Who is the assignee on this patent?

Byun Ji Won, Chui Chi Ching, Wong Daniel Manhung, and 2 more

What technology area does this patent fall under?

Primary CPC classification G06F21/6209. Mapped technology areas include Physics.

When was this patent published?

Publication date Tue Jan 21 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Method and apparatus for securing a database configuration

US10540508B2 · US · B2

Patent metadata
Field	Value
Publication number	US-10540508-B2
Application number	US-56146109-A
Country	US
Kind code	B2
Filing date	Sep 17, 2009
Priority date	Sep 17, 2009
Publication date	Jan 21, 2020
Grant date	Jan 21, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) from modifying the configuration of the database object, without restricting the user from accessing the database object itself. The security officer is a trusted user that is responsible for maintaining the stability of the database configuration, such that a configuration lock activated by the security officer preserves the database configuration by overriding the privileges assigned to a database administrator.

First claim

Opening claim text (preview).

What is claimed is: 1. A computer-implemented method, comprising: receiving a user command executable by a database management system (DBMS); determining that the user command invokes a first lock, which is facilitated by the DBMS, for a first role defined in a database, wherein the first lock is a configuration lock that prevents any database user from granting or revoking the first role in the database; in response to the determination, applying, by the DBMS, the first lock in the database to the first role; and in response to receiving any command that requests a grant or revocation of the first role or a grant or revocation of a second role that is an ancestor role of the first role, preventing the command from being executed on the DBMS. 2. The computer-implemented method of claim 1 , wherein the first lock is activated by a security officer associated with the first role, wherein the security officer is a trusted user that is responsible for maintaining the stability of the database configuration, and wherein the security officer is different from a database administrator. 3. The computer-implemented method of claim 1 , wherein the first lock locks the configuration of the first role. 4. The computer-implemented method of claim 1 , wherein applying the first lock comprises applying the first lock to the second role, thereby preventing a grant or revocation of the second role. 5. The computer-implemented method of claim 1 , wherein the first lock is applied upward to a respective role in a role-hierarchy of the first role, wherein the role-hierarchy of the first role includes the second role and any ancestor role thereof. 6. The computer-implemented method of claim 1 , wherein the command is from a user with a privilege to grant any role or a user who has been granted the role with an admin option. 7. The computer-implemented method of claim 1 , further comprising: activating, by the DBMS, a second lock in the database for a database object, wherein a third role has a privilege to modify a configuration of the database object in the database, wherein the second lock prevents modifications to the configuration of the database object by any user of the third role without changing the privileges assigned to the third role, and wherein activating the second lock does not restrict any user of the third role from modifying the contents of the database object; in response to determining that a command, which is from a user of the third role, modifies the configuration of the database object, preventing the command from modifying the configuration of the database object; and in response to determining that the command does not modify the configuration of the database object, allowing the command to modify the contents of the database object. 8. The computer-implemented method of claim 7 , wherein the database object is one of: a user account, a table object, a table view, a database trigger, and a procedure, and wherein activating the second lock prevents any user of the third role from performing one or more operations selected from the group consisting of: deleting the database object; modifying the current state of the database object; modifying or replacing a definition for the database object; and modifying an audit policy associated with the database object. 9. The computer-implemented method of claim 1 , further comprising: activating a system-wide lock for the database to prevent modifications to the configuration of the database by a user associated with a fourth role, without changing the privileges assigned to the fourth role. 10. The computer-implemented method of claim 9 , further comprising: receiving a configuration-modifying command from the user associated with the fourth role; determining whether the user has followed a workflow authorization procedure that allows the user to execute the command; and in response to determining that the user has followed the workflow authorization procedure, executing the configuration-modifying command on the DBMS. 11. A computer-implemented method, comprising: receiving a user command executable by a database management system (DBMS); determining that the user command invokes a first lock, which is facilitated by the DBMS, for a first role defined in a database, wherein the first lock is a configuration lock that prevents any privilege and any role from being granted to or revoked from the first role in the database; in response to the determination, applying, by the DBMS, the first lock to the first role; and in response to receiving any command that requests a grant or revocation of a role or a privilege for the first role or a second role that is a descendant role of the first role, preventing the command from being executed on the DBMS. 12. The computer-implemented method of claim 11 , wherein the first lock is activated by a security officer associated with the first role, wherein security officer is a trusted user that is responsible for maintaining the stability of the database configuration, and wherein the security officer is different from a database administrator. 13. The computer-implemented method of claim 11 , wherein the first lock locks the configuration of the first role. 14. The computer-implemented method claim 11 , wherein applying the first lock comprises activating the first lock for the second role, thereby preventing a privilege or role from being granted or revoked from the second role. 15. The computer-implemented method of claim 11 , wherein the first lock is applied downward to a respective role in a role-hierarchy of the first role, wherein the role-hierarchy of the first role includes the second role and any descendant role thereof. 16. The computer-implemented method of claim 11 , wherein the command is from a user with a privilege to grant any role. 17. The computer-implemented method of claim 11 , further comprising: activating, by the DBMS, a second lock in the database for a database object, wherein a third role has a privilege to modify a configuration of the database object in the database, wherein the second lock prevents modifications to the configuration of the database object by any user of the third role without changing the privileges assigned to the third role, and wherein activating the second lock does not restrict any user of the third role from modifying the contents of the database object; in response to determining that a command, which is from a user of the third role, modifies the configuration of the database object, preventing the command from modifying the configuration of the database object; and in response to determining that the command does not modify the configuration of the database object, allowing the command to modify the contents of the database object. 18. The computer-implemented method of claim 17 , wherein the database object is one of: a user account, a table object, a table view, a database trigger, and a procedure, and wherein activating the second lock prevents any user of the third role from performing one or more operations selected from the group consisting of: deleting the database object; modifying the current state of the database object; modifying or replacing a definition for the database object; and modifying an audit policy associated with the database object. 19. The computer-implemented method of claim 11 , further comprising: activating a system-wide lock for the database to prevent modifications to the configuration of the database by a user associated with a fourth rol

Assignees

Inventors

Classifications

G06F16/217
Database tuning (G06F16/2282 takes precedence; database performance monitoring G06F11/3409) · CPC title
G06F21/6209Primary
to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title
G06F16/2343
Locking methods, e.g. distributed locking or locking implementation details · CPC title

Patent family

Related publications grouped by family.

View patent family 43731759

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10540508B2 cover?: One embodiment of the present invention provides a system that secures a database configuration from undesired modifications. This system allows a security officer to issue a configuration-locking command, which activates a lock for the configuration of a database object. When a configuration lock is activated for a database object, the system prevents a user (e.g., a database administrator) fr…
Who is the assignee on this patent?: Byun Ji Won, Chui Chi Ching, Wong Daniel Manhung, and 2 more
What technology area does this patent fall under?: Primary CPC classification G06F21/6209. Mapped technology areas include Physics.
When was this patent published?: Publication date Tue Jan 21 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).