WO2011097670A1 - Database access licence management

Info

Publication number: WO2011097670A1
Authority: WO
Grant status: Application
Prior art keywords: database, licence, user, procedure, connection
Application number: PCT/AU2011/000127
Other languages: French (fr)
Inventors: Todd Meynink, Mark Joseph Ledwich
Original Assignee: Zap Holdings Limited
Priority date: 2010-02-09 (Google notes that the priority date is an assumption and not a legal conclusion; no legal analysis has been performed on it)
Filing date: 2011-02-08
Publication date: 2011-08-18

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G Physics › G06 Computing; calculating; counting › G06F Electric digital data processing › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data)
    • G06F17/30306 Database tuning (G Physics › G06 Computing; calculating; counting › G06F Electric digital data processing › G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions › G06F17/30 Information retrieval; database structures therefor; file system structures therefor › G06F17/30286 ... in structured data stores › G06F17/30289 Database design, administration or maintenance)
    • G06F17/30592 Multi-dimensional databases and data warehouses, e.g. MOLAP, ROLAP (G Physics › G06 Computing; calculating; counting › G06F Electric digital data processing › G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions › G06F17/30 Information retrieval; database structures therefor; file system structures therefor › G06F17/30286 ... in structured data stores › G06F17/30587 Details of specialised database models)
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries (G Physics › G06 Computing; calculating; counting › G06F Electric digital data processing › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 ... to a system of files or objects, e.g. local or distributed file system or database)

Abstract

A computer executable method of managing access to an OLAP cube in which the database management system is modified by one or more of: Incorporating a licence check procedure as a stored procedure in the database; Using a connection event to trigger a licence verification of the user; Using connection strings to bind access to the database to a particular application; Using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.

Description

DATABASE ACCESS LICENCE MANAGEMENT

This invention relates to Database Management Systems (DBMS), and to providing within them the scaffolding needed to license access to the database itself.

Background to the invention

Often significant IP is invested in the creation of databases that facilitate report writing relevant to a business. This is particularly acute in the case of OLAP databases, where knowledge of the business and of the reporting requirements is essential to an effective reporting system.

Most database vendors do not provide a way for third parties to capture the value they create through the design and knowledge that goes into producing these databases and the reports built on top of them.

USA patent 6506786 discloses a method of controlling access in which a service monitors Analysis Services for connections and, if a licence limit is reached, the database is taken offline.

USA patent application 6904523 discloses the use of a licensing attribute certificate in enforcing access to a computer resource.

USA patent application 20090287704 discloses a security system for a data cube that operates on a per-user basis at the cell level and includes, in addition to dimension-level tables, cell security tables comprising a cell permission table and a cell qualifier table.

It is an object of this invention to provide a means of controlling access to databases and verifying a user's licence status.

Brief description of the invention

The present invention presents a range of mechanisms that give database creators the ability to license access to the valuable databases they have created on a per-user basis (typically referred to as client access licensing, or CAL licensing), even though the database management system (DBMS) provides no explicit mechanism for doing so. A DBMS, sometimes just called a database manager, is a program that lets one or more computer users create and access data in a database. The DBMS manages user requests (and requests from other programs) so that users and other programs need not understand where the data is physically located on storage media or, in a multi-user system, who else may also be accessing the data. In handling user requests, the DBMS ensures the integrity of the data (making sure it remains accessible and consistently organised as intended) and its security (making sure only those with access privileges can access the data).

To this end the present invention provides a method of managing access to a database in which the database management system is modified by one or more of:

a) incorporating a licence check procedure as a stored procedure in the database;
b) using a connection event to trigger a licence verification of the user;
c) using connection strings to bind access to the database to a particular application;
d) using a cell calculation procedure modified to actuate a stored procedure that runs a licence verification of the user.

This invention utilises one or more of the following aspects of a database management system, the preferred system being the Microsoft SQL Server DBMS with an OLAP cube database, to effect licensing.

Stored Procedures

Most database systems allow you to create custom queries that can be parameterised and saved for later use, called stored procedures. These procedures can then be called from other queries. Rather than performing standard query operations, the invention uses a custom stored procedure to perform licence checks.

Connection Events

SQL Server 2008 allows you to trigger custom behaviours in response to new connections being established. The invention responds to these events by performing a licence check and, if the check does not pass, refusing the connection by throwing an exception.

Connection Strings

In some instances it may be desirable to bind access to the database to a particular application. The application inserts a token into the connection string, and another method inside the DBMS then checks that token.

Cell Calculations

Cell calculations are normally used to modify the numerical results of a database query. The invention instead creates a "root" cell calculation that applies to all cells (data) in a cube. Rather than performing an arithmetical operation, the cell calculation calls out to a custom stored procedure to perform a licence check. If the check succeeds, it returns the cell values unchanged. If it fails, it returns an error message in place of the data.

Detailed description of the invention

In this invention the method performs a license check by hooking into connection request events and calling a custom stored procedure. If the check fails, the connection is refused.

This procedure is illustrated in Figure 1.

The license itself is stored in an encrypted annotation in the database.

Detailed Example

The preferred embodiment is described with reference to the Microsoft SQL Server 2008 DBMS.

The Cube Wizard tool which creates the OLAP databases inserts the special codes and structures necessary to perform the licensing checks. These include (table partly recovered):

Component: Licence restriction information
Where deployed: In the cube (stored as an encrypted annotation, see below)
Purpose: Licence restrictions to enforce

Component: AS Assembly
Where deployed: An assembly on the Analysis Services server
Purpose: Performs licence checks and creates calculations for the MDX script to use

A .NET assembly containing special stored procedures is registered with the Analysis Services server; it uses the Personalization Extensions feature of SQL Server 2008 to handle log-in and log-out events. A stored procedure in the assembly reads the encrypted licence information from the cube and verifies that all the specified restrictions are complied with. These restriction types typically include:

Number of concurrent sessions per user (used to stop a single user account being used on behalf of many users): a count is kept against each user, which is incremented when they log in and decremented when they log out.

(Other restriction types listed in the original table were not recovered.)
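The connection-event check described above, as an added example that is not code from the patent or from Zap Holdings: a server-side checker that reads the licence blob written into the cube, enforces an allowed-user list, an expiry date and the per-user concurrent-session limit, and is driven by log-in and log-out events. The patent only says the annotation is "encrypted"; this example instead authenticates it with an HMAC under an assumed shared key (`LICENCE_KEY`, hypothetical), because a check that reads restrictions out of the cube is only as strong as its ability to notice that the restrictions were edited. The JSON restriction format, the user names and the dates are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Assumption: a key shared between the cube generator and the server-side
# assembly. How the real system keys its "encrypted annotation" is not described.
LICENCE_KEY = b"cube-wizard-demo-key"


def make_annotation(restrictions):
    """Cube generator side: restrictions as JSON, base64, plus an HMAC-SHA256 tag.
    Authenticating the blob (not merely encrypting it) is what lets the checker
    notice when someone edits the restrictions in place."""
    body = json.dumps(restrictions, sort_keys=True).encode()
    tag = hmac.new(LICENCE_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + tag


def read_annotation(annotation):
    """Server side: verify the tag before trusting any restriction."""
    b64, _, tag = annotation.rpartition(".")
    body = base64.b64decode(b64)
    expected = hmac.new(LICENCE_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("licence annotation failed integrity check")
    return json.loads(body)


class LicenceError(Exception):
    """Raised from the connection event so the connection is refused."""


class LicenceChecker:
    """Analogue of the stored procedure: reads the annotation once, then enforces
    its restrictions on every log-in while keeping a per-user session count."""

    def __init__(self, annotation, today):
        self.restrictions = read_annotation(annotation)
        self.today = today
        self.sessions = {}  # user -> number of currently open sessions

    def on_session_opened(self, user):
        r = self.restrictions
        if "expires" in r and self.today > date.fromisoformat(r["expires"]):
            raise LicenceError("licence expired on " + r["expires"])
        if "users" in r and user not in r["users"]:
            raise LicenceError("user %s is not licensed" % user)
        limit = r.get("max_sessions_per_user")
        current = self.sessions.get(user, 0)
        if limit is not None and current >= limit:
            raise LicenceError("user %s already has %d open sessions" % (user, current))
        self.sessions[user] = current + 1

    def on_session_closed(self, user):
        # Decrement on log-out so the count tracks concurrent, not cumulative, log-ins.
        if self.sessions.get(user, 0) > 0:
            self.sessions[user] -= 1


def demo():
    """Exercise the checker against a constructed licence; returns each outcome."""
    annotation = make_annotation({"users": ["alice", "bob"],
                                  "max_sessions_per_user": 2,
                                  "expires": "2011-12-31"})
    checker = LicenceChecker(annotation, today=date(2011, 8, 18))
    result = {}

    checker.on_session_opened("alice")
    checker.on_session_opened("alice")
    try:                                    # a third concurrent session is refused
        checker.on_session_opened("alice")
        result["third_session"] = "allowed"
    except LicenceError as e:
        result["third_session"] = str(e)

    checker.on_session_closed("alice")      # log-out frees a slot
    checker.on_session_opened("alice")
    result["alice_sessions"] = checker.sessions["alice"]

    try:                                    # a user outside the licence is refused
        checker.on_session_opened("mallory")
        result["mallory"] = "allowed"
    except LicenceError as e:
        result["mallory"] = str(e)

    # Forgery attempt: new restrictions pasted under the genuine tag.
    forged_body = json.dumps({"users": ["mallory"]}).encode()
    forged = base64.b64encode(forged_body).decode() + "." + annotation.rpartition(".")[2]
    try:
        read_annotation(forged)
        result["forged"] = "accepted"
    except ValueError:
        result["forged"] = "rejected"
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Two things the example makes visible that the text leaves implicit: the session count must be decremented on log-out (otherwise a user who disconnects uncleanly is locked out after a few days), and the key that authenticates the annotation lives on the same server as the assembly that checks it, so an administrator of that server can still re-sign whatever restrictions they like; the check defends against casual editing of the cube, not against the host.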

Restricting Cube Access and Communicating With Users Through Generated Results

One of the key innovations of the present invention is the manner in which it utilizes existing mechanisms of the underlying databases themselves or their host DBMS in order to restrict access or communicate with the end user, regardless of the reporting application they are using.

Calculated Members

If there are any licence errors, a calculated member containing the error message is created just for this user. Their view of the data, in whatever application they are using, then displays the message, without affecting other users: rather than seeing the data they were expecting, each table cell contains the message from the licensing system.

On the other hand, if the licence check was successful, then a special success calculated member is created for that user.

Cell Calculations

The SQL Server OLAP cube is created with a special script that applies to all cells (elements of data returned). Through this hook we can perform the licence checks and modify the results returned to the user. It references the calculated members just created by the stored procedure above, using the following logic:

    IF success calculation exists THEN
        display data
    ELSE IF error calculation exists THEN
        display error calculation
    ELSE
        display licensing installation error
    END IF

Counter-Hack

For a licensing system to be effective, it must not be trivial to circumvent. The special scripts and modifications made by the OLAP database generation tool could be removed manually at a later date, provided the person trying to circumvent the system knew what to look for.

The cube has a hidden MDX script which generates an error if the required stored procedures are not installed on the server.

If these mechanisms are removed, the data will quickly become stale again and it will be necessary to run the Cube creation Wizard again. This process ensures that all licensing components exist on every run, so the circumvention would need to be repeated every time the wizard runs, which is usually at least daily. The labour involved acts as a deterrent to unauthorised access. Note that this is a deterrent rather than a hard control: an administrator of the Analysis Services instance can still remove the assembly and the MDX script, and the scheme only raises the cost of doing so between wizard runs.

Another method is illustrated in Figure 2.

Not all DBMSs provide a hook for connection events. In these cases (e.g. Microsoft SQL Server 2005) another approach is required.

A third approach restricts access to the database indirectly, by restricting access to a specific application; the licensing of that application in turn decides which users can access the database. It uses both the connection strings used to connect to the cubes and the cell calculations used inside the cube.
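The cell-calculation branch logic given earlier and the connection-string binding described here (claim 3), as one added example that is not code from the patent or from Zap Holdings: the licensed application mints a token bound to the user, the application identity and an expiry, places it in the connection string, and the cube's root cell calculation returns data, the user's own error message, or the "licensing installation error" when no calculated member exists for that user at all. The token format, the `LicenceToken` connection-string key, the shared `APP_KEY` and the application name `ZapReporting` are all assumptions for the example; the patent specifies none of them. The cube data and clock value are constructed.

```python
import hashlib
import hmac

# Assumptions: the reporting application and the server-side assembly share
# this key, and the licensed application identifies itself as APP_ID.
APP_KEY = b"reporting-app-demo-key"
APP_ID = "ZapReporting"


def issue_token(user, app_id, expires_at, key=APP_KEY):
    """Application side: once it has verified the user is licensed, it mints a
    token binding user, application and expiry (Unix seconds) under the key."""
    payload = "%s|%s|%d" % (user, app_id, expires_at)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def parse_connection_string(cs):
    """'Data Source=olap;Catalog=Sales;LicenceToken=...' -> {lower key: value}."""
    pairs = (part.split("=", 1) for part in cs.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def verify_token(token, now, key=APP_KEY):
    """Server side. None when the token is good, otherwise the message that the
    per-user error calculated member should carry."""
    parts = token.split("|")
    if len(parts) != 4:
        return "Licence error: malformed token"
    user, app_id, exp, tag = parts
    expected = hmac.new(key, ("%s|%s|%s" % (user, app_id, exp)).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # forged or re-signed token
        return "Licence error: token signature invalid"
    if app_id != APP_ID:                            # bound to the wrong application
        return "Licence error: application %s is not permitted" % app_id
    if not exp.isdigit() or now > int(exp):         # replayed after expiry
        return "Licence error: token for %s has expired" % user
    return None


class LicensedCube:
    """Cube whose root cell calculation routes every read through the licence
    state created at connect time, with the three-way branch of the MDX logic."""

    def __init__(self, cells):
        self.cells = cells      # (row, column) -> value, constructed data
        self.members = {}       # user -> ("success", None) | ("error", message)

    def on_connect(self, connection_string, now):
        """Connection event: check the token once, create the calculated member."""
        cs = parse_connection_string(connection_string)
        token = cs.get("licencetoken")
        user = cs.get("user id", "unknown")
        if token is None:
            error = "Licence error: no LicenceToken in connection string"
        else:
            user = token.split("|")[0] or user
            error = verify_token(token, now)
        self.members[user] = ("success", None) if error is None else ("error", error)
        return user

    def read_cell(self, user, coords):
        """Root cell calculation: data, the user's error member, or the
        installation error when the licensing check never ran for this user."""
        state = self.members.get(user)
        if state is None:
            return "Licensing installation error"
        if state[0] == "success":
            return self.cells[coords]
        return state[1]


def demo():
    now = 1_300_000_000                       # constructed clock value
    cube = LicensedCube({("2011", "Sales"): 42})
    cell = ("2011", "Sales")
    cases = {
        "alice": issue_token("alice", APP_ID, now + 3600),        # valid
        "bob": issue_token("bob", APP_ID, now - 1),               # expired
        "eve": issue_token("eve", APP_ID, now + 3600, key=b"x"),  # forged
        "dan": issue_token("dan", "Excel", now + 3600),           # wrong application
    }
    for tok in cases.values():
        cube.on_connect("Data Source=olap;Catalog=Sales;LicenceToken=" + tok, now)
    out = {user: cube.read_cell(user, cell) for user in cases}
    out["carol"] = cube.read_cell("carol", cell)  # never went through the check
    return out


if __name__ == "__main__":
    for user, value in demo().items():
        print(user, "->", value)
```

The caveat a practitioner would add to this approach: the token sits in a connection string that the client process can read, so it must be unforgeable (hence the HMAC) and short-lived (hence the expiry), because anything a client can copy out of its own connection string it can replay for as long as the token stays valid. Binding the token to the application name only holds if the key stays inside the application and the server; a key embedded in a client binary is recoverable.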

From the above, those skilled in the art will realise that this invention provides a way of licensing a third-party-created cube or database without having to alter the application that runs the query. Those skilled in the art will also realise that this invention may be implemented in embodiments other than those described.

Claims

1. A computer executable method of managing access to a database in which the database management system is modified by one or more of
   a) incorporating a licence check procedure as a stored procedure in the database;
   b) using a connection event to trigger a licence verification of the user;
   c) using connection strings to bind access to the database to a particular application;
   d) using a cell calculation procedure modified to actuate a stored procedure to run a licence verification of the user.

2. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database, and a connection event triggers the database to run the stored procedure to verify the user.

3. A computer executable method as claimed in claim 1 in which the database is a multidimensioned database and the program which creates the database deploys licence verification routines as stored procedures into the database and modifies a cell calculation to trigger a stored procedure; the application that is used to request data includes a routine that verifies that the user is licensed and generates a token which is incorporated into the connection string, and when the request is made the cell calculation verifies the token in the connection string.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
AU2010900507 | 2010-02-09 | | 

Publications (1)

Publication Number | Publication Date
WO2011097670A1 (en) | 2011-08-18

Family

ID=44367051

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
PCT/AU2011/000127 (WO2011097670A1, en) | Database access licence management | 2010-02-09 | 2011-02-08

Country Status (1)

Country | Link
WO (1) | WO2011097670A1 (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party

Publication number | Priority date | Publication date | Assignee | Title
US20010011253A1 (en) * | 1998-08-04 | 2001-08-02 | Christopher D. Coley | Automated system for management of licensed software
US6898707B1 (en) * | 1999-11-30 | 2005-05-24 | Accela, Inc. | Integrating a digital signature service into a database
US20050086213A1 (en) * | 2003-10-16 | 2005-04-21 | Fuji Xerox Co., Ltd. | Server apparatus, information providing method and program product therefor
US20060064387A1 (en) * | 2004-09-22 | 2006-03-23 | Siemens Information And Communication Networks, Inc. | Systems and methods for software licensing
US20060224522A1 (en) * | 2005-04-01 | 2006-10-05 | Schlumberger Technology Corporation | Method and system for database licensing
CA2674332A1 (en) * | 2008-08-01 | 2010-02-01 | Simba Technologies Inc. | Method and system for using queries for multidimensional databases with databases of other types



Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11741745; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct app. not ent. europ. phase | Ref document number: 11741745; Country of ref document: EP; Kind code of ref document: A1