This invention relates generally to databases, and more particularly to methods for efficiently managing permissions of database users with respect to database objects.
Enterprises and other large organizations frequently employ large and complex database systems for storing critical information to which a large number of users may require access. For security, data integrity and other reasons, it is necessary to manage and control the permissions ("privileges") that users have to access, change or create data in the database. This is typically handled with two different types of privilege: system privileges and object privileges. System privileges are database user-centric. They are system wide and apply to database users according to role. They may include, for example, the ability to access an external table, to create a database table, or to create roles and assign users to them, where a role is a classification comprising a logical grouping of privileges applicable to a particular user. Object privileges, in contrast, are database object-centric. They are still granted to a particular database user, but only with respect to a given database object. Object privileges are typically defined separately for the various operations or functions possible on a database object, such as a table, and include, for example, the rights to read or write the table.
It is frequently necessary to add or drop database users, or to change the system privileges of users and their privileges with respect to particular objects. Additionally, it is also necessary at times to add new objects and to extend privileges to these. System privileges are typically stored in a system privilege table that lists each user on a separate row, and that user's privileges in separate columns. In such a layout each new privilege, and each new object to which privileges are to be extended, requires a new column, i.e., a change to the table's schema rather than the insertion of a row. Updating a system privilege table to accommodate changes such as the foregoing can therefore be a resource intensive and time-consuming effort.
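As an added illustration (not code from the patent, and not the method it claims), the following Python script builds the user-per-row, privilege-per-column system privilege table described above in an in-memory SQLite database, applies the kind of change the text describes (a new system privilege and a new object granted to a user), and contrasts the result with a row-per-grant layout, which is a common alternative. All table, user, privilege and object names are constructed for the example; only the standard-library `sqlite3` module is used. Both privilege checks are written default-deny, so a missing user or missing grant is refused rather than raising.

```python
import sqlite3

# Constructed sample data, not taken from the original page.
WIDE_ROWS = [("alice", 1, 1), ("bob", 1, 0), ("carol", 0, 0)]
SYS_GRANTS = [("alice", "CREATE TABLE"), ("alice", "CREATE ROLE"), ("bob", "CREATE TABLE")]
OBJ_GRANTS = [("alice", "orders", "READ"), ("alice", "orders", "WRITE"), ("bob", "orders", "READ")]


def build_wide_table(conn):
    """System privilege table in the layout described above: one row per user,
    one column per privilege.  Each new privilege is a schema change."""
    conn.execute(
        "CREATE TABLE sys_priv_wide ("
        " user_name TEXT PRIMARY KEY,"
        " create_table INTEGER NOT NULL DEFAULT 0,"
        " create_role INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO sys_priv_wide VALUES (?, ?, ?)", WIDE_ROWS)


def add_wide_privilege(conn, column):
    # Identifiers cannot be bound as SQL parameters, so the column name is
    # validated here; it must come from code, never from an untrusted caller.
    if not column.isidentifier():
        raise ValueError("bad privilege column name")
    conn.execute(f"ALTER TABLE sys_priv_wide ADD COLUMN {column} INTEGER NOT NULL DEFAULT 0")


def has_wide_privilege(conn, user, column):
    if not column.isidentifier():
        raise ValueError("bad privilege column name")
    row = conn.execute(
        f"SELECT {column} FROM sys_priv_wide WHERE user_name = ?", (user,)).fetchone()
    return bool(row and row[0])  # unknown user or a 0 flag both mean "denied"


def build_grant_tables(conn):
    """Row-per-grant layout (a common alternative, not the patent's method):
    adding a privilege, user or object is an INSERT, not a schema change."""
    conn.execute(
        "CREATE TABLE sys_priv (user_name TEXT, privilege TEXT,"
        " PRIMARY KEY (user_name, privilege))")
    conn.execute(
        "CREATE TABLE obj_priv (user_name TEXT, object_name TEXT, operation TEXT,"
        " PRIMARY KEY (user_name, object_name, operation))")
    conn.executemany("INSERT INTO sys_priv VALUES (?, ?)", SYS_GRANTS)
    conn.executemany("INSERT INTO obj_priv VALUES (?, ?, ?)", OBJ_GRANTS)


def has_sys_privilege(conn, user, privilege):
    # Default deny: no row means no privilege.  All values are bound parameters.
    return conn.execute(
        "SELECT 1 FROM sys_priv WHERE user_name = ? AND privilege = ?",
        (user, privilege)).fetchone() is not None


def has_obj_privilege(conn, user, object_name, operation):
    return conn.execute(
        "SELECT 1 FROM obj_priv WHERE user_name = ? AND object_name = ? AND operation = ?",
        (user, object_name, operation)).fetchone() is not None


def demo():
    """Apply the same change to both layouts: grant bob a new system privilege
    (access to an external table) and READ on a new object ('customers')."""
    conn = sqlite3.connect(":memory:")
    build_wide_table(conn)
    build_grant_tables(conn)
    out = {}
    # Wide layout: the privilege needs a new column before any user can hold it.
    add_wide_privilege(conn, "access_external_table")
    conn.execute("UPDATE sys_priv_wide SET access_external_table = 1 WHERE user_name = ?", ("bob",))
    out["wide_bob_ext"] = has_wide_privilege(conn, "bob", "access_external_table")
    out["wide_carol_ext"] = has_wide_privilege(conn, "carol", "access_external_table")
    out["wide_unknown_user"] = has_wide_privilege(conn, "mallory", "create_table")
    out["wide_columns"] = [r[1] for r in conn.execute("PRAGMA table_info(sys_priv_wide)")]
    # Grant layout: the same changes are plain row inserts.
    conn.execute("INSERT INTO sys_priv VALUES (?, ?)", ("bob", "ACCESS EXTERNAL TABLE"))
    conn.execute("INSERT INTO obj_priv VALUES (?, ?, ?)", ("bob", "customers", "READ"))
    out["grant_bob_ext"] = has_sys_privilege(conn, "bob", "ACCESS EXTERNAL TABLE")
    out["grant_carol_ext"] = has_sys_privilege(conn, "carol", "ACCESS EXTERNAL TABLE")
    out["grant_bob_customers_read"] = has_obj_privilege(conn, "bob", "customers", "READ")
    out["grant_bob_customers_write"] = has_obj_privilege(conn, "bob", "customers", "WRITE")
    # Revoking one object privilege touches one row, never the schema.
    conn.execute("DELETE FROM obj_priv WHERE user_name = ? AND object_name = ? AND operation = ?",
                 ("alice", "orders", "WRITE"))
    out["grant_alice_orders_write"] = has_obj_privilege(conn, "alice", "orders", "WRITE")
    conn.close()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the two layouts is where a change lands: in the wide table the new privilege appears as a fourth column of `sys_priv_wide` and must exist before any user can be granted it, while in the grant tables both the new privilege and the new object are single inserts, and a revocation is a single delete. The column-name validation in the wide-layout functions is there because a column name cannot be passed as a bound parameter; whichever layout is used, user-supplied strings belong only in parameter slots.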
Accordingly, it is desirable to afford more flexible and efficient approaches for managing database permissions and privileges, and it is to these ends that the present invention is directed.