index management unit 2602 can speed up query processing for an abstract data type column value including access control.

In the above embodiment, the tables are joined (Joi) based on the owner information of the record attribute information 116.
In n), records having the same owner can be combined. The use of the record attribute information 116 eliminates the need for the AP 104 to maintain the consistency of columns indicating users and user identifiers in a plurality of tables.

Further, when the records of the database 102 are encrypted and stored, the encryption method can be changed for each user according to the owner of the record attribute information 116. Security.

Further, by clustering the records stored in the database 102 for each user according to the owner of the record attribute information 116, the efficiency of reading records from the data storage device 208-2 is improved, and the database for each user is improved. The processing can be speeded up.

The management of the owner and the access right for each record is adapted to the user and access management of the operating system by the database management system 105, and the information of the user and access management is transferred to the application program. It is possible to perform unified access control for systems, databases, and application programs. This is particularly effective in data management systems that require consistent security.

As a method similar to the access control according to the present invention, there is an access control method based on file permissions in a general file system. In such a file system, the existence of a file is recognized by other users. While an error occurs when there is no permission at the time of access, the method of the present invention can prevent other users from even recognizing the existence of a record. Further, in the file system, the file name is used to identify the file, and even if the user is different, a file having the same name cannot be created. Records can be registered for each user even if they are the same. Thus, being able to prevent other users from recognizing their own records is effective in a data management system requiring security.

The processing of the above-described flowchart is as follows.
This can be realized by executing a program with a data processing device as shown in FIG. In addition, the program can be stored in a computer-readable and writable storage medium such as a hard disk device or a floppy disk, and the program can be accessed through a network.

[0179]

As described above, according to the present invention,
In a data management system that manages data of multiple users and accesses the data by multiple users, the database management system performs access control on a record-by-user basis for each user without being aware of application programs that use the database. Therefore, there is an effect that the application program can be simplified.

[Brief description of the drawings]

FIG. 1 is a conceptual diagram showing an outline of a data search process according to an embodiment of the present invention.

FIG. 2 is a configuration diagram of hardware according to an embodiment of the present invention.

FIG. 3 is a configuration diagram of a database system according to an embodiment of the present invention.

FIG. 4 is a configuration diagram of a database table;

FIG. 5 is a configuration diagram of an index record of a database.

FIG. 6 is a flowchart of a database connection process.

FIG. 7 is a flowchart of a database inquiry process;

FIG. 8 is a flowchart of a data search process in the database management system.

FIG. 9 is a flowchart of a data search processing result creation in the data search unit.

FIG. 10 is a flowchart of a data search process in an index management unit.

FIG. 11 is a flowchart of access permission / inhibition determination processing;

FIG. 12 is a flowchart of a data search process in a data search unit.

FIG. 13 is a configuration diagram of a database system according to an embodiment of the present invention.

FIG. 14 is a flowchart of a data registration process in the database management system.

FIG. 15 is a flowchart of an index record registration process in an index management unit.

FIG. 16 is a flowchart of a data registration process including a UNIQUE check in the database management system.

FIG. 17 is a flowchart of a UNIQUE check process in the database management system.

FIG. 18 is a flowchart of a UNIQUE check process in the index management unit.

FIG. 19 is a flowchart of a UNIQUE check process in the data search unit.

FIG. 20 is a configuration diagram of a data deletion request.

FIG. 21 is a flowchart of data deletion processing in the database management system.

FIG. 22 is a configuration diagram of a record to be deleted.

FIG. 23 is a configuration diagram of a request to delete data at the same time as user deletion.

FIG. 24 is a configuration diagram of a table including role information.

FIG. 25 is a configuration diagram of a database management system in which modules for performing access control are made independent.

FIG. 26 is a configuration diagram of a database management system using a module that performs access control on column values of an abstract data type.

FIG. 27 is a configuration diagram of a column value of an abstract data type

[Explanation of symbols]

 105: Database Management System 112: User Authentication Unit 114: Access Permission Judgment Unit 116: Record Attribute Information 117: Execution User Information 118: Request Action

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Inventor Masashi Tsuchida 890 Kashimada, Saiwai-ku, Kawasaki-shi, Kanagawa F-term in the System Development Division, Hitachi, Ltd. 5B017 AA01 BA06 BB06 CA16 5B082 EA07 EA11 GA11

Claims (5)

[Claims] In a data management method for managing access to data, a data attribute holding a value related to access control associated with data is managed, and when a data processing request is input, the data processing request is added to the data. Determining whether the data is accessible based on the data attribute associated with the data, and performing data processing based on the data processing request on the data when the result of the determination indicates that the data is accessible. Characteristic data management method. 2. The data management method according to claim 1, wherein when a value of the data attribute is not specified, a value designated in advance is regarded as the value of the data attribute. 3. The data management method according to claim 1, wherein a user identifier for identifying a user making a data processing request and an access right indicating whether or not the user can access the data are provided. A data management method, wherein the data attribute is included in the data attribute associated with data. 4. A data management system for managing access to data, a user recognizing means for recognizing a user who has made a data processing request, and a request analysis for analyzing the data processing request and recognizing a requested action. Means for storing access right indicating whether or not a user can perform an action on the data in the data attribute, and determining whether or not to access the data based on the data attribute. A data management system characterized by the following. 5. A storage medium storing a data management program in a data management system for managing access to data, wherein the data management program has a data attribute that holds a value related to access control associated with the data. When a data processing request is input, a determination is made based on the data attribute associated with the data whether the data processing request is accessible. If the result of the determination indicates that the data processing request is accessible, A storage medium for performing data processing on data based on the data processing request.