JP2002312220A - Cell level data access control using user definition function - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a flexible cell level access control based on an access means and execute an access means capable or reducing a system cost. SOLUTION: The cell level access control is provided by using a mask function 1222. An original inquiry 1102 is changed to include the mask function 1222 for a cell desired to be accessed. A filter function 1204 is included to delete a line according to the access means.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to database access, and more particularly, to controlled access to fields in a database.

[0002]

2. Description of the Related Art Today's information technology allows for seamless access to various types of data sources. Thanks to such technology, it is easier to get more and more information. However, data sources often include important information, such as medical records, financial records, and other similar personal information that should be protected from unauthorized access, and the access rights of those who want to access such information ( access privilege) is required. As database systems evolve, a set of data access control functions is provided using view definitions and authorization models.

[0003] A view is an information object that allows the data to be viewed in a different manner, but within a regular table. It is a functionally logically defined table that is part of a fixed table that makes up the database.
Views provide a way to look at data in basic tables without the need to combine the data.

[0004] Traditional views can control access to data in a database in a row and / or column level manner. Figure 1 shows hospital data INPT BASE100
An example of an inpatient information and MD And in-patient information collected and classified by ID.
Assume that each physician is authorized to view that data only to go to his patient's home visit. FIG.
Is an INPT for each doctor 3 shows a desired view in BASE 100. PT ID, VST,
P NM and MD The ID field is selectively made invisible to protect the privacy of each patient, so that the physician can only see the data for his patient. Thus, for the doctor with ID 2222, the view that should be available to him is view 202. For a doctor whose ID is 3333, the view becomes a view 204.

A view for an inpatient may be defined by a conventional view definition (or view creation). For example, FIG. 3 illustrates the views 202, 204, and 20 shown in FIG.
6 shows a view definition for creating the sixth view. (Note that in the case of the Oracle database system,
user id is the latest user expression to return to id,
That is, SYS CONTEXT ("userenv",
"Session user ”). However, executing the SQL statement in FIG.
When obtaining inpatient information categorized and collected by ID, each physician will obtain different results as shown in FIG. In order to obtain the desired aggregation result as shown in FIG. 2, the view shown in FIG. 6 can be defined. However, to allow special multidimensional analysis, all possible combinations of aggregated views must be defined. Such a physical force approach largely increases view maintenance costs significantly. For example, a doctor has a special DRG (relevant group to help diagnose)
If you want to see the statistics of DRG BETWEEN 120, 129, MD A view must be defined that aggregates a subset of the data categorized by ID. If each physician wants to see a different subset of data, it is almost impossible to prepare such a view in advance.

[0006]

In a recent system,
This problem has been solved by implementing access control means as part of application theory. However, there are many applications in a typical system. As a result, one access vehicle must be executed in each of the different applications, and the task significantly increases the maintenance costs of the access vehicle. If you continue to use legacy software, your efforts will be totally disrupted.

[0007] The database can be protected through various security measures, including flow, inference, and access control. Access control in information systems
According to the models and rules determined by the safeguards, it is responsible for assuring that any direct access to the system object occurs exclusively. Access control has been enhanced to the content-dependent access control model for database systems. In a conventional view definition based on the content-dependent access control model, the access rules are represented by the set of (s, o, t, p), which means that the access s to the occurrence of the object o to which the predicate p applies is subject s Has been specified. The model enhancement consists of six sets of (a, s, o, t, p, f), where a is the subject of the authority granting s the right (o, t, p);
And f, on the other hand, is a copy of the flag that describes the possibility that s will move (o, t, p) further to another object.

[0008] Many security models have been proposed in the prior art literature. Access Matrix (Acce
ss Matrix model, Take-Gran
t) Model, Action-Entit
y) Model and Wood et aol (Wood et a
t.) The model is any security model. The user inquiry is queried for permission. If it is authorized, the query accesses objects in a special access mode. Otherwise, the access is denied.

TF Lunt, D. Denning, RR Schell,
An article entitled "Seaview Security Model" by M. Heckman and WR Shckley, entitled "IEEE Gazette on Software, Volume 16, No. 6 (June 1990), pp. 593-607," includes Seaview.・
A security model known as a model, that is, Mandatory Access C
An ontrol (MAC) model and a Trusted Computing Base (TCB) model have been proposed to protect the security of relational database systems by using two layers. Seaview controls multi-level data access by generating instances of visual multi-level relationships from physical single-level relationships.

Other models include the Jajodia-Sandhu's model and the Smith-Winslett's model proposed as multi-level security models. In. The security measures of these models create examples of visual multi-level relationships. These models use alternative filters located between the database system and the application to enforce database security.

Processing a conventional view involves the following general steps. (1) Authentication (verify the eligibility to access information) (2) Apply the view definition, that is, revise the query according to the view definition. (3) Optimize the query. (4) Execute the inquiry. (5) Return the result.

In conventional views, access control rules are applied to queries before execution. The query cannot access columns that are not elements of the projection column. Furthermore, if the user defines a function to hide the column values as projection targets, the query cannot access the original values.

Information System Security Bulletin 2.1 (1)
In a paper entitled "Access Control Models and Criteria Based on Roles in the Corporate Intranet," pages 34-64, David F. Ferraiolo, John
F. Barkely and Richard D. Kuhn disclose role-based access control based on the concept of user roles.

The Oracle 8i system has fine-grained access using a virtual private database, such as Oracle Magazine (July 1999),
Mary A. Davidson entitled "Creating a Visual Private Database with Oracle 8i"
Is discussed in the official report. This feature allows a database designer to automatically add a selection condition means each time a user accesses a table. The condition means can be generated based on an arbitrary value, for example, a context value or a session value. However, a condition cannot mask (cover) a small set of columns within a row, because the condition removes rows that do not satisfy that value.

The security model is described in ACM Bulletin Database System 3.1 (March 1978), pp. 92-1.
Entitled "Security of Statistical Databases for Queries with Small Counts" on page 04;
In a paper by Y. Chin, proposed for a statistical database system that prevents statistical estimation. There are three techniques for putative protection: conceptual, constraint-based, and perturbation-based. For example, Addison Wesley Publishing Company (1994), Castano, Silvana, Fugin
i, G. Mariagrazia, Martella, Giancarlo, Samarat
i and "Database Security" by Pierangela, and ACM Computing Surveys, Volume 21, No. 4 (19
December 1989), pp. 515-556, entitled "Statistics Database: Comparative Study", by Adam, R. Nabil,
And a paper by John C. Worthmann. These techniques suppress statistical values or limit the combination of group ranges. However, that technique does not provide a function of suppressing the range value itself. Therefore,
They cannot define access means for the aggregation result as shown in FIG.

There is a need for a flexible cell level data access control technique based on the access means. There is a need to implement access means that can reduce system costs.

[0017]

SUMMARY OF THE INVENTION The present invention provides cell-level access control using a mask function for each access-controlled column. Each mask function is associated with one or more key parameters that determine access permissions. Depending on the access means embodied in the mask function, the mask function returns the value of the masked column or the value of the original column.

Another aspect of the present invention provides cell-level access control using a filter function for each row deletion means. Each filter function is associated with one or more key parameters. The filter function returns two category (eg, binary) values. Conditions for checking the return value of the filter function are as follows:
In addition to the query condition close, the row is deleted according to the row deletion means.

Still another aspect of the present invention is a reporting system that provides the above-described cell-level access control mechanism.

The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings.

[0021]

DETAILED DESCRIPTION OF THE INVENTION With reference to FIG. 7, one embodiment of the present invention will be described in conjunction with a web-based reporting system architecture 700. FIG. The architecture consists of three server components. That is, the database server 722 is a database management system (DBMS).
702. The DBMS may be any conventional database. In one particular illustrative form, D
BMS is a relational database system. The report server 706 is connected to the database server on the conventional communication facility, and the detailed characteristics of the conventional communication facility depend on a specific embodiment of the present invention. The report server is
Facilitating the ability to provide a report generation server with multiple report templates 734. Web server 704 connects to the report server and provides client-side access to the DBMS. The web server connects to the report server on the conventional communication facility, and the detailed characteristics of the conventional communication facility depend on the special form of the present invention.

FIG. 7 shows a general software and hardware configuration of the server components.
The database server 722 has its own computer system and has a large capacity storage subsystem. The illustrated report server 706 and web server 704 belong to a separate computer system 734 and are separate from the database server. In practice, a web server and a report server may consist of multiple instantiations of web server processing and report server processing to achieve a desired throughput. Note that many alternative configurations are possible. For example, a single computer system can host all three server components during small scale operations. In a large device,
Each server may occupy its own computer system. In order to provide even more throughput, each server actually consists of a number of server systems in a very large system.

The access of the user to the DBMS 702 is as follows.
The processing is performed via the client browser 712 and further executed on the third computer system 726. The browser uses Hypertext Transport Protocol (HTTP) or HTTP over SSL protocol.
It is connected to the web server 704 using (HTTPS).

The user interacts with web server 704 via browser 712 to obtain a report. At first,
Select report template 734. Next, a set of parameters for the template is provided. The web server passes the user identifier corresponding to the user selected report template to the report server 706 along with the user provided parameters. The report server issues one or more queries related to the selected report template to the database server 722. After an appropriate interaction between the report server and the database server, the query results are returned to the report server. The report server receives the results and formats the results into a well-formed format that is then sent to the user via the web server.

FIG. 8 is an example of a simple data access means shown for illustrative purposes only. In this example, assume that three levels of access are desired: an execution level, a medical doctor level, and a financial analyst level. Execution level users are allowed to access all data. Generally, this is codified for all officials and all database administrators.

The doctor is given access to a medical doctor level user. The physician should have access to patient data regarding the treatment of the patient visit and to data generated by the physician. However, the physician is not authorized to access some of the patient's private information, for example, credit card information. In addition, a physician is not authorized to access another physician's data. According to the explanatory access described in FIG. 8, the physician cannot see the patient's name due to a patient visit being treated by another physician. Even if the doctor treats another visit of the same patient, the patient's name cannot be seen. For example, doctor 2222 cannot see the patient name in the first row in FIG. This is because another doctor 3333 is treating the first visit of AREN. Therefore, according to the illustrative access means given in FIG.
Even after treating EN's second visit, the physician would
N cannot see the name because of N's first visit.
It will be appreciated that in such cases, there are other access means that allow access to the data. It is further understood that the present invention can provide such access means.

Finally, access control is provided to all financial staff. This class of users is granted financial analyst level user access. Financial analysts have access to financial information such as stays, costs, and payments that include some of the patient's financial information. However, financial analysts do not have access to the types of data needed by doctors.

Referring to FIG. 9, an illustrative example of a data scheme 900 for a relational DBMS 702 (FIG. 7) is shown. User information table 902 (USER INFO) includes a user record (eg, user record 912) for each user. Each record contains user related information 926
In addition, a user id field 922 and a role field 924 are included. The role field identifies the access right of the access level for each user for each access means in FIG.

An inpatient information table 904 (INPT FAC
T) holds an in-patient record (for example, in-patient record 914) for each home visit performed based on the patient. As a result, the patient is very likely to have a large number of entries in this table, one for each visit. The patient id field 931 identifies the patient. The Patient Visit Field 932 (VST) represents each visit / hospitalization occurrence for one patient. Another field is the medical doctor ID field 934, which contains the identifier of the treating physician.

The patient information table 906 (PT FACT)
Contains patient records for each patient. Each record is a patient id
Field 942 (PT ID), patient name field 9
44 (P NM) and patient gender field 946 (S
EX). Similar doctor information table 908 (MD
FACT) contains information for each doctor. This is, for example, the medical doctor ID field 952 (MD I
D), name field 954 (D NM), and Medical Doctor Department Field 956 (DEPT).

Referring to FIGS. 8 and 9, the effect of the access means as it relates to the data scheme 900 will be described. For example, consider a user in role II. Role II
It is recalled that this user is a doctor. The physician can only view certain information for the patient who has treated himself. Thus, it can be appreciated that the treating physician has a patient age field 933, a DRG field 9
35, length of stay field 936, cost field 93
7, payment field 938, patient gender field 94
6. The medical doctor section field 956 can be viewed. However, if the patient visit is not treated by the physician, or if the information is the physician's own data (eg,
If the physician can see his / her own name), the patient id fields 931 and 942, the patient visit field 932, the patient name field 944, the medical doctor ID fields 934 and 952, and the medical doctor name field 954 Should not be available to doctors.
Therefore, the query results for scheme 900 should include all data for patient visits treated by the consulting physician and partially masked data for patient visits not treated by the consulting physician.

For a user in role II as shown in FIG.
Access to patients is dependent on the patient's visit
No) PT ID, VST NBR and P NM's
Restrict access to such patient private information.
Therefore, whether to mask patient private information
The key set to determine whether ID, VST
NBR}. Because these columns are
This is because it is a major key for the subject to be examined. (Ak
Access is restricted by the patient
Is the key set is $ PT It becomes ID @. ) Medical doctor
-With respect to information, users in role II
It just accesses the event information. Therefore,
If this is not your own private information, MD
ID and D NM will be hidden. Therefore, the doctor's
Private information MD ID, D NM should be masked
The key set for deciding whether or not is With ID｝
is there.

If the user of role II has SELECT ^* FRO
M PT When you issue an inquiry like FACT,
All PT ID and P Hide (mask) NM columns
Should. This is because the role II user should not receive the patient list in the hospital. Role II
Users can only create their own patient lists. To create your own patient list, you should issue the following query: SELECT DISTINC
Ta. PT ID, a. P NM, a. SEX FR
OM PT FACT a. INPT FACT bW
HERE a. PT ID = b. PT ID, and
b. MD ID = doctor's id. In this case, ｛PT
ID, VST Column PT by using the value of NBR
ID and P It can be determined whether the NM should be masked or not. Because the inquiry is PT F
ACT and INPT This is because it should be combined with FACT. In short, if the key column for which the mask is determined is not covered by the table in the query, it will not allow private data to be viewed.

In order to implement the above access control means, the present invention provides a mask function for each column. Thus, if the access means denies access to a column under certain conditions, the column should be masked (hidden). Therefore, according to the present invention, a mask function is provided for that column. Note that if a column is not hidden by the current access method but is hidden by a future access method,
The column can also be provided with a mask function.

FIG. 10 shows a patient name sequence, ie, P An example of the explanation of the mask function 1000 for NM is shown. According to an embodiment of the present invention, the mask function is defined by a conventional SQL type syntax for user-defined function calls, sometimes referred to as "stored procedures", "procedure calls", and the like. It is understood that the concept of a mask function may be implemented in other ways. For example, the SQL language can be redefined to include masking capabilities. However, there is an advantage that using a user-defined function eliminates the need to prepare for a custom SQL language.

The mask function 1000 includes an associated set of one or more key parameters 1002. The mask function also has an associated original value parameter 1004. As described, one or more key parameters form the basis for determining whether to display a masked column, or whether to mask a column. In the example shown in FIG. In the mask function for NM1000, there are two key parameters: KEY PT ID
And KEY VST (1002). This is because access means for Role II users is needed to protect patient private information by patient visit. And PT The ID and VST are key columns for a patient visit.

The mask function is an IF THEN ELSE close 1006. The IF condition constitutes accessor condition logic 1008, which is defined in terms of effect according to the accessor. The logic of the access means condition is a function of the key parameter 1002. If the access means condition evaluates to TRUE, the mask function returns the original value parameter 1004 as the column value. If the access condition evaluates to FALSE, the default value is returned as the column value.

In the embodiment of the invention shown in FIG. 10, default values are created by function call 1010. In this particular illustrative example, the default value is some function in the original value parameter 1004. In other embodiments, the default value may be based on information that is not limited to the original value parameter.
In yet another embodiment of the present invention, the default value is
Certain inputs may be, for example, NULL or textual means such as "Unauthorized access".
Operating conditions, security considerations, etc., determine how the default values are determined.

In general form, a mask function according to one embodiment of the present invention has the following syntax:

[0040]

(Equation 1) Here, rv is the column value of the return of the mask _{function, kp 1, kp 2, ···} , kp n is a key parameter utilized to determine whether the mask occurs, op is , The original value in the masked column.

The specific syntax in a function call and its definition has changed from one SQL execution to another. Such details are known and understood by those of ordinary skill in the database arts.

Table I below is an example of a general mask function according to the present invention. Also, a filter function according to the present invention is shown.

[0043]

[Table 1] The mask function shown is provided only to illustrate a general embodiment of the present invention. Additional mask functions may be required depending on the complexity of the database. The specific implementation will depend on the programming language in use. The particular algorithm will vary in effectiveness depending on the specific requirements of the access means.
Those of ordinary skill in the database art will readily understand how to implement the invention in the context of implementing a particular database system.

Table 1 shows the filter functions defined in the FILTER package. Two functions,
That is, PT0 and MD0 are given. The PT0 function uses the parameter KEY PT ID and KEY VST. If the data is to be masked, it returns 0. If data is to be displayed based on the key parameter and the user role, it returns 1. In this implementation, each Role II user will receive $ PT for all patient visits that he has treated. ID Table PT that maintains the list of VST
Has VST.

The MD0 filter function has a parameter KEY
MD ID. In the same way as the PT function,
Returns 0 or 1. The MASK function is a MASK
Is defined in the package. Only in this example is P NM
And D It has a mask function for NM. First, P
The mask function of the NM is a function function FILTER. PT
Call. Then, if the result is 1, it
Is the original value ORG P Return NM. And ending
If the result is 0, MASKED. P By NM function
Is returned. D NM is P
It occurs in a manner similar to NM. Note that any parameters
Can be defined to create a mask value. In this example
Is NASKED. P NM is ORG P Only NM
Used, while MASKED. D NM is KEY
MD ID and ORG D Using both NM
You.

Referring to FIGS. 11 and 12, illustrative embodiments of a cell level access control architecture according to the present invention are shown. FIG. 11 shows a query 1102 commonly found in one of the report templates 734 (FIG. 7). The query is written using a conventional SQL construct. A typical SQL query includes a SELECT statement, which embodies one or more column criteria (sometimes called attributes or fields, etc.), and the SELECT statement constitutes the result of the query.

According to the present invention, the translation procedure 1210 comprises:
A modified report template 734 'is created to be applied to the query comprising the report template. The query 1202 consisting of the change report template is a translation of the original query 1102, wherein certain column criteria are replaced with a mask function.

The translation procedure 1210 is based on access means in terms of effectiveness (eg, FIG. 8). As will be appreciated, the original query 1102 is very similar to the translated query 1202. Access means
If a column reference to be masked is required, that column reference is replaced with the appropriate function call to the mask function.

For example, consider the original query 1102. Here, the column that the access means needs to mask is PT ID, VST, P NM, MD I
D and D NM (FIG. 9). Table II below shows an alternative scheme.

[0050]

[Table 2] Note that the table or view ID should be changed to an appropriate name according to the FROM close of each inquiry.
For example, “c.”, “I.”, “P.”, And “m.”
Should be changed. As will be appreciated, the translation process 1210 is simply a text substitute in the original query on the masked column basis by the corresponding function call. The information contained in Table II can be used with a text editor to create the translation query 1202 shown in FIG. The translation process may be a standard editor. That is, Unix streaming text editor is particularly available. The translation process may be in one piece of custom software or even some combination of hardware and software. According to the invention, the required translation tasks are:
May be provided using some of the many conventional techniques.

Continuing with FIG. 12, the translation process 1210
The original inquiry 1102 is converted into a translation inquiry 1202. Then the translated query is DBM
It is sent to S702, in which the inquiry is executed. The DBMS includes a set of user-defined functions 1212. The mask function definition 1222 is included in this user-defined function.

FIG. 12 also shows a set of filter functions 1224 within a user-defined function. The filter function works in the same way as the mask function. If the mask function can be used to mask a column according to the access means, the filter function can be used to mask a row (record) for each row deletion means. The filter function requires one or more key parameters that determine whether rows should be kept or deleted. In an embodiment of the present invention, the filter function returns a binary value such as TRUE / FALSE. It is used in the WHERE close of the SQL query to limit the rows returned according to the row deletion means. An example of the filter function 1204 is shown in FIG.

The disclosed embodiment is based on a relational database and an SQL type query language. However, it can be appreciated by those having ordinary skill in the database art that mask and filter function processing can be provided in other database systems. In a relational database system, the present invention
Provides access control for cell-level data without affecting the underlying database engine.

The translation process 1210 removes the tedious and error-prone task of modifying an existing report template. As each query is sent to the database, the translation process may be performed quickly. In another embodiment of the present invention, the translation process is performed once on all templates (e.g., performed manually by a database administrator) to create a new set of templates that use mask and filter functions. it can. This embodiment is attractive from a throughput point of view, since the translation only needs to be performed when the report template changes. In still another embodiment of the present invention,
Since the translation process is located in the DBMS 702, all incoming queries can be intercepted and translated immediately. The translation process may be a manually executed task. Specific processing is determined based on performance criteria, problem solving ability, characteristics of database use, number of reports, and the like.

Since the mask function is stored in the DBMS, a change in the access means results in a simple rewrite in the mask and filter functions. No need to affect existing application logic. If the access means changes which columns should be masked,
The translation process 1210 is updated accordingly. For example,
If an AGE column is to be added as a mask column, the original SQL in FIG. 12 may be changed as shown in FIG. 13 by replacing the AGE column with the mask function 1302.

Although specific embodiments of the present invention have been described, various changes, modifications, alternative constructions, and equivalents are also included within the scope of the present invention. The described invention is
It is not limited to operate within a particular data processing environment, but can operate freely within a plurality of data processing environments. Although the invention has been described with reference to specific embodiments, it will be apparent to one skilled in the art that the scope of the invention is not limited to the specific embodiments described above.

Accordingly, the specification and drawings are to be considered in an illustrative rather than a restrictive sense. However, additions, deletions, substitutions, and other changes can be made without departing from the broad spirit and scope of the invention as defined by the appended claims.

[0058]

The present invention provides cell-level access control using a mask function for each access-controlled column. Each mask function is associated with one or more key parameters that determine access permissions. Depending on the access means embodied in the mask function, the mask function returns the value of the masked column or the value of the original column.

Further, cell level access control is provided by using a filter function for each row deletion means. Each filter function is associated with one or more key parameters. The filter function returns two category (eg, binary) values. The condition for checking the return value of the filter function is added to the condition close of the inquiry, and the row is deleted according to the row deleting means.

Further, the above-described cell-level access control mechanism is provided.

[Brief description of the drawings]

FIG. 1 is a diagram showing an example of a data configuration for hospital-related data.

FIG. 2 shows a view of the data shown in FIG. 1 and generally required by a physician.

FIG. 3 is a view showing a view definition for creating the view shown in FIG. 2;

FIG. 4 is a diagram showing an aggregated SQL sentence.

FIG. 5 is a diagram showing an aggregation query result of views defined by a conventional view definition.

FIG. 6 is a diagram showing an aggregated conventional view definition.

FIG. 7 illustrates a web-based reporting system architecture that can be employed with the present invention.

FIG. 8 is a diagram showing a general example of a data access unit.

FIG. 9 is a diagram showing an example of a table scheme in a database system.

FIG. 10 is a diagram showing an example template of a mask function according to the present invention.

FIG. 11 is a diagram showing SQL before deformation.

FIG. 12 is a diagram illustrating an appearance of an architecture of cell-level access control in one embodiment of the present invention.

FIG. 13 illustrates how changes to the access means can be easily adapted within the present invention.

[Explanation of symbols]

700 Web Reporting System Architecture 702 Data Management System 704 Web Server 706 Report Template 712 Browser 722 Database Server 726 Third Computer System 734 Report Template 734 'Change Template 1102 Original Query 1204 Filter Function 1212 User Defined Function 1222 Mask Function

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Michel El Keller 4503 F Victorian Drive, Plainfield, Victoria Drive, Illinois, United States 60544 FB Term (Reference) 5B075 KK62 QT06 5B082 GA11

Claims (20)

[Claims] 1. A method for accessing information in an information storage device according to an access means, comprising: receiving an access request consisting of a request for first type information, and retrieving the access request and first information contained in the information storage device. A request for the first type information is associated with the request for the first type information, and the request for the first type information is replaced with a change request for the first type information based on the access unit. In response to produce a result, wherein the change request is
Based on the access means, a masked value, or
An access method, wherein the first information is created. 2. The access method according to claim 1, wherein the change request has a mask function. 3. The access method according to claim 2, wherein the step of accessing the information storage device executes the mask function to create either the masked value or the first information. An access method comprising: 4. The access method according to claim 1, further comprising an effective filter function for changing said access request and deleting a part of said result according to said access means. Access method to be used 5. The access method according to claim 1, wherein the information storage device is a relational database, the request for the first type information includes a SELECT statement, and the SELECT statement includes one or more columns. An access method wherein the change request comprises replacing at least one of the one or more column criteria with a mask function. 6. The access method according to claim 1, wherein the information storage device is a relational database, the access request includes a WHERE close, and the result includes one or more lines of information. Further comprising, based on said access means, incorporating a filter function in said WHERE close to remove some rows contained in said result. 7. A method of accessing information in a relational database according to access means, comprising: providing at least one query having a SELECT statement comprising one or more column criteria; Creating a change query by replacing at least one of the mask functions with a mask function, creating a query result in response to the change query comprising one or more lines of information, wherein the query result is based on the access means. hand,
An access method, comprising: for at least one of the one or more column criteria, any of a mask value or information from the relational database. 8. The access method of claim 7, wherein the at least one query further comprises a WHERE close, wherein the access method modifies the WHERE close to create a modified WHERE close including a filter function. Wherein the filter function creates one of two logical values, and wherein the changing WHERE close is effective for deleting a row from the query result based on the value created by the filter function. An access method characterized by that: 9. The access method according to claim 7, wherein the relational database is provided in a database server, wherein the step of providing at least one query includes receiving the at least one query at a client system, An access method, wherein creating a query result comprises sending the change query to the database server. 10. The access method according to claim 9, wherein the step of replacing said at least one is executed by said client system. 11. The access method according to claim 9, wherein the step of replacing at least one is performed by the database server. 12. An information retrieval system by a computer having a computer memory having a computer readable program code contained therein for accessing an information storage device according to an access means, comprising: an access request for first type information; And a first code associated with the first information by the access request for the first type information, and a request for the first type information for the first type information based on the access means. A second code configured to replace the change request; and a third code configured to access the information storage device and generate a result in response to the access request. The request is based on the access means,
An information search system by a computer, wherein either one of a masked value or the first information is created. 13. The computer-based information retrieval system according to claim 12, further comprising a filter function effective to change said access request and delete a part of said result according to said access means. An information retrieval system by a computer, further comprising a fourth code. 14. The computer-based information retrieval system according to claim 12, further comprising a relational database, wherein the request for the first type information has a SELECT statement including one or more column criteria. The computer-based information retrieval system wherein the request includes replacing at least one of the one or more column criteria with a mask function. 15. The computer-based information retrieval system according to claim 12, further comprising a relational database, wherein said access request includes a WHERE close, said result comprising one or more lines of information, Computer-readable information retrieval, characterized in that the code is further configured to, based on the access means, incorporate a filtering function in the WHERE clause to delete some lines contained in the result. system. 16. The computer-based information retrieval system according to claim 12, further comprising: a client computer system and a server computer system, wherein the client computer system is configured to execute a search from a part of the computer memory including the first and second codes. Wherein the server computer system comprises another portion of the computer memory containing the third code. 17. The computer-based information retrieval system according to claim 12, wherein the database server is a relational database server, and the request for the first type information has a SELECT statement including one or more column criteria. And a change request including replacing at least one of the one or more column criteria with a mask function. 18. The computer-based information search system according to claim 17, wherein the third code has a mask function. 19. The computer-based information retrieval system according to claim 16, wherein the database server is a relational database server, the access request includes a WHERE close, and the result comprises one or more lines of information. Computer-readable information characterized in that the second code is further configured to, based on the access means, incorporate a filtering function in the WHERE close to delete some lines included in the result. Search system. 20. A computer-based information search system according to claim 19, wherein said third code has a mask function.