This invention relates generally to an improved method for object oriented programming and more particularly, to a system and method for adding property level security to an Object Oriented Database (OODB).
In recent years, the use of object oriented programming (OOP) languages to build software applications has increased. An object is a distinct unit in a program that is made up of a plurality of properties having attributes, relationships or methods. Based on these properties, objects can have certain characteristics and can perform certain actions. An object oriented programming language encapsulates an object's characteristics and behaviors within a single block of source code. Thus, programmers can simply create a new object that inherits many of its features from existing objects. This approach makes OOP more efficient than conventional programming techniques for developing software applications.
As the use of OOP languages has increased, so has the use of Object Oriented Databases (OODBs). OODBs allow objects created in these applications to be stored, managed, and retrieved more efficiently than standard relational databases. Due to the popularity of OOP, demand has risen for larger sized OODBs with the capacity to handle multiple users. As OODBs grow in size and more users are added, the need for regulating access to the databases arises. To regulate how the information in the database is modified or deleted, developers have implemented different types of database security (also referred to as "user access control"). Currently, OODBs use two types of user access controls: database level access and conventional object level access. Database level access control gives the user either complete access or no access to any of the information in the database. Current object level access controls regulate user access to each object individually, but they require additional overhead.
Database users often access related pieces of information. An access domain is a group of properties containing data that is related in such a way that a user would want to access the group all at once. For example, in a database containing requirements for the construction of a naval vessel, all information regarding electrical requirements would be located in one access domain. An electrical engineer would be interested in only those requirements having to do with electrical systems. To this end, database and object level security provides a flexible means to control access to information as long as the access domains are organized so that a domain covers a single object or groups of objects. As described below, solutions restricting a user to specific properties of an object are inefficient.
In general, each object contains information that covers multiple domains, such as cost, physical, electrical, performance, power, and human related attributes as well as interconnections (relationships) with other objects in the system. FIGS. 1A-1C show conventional methods for providing object level user access control to OODBs. FIG. 1A shows an object 100 having properties P1-P8. Object 100 further has domains A, B, and C, where domain A contains properties P1-P4, domain B contains properties P5-P8 and domain C contains properties P3-P6.
To provide object level security, using conventional techniques, object 100 is partitioned into sub-objects 101-104 as shown in FIG. 1B. As further shown in FIG. 1B, sub-object 101 contains properties P1-P2, sub-object 102 contains properties P3-P4, sub-object 103 contains properties P5-P6 and sub-object 104 contains properties P7-P8. Accordingly, access is controlled by object level security through limiting each user's access to, for example, sub-objects 101 and 102. To the user, access to these specific properties is intended to appear as access to domain A. Using this technique precludes the control of a fourth domain, for example, domain D, after object 100 has been partitioned. Since a fixed number of domains must be determined up front, modification of the partitioned object 100 becomes extremely difficult.
To overcome the above-described problem, one product, COR, has attempted to provide security access at the property level. Using a second conventional object level security approach, each property P1 to P8 is partitioned into its own sub-object 100-1 to 100-8, as shown in FIG. 1C. Although this approach is more flexible, the division of objects into a plurality of sub-objects further increases the complexity of object management using conventional methods. Instead of managing just one object, the database must manage multiple sub-objects as well. Here, the database must determine which sub-objects hold the information it needs while keeping track of all of them. As the number of objects increases, the system becomes bogged down with the increased overhead. Thus, conventional object level security approaches are disadvantageous.
As specialization continues to increase with system complexity, individual professionals will access only selected domains of information, some of which will span subsets of multiple objects. For example, a network engineer may require access to electrical and performance domains as well as relationships specifying interconnections, but not necessarily to cost information. Therefore, there is a need to control access at the domain level. Since domains consist of a group of one or more properties and domains can overlap, there is a need to efficiently control access at the property level. There is also a need for improved object level access control for cases where an object contains properties that cover multiple domains. OODB vendors, for example, Versant Corp., Object Design, Computer Associates, GemStone Systems, Inc. and Ardent Software, Inc. have not provided this level of access control or security. Accordingly, there is a need for property level access control that can be implemented in a flexible and efficient manner.
Embodiments of the present invention solve the problems encountered in the prior art by providing flexible property level security for controlling user access to information within a single object. Property level access control specifies who can access each piece of information (property) within an object of an OODB. Embodiments of the present invention include a database comprising at least one object, the object containing at least one property and a property access control list comprising at least one property level permissions set. The property access control list may be used to control user access at the property level of an OODB. The present invention may further include a group access list including the identity of groups that have access to the property.
Other embodiments of the present invention may comprise a database comprising at least one object, and at least one object level permissions control number. The object level permissions control number may be used to control user access at the object level of an OODB. The present invention may further include a group access list including the identity of groups that have access to the object. Further, the present invention may be embodied in an ontology management system (OMS) supporting an OODB.
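The following example is added here to illustrate the two embodiments described above; it is not code from the patent and the patent does not prescribe any particular data layout. It models a single object whose properties P1-P8 are grouped into the overlapping domains A, B and C of FIG. 1A, a property access control list holding one permissions set per property and group (the groups present for a property form its group access list), and an object level permissions control number per group, encoded here as an integer whose bits are read/write flags. Combining the property level and object level checks in one object, the flag-bit encoding, and all group names and values are assumptions made for the example. It also shows the point of the approach: a fourth domain D can be granted after the fact without partitioning the object into sub-objects.

```python
"""Property level and object level access control for one OODB object.

Added illustration of the described embodiments (not the patent's code).
The bit encoding of permissions and the combination of both checks in a
single object are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, Iterable, List


class Perm(Flag):
    NONE = 0
    READ = auto()   # bit 0 of a permissions control number
    WRITE = auto()  # bit 1 of a permissions control number


@dataclass
class PropertyACL:
    # property name -> (group name -> permissions set)
    entries: Dict[str, Dict[str, Perm]] = field(default_factory=dict)

    def grant(self, prop: str, group: str, perm: Perm) -> None:
        per_group = self.entries.setdefault(prop, {})
        per_group[group] = per_group.get(group, Perm.NONE) | perm

    def permitted(self, prop: str, groups: Iterable[str], perm: Perm) -> bool:
        per_group = self.entries.get(prop, {})
        return any(perm in per_group.get(g, Perm.NONE) for g in groups)

    def group_access_list(self, prop: str) -> List[str]:
        # groups that hold any permission on this property
        return sorted(g for g, p in self.entries.get(prop, {}).items() if p != Perm.NONE)


@dataclass
class SecuredObject:
    oid: str
    properties: Dict[str, object]
    # object level permissions control number per group (assumed encoding:
    # integer whose bits are Perm values); gates the object as a whole
    object_control: Dict[str, int] = field(default_factory=dict)
    acl: PropertyACL = field(default_factory=PropertyACL)

    def _object_allows(self, groups: Iterable[str], perm: Perm) -> bool:
        return any(perm in Perm(self.object_control.get(g, 0)) for g in groups)

    def _allowed(self, prop: str, groups: Iterable[str], perm: Perm) -> bool:
        groups = list(groups)
        return self._object_allows(groups, perm) and self.acl.permitted(prop, groups, perm)

    def read(self, prop: str, groups: Iterable[str]) -> object:
        if not self._allowed(prop, groups, Perm.READ):
            raise PermissionError(f"{prop} of {self.oid} not readable by {sorted(groups)}")
        return self.properties[prop]

    def write(self, prop: str, groups: Iterable[str], value: object) -> None:
        if not self._allowed(prop, groups, Perm.WRITE):
            raise PermissionError(f"{prop} of {self.oid} not writable by {sorted(groups)}")
        self.properties[prop] = value

    def visible_properties(self, groups: Iterable[str]) -> List[str]:
        groups = list(groups)
        return [p for p in self.properties if self._allowed(p, groups, Perm.READ)]


# Domains of FIG. 1A: A and B partition the object, C overlaps both.
DOMAINS = {
    "A": ["P1", "P2", "P3", "P4"],
    "B": ["P5", "P6", "P7", "P8"],
    "C": ["P3", "P4", "P5", "P6"],
}


def grant_domain(obj: SecuredObject, props: Iterable[str], group: str, perm: Perm) -> None:
    # A domain grant is just a per-property grant over the domain's members.
    for prop in props:
        obj.acl.grant(prop, group, perm)


def can_read(obj: SecuredObject, prop: str, groups: Iterable[str]) -> bool:
    try:
        obj.read(prop, groups)
        return True
    except PermissionError:
        return False


def build_example() -> SecuredObject:
    # Constructed sample object and group names (hypothetical).
    obj = SecuredObject("vessel-42", {f"P{i}": f"value{i}" for i in range(1, 9)})
    obj.object_control = {
        "electrical": (Perm.READ | Perm.WRITE).value,  # control number 3
        "cost": Perm.READ.value,                       # control number 1
        "network": Perm.READ.value,                    # control number 1
    }
    grant_domain(obj, DOMAINS["A"], "electrical", Perm.READ | Perm.WRITE)
    grant_domain(obj, DOMAINS["B"], "cost", Perm.READ)
    grant_domain(obj, DOMAINS["C"], "network", Perm.READ)
    return obj


if __name__ == "__main__":
    o = build_example()
    print("network sees:", o.visible_properties(["network"]))
    # A fourth domain D is added later without repartitioning the object.
    grant_domain(o, ["P1", "P8"], "network", Perm.READ)
    print("network sees after D:", o.visible_properties(["network"]))
```

Because permissions are recorded per property rather than per sub-object, the database still manages one object, and a user in two groups simply sees the union of the properties those groups may read.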
Accordingly, the present invention overcomes the deficiencies of the prior art by providing a system and method for applying property level controls to properties of OODB objects. Further, the present invention provides enhanced and efficient user access control at the object level.