The present invention relates to databases and, more particularly, to controlling access to a database.
Databases are used to store data in a manner that facilitates subsequent use of the data. Typically, a database includes several tables containing one or more records. A record in a table stored in the database can hold information about a subject or item in its various fields.
To allow a user to more easily access and manage data stored in databases, database programs have been developed. Database programs, among other things, often provide a user interface, which allows the user to conveniently interact with the database program in order to perform various operations on the data stored in the database. The interface provided by the database program is typically a graphical user interface which allows the user to conveniently interact with the database program and, in turn, with the database. The user may interact with the graphical user interface to, for example, view the data in various ways. The visual representations provided to the user can include, for example, a browse mode. The browse mode allows records to be viewed, changed, sorted, deleted, or added.
As noted above, a database program allows users to conveniently access data stored in a local database. It should be noted that a database program (or product) could also be provided as a database server (or host), which allows a client (or a guest) to access data in a database that is stored in a remote location with respect to the client. Generally, a first database program can, for example, be connected to a second database program over a computer network. In any case, one database program can act as a “client” (or guest) and establish a connection to the other database program, which acts as a “server” (or host) to a database. The client database program can, in turn, provide the end-user (e.g., a human, or application program) with access to data, which is stored remotely.
Conventional database server programs (or products), however, can be configured only to grant access to a database based on a set of database accounts, which are typically defined by a database administrator, or alternatively to grant access based on a set of operating system accounts, which are typically defined by a system administrator. These operating system accounts are typically a set of general purpose accounts associated with different categories of access privilege (e.g., “admin,” “manager,” “data-entry-only”).
These different categories of access privileges are typically assigned to several different users. For example, several different individuals may be assigned the access level “manager.” This approach, however, does not allow a particular user to be identified when an external account is used, and thus may not adequately support a secure environment and/or allow monitoring (or logging) of activities initiated using external accounts. In addition, access privileges cannot be easily modified (or updated) when general categories of access privileges are used (because access privilege is not defined per individual user). For example, if a particular manager leaves, the “manager” access level should be changed for security reasons. As a result, several other managers may have to be assigned a new access level.
Moreover, conventional techniques do not allow configuring a server database product (or program) such that both database and operating system accounts can be used together to control access to a database. In other words, conventional database server products control access to a database either entirely based on non-database accounts (e.g., operating system accounts), or entirely based on a set of identifiers (e.g., access keys), which are typically maintained and administered separately from the non-database accounts.
As database products are more commonly used to access databases in corporate environments, the need for integration of databases with corporate computing systems becomes more prevalent. Accordingly, improved techniques for controlling access to databases are needed.