1. Technical Field
The present invention relates generally to data processing and, more particularly, to techniques in a data processor for implementing effective date constraints in a role hierarchy.
2. Background Art
Computers are used to store and manage many types of data. Sensitive data is a common form of data that computer systems store and manage. Sensitive data refers broadly to any data that represents non-public information that might adversely affect the privacy or security of a person or organization if revealed to persons who should not be trusted with the information.
Increasingly, businesses and organizations are using role-based access control to control access to sensitive data managed by computer systems. In role-based access control, privileges to perform operations are assigned to roles, and users acquire privileges through the roles to which they are assigned. Because users are not assigned privileges directly, but instead acquire privileges through the roles to which they are assigned, management of individual user privileges is simplified. For example, management of individual user rights is a matter of assigning appropriate roles to the user.
When used to enforce role-based access control, computers are typically deployed in either a two-tier client/server environment or in a three-tier client/server architecture. In a two-tier client/server environment, a client process receives a data access command (e.g., a database query) from a user and connects directly to a server process. In such two-tier architectures, the server process is capable of executing the user's data access command directly against stored sensitive data. In a three-tier client/server architecture, the client process is indirectly connected to the server process through one or more application processes. In such three-tier architectures, an application process submits data access commands to the server process on the user's behalf.
In either case, whether a user's client process is connected directly to a server process or connected indirectly through an application process, a multi-user computer system executing the server process typically establishes a user session for the user. A user session typically includes data that identifies the user of the multi-user computer system. For example, the data may include information such as the user's user name, the network address of the network device executing the user's client process, and other details. In addition, in multi-user systems that implement role-based access control, the session data may indicate which roles are currently active for the user. The multi-user system may use this data to enforce role-based access control policies when processing data access requests from the user.
Typically, a multi-user system establishes a user session for a user after the user successfully authenticates with the system. For example, the system might establish a user session after successfully verifying a username and password provided by the user. As part of establishing a user session, the system may read data from a database and store the data (or data derived based on data read from the database) in a memory cache where it is more quickly accessed by the system than if accessed from the actual database itself (which is typically stored on a relatively slow data storage medium such as a hard disk). For example, in a multi-user system that implements role-based access control, the system may read and process data from a database to determine a set of one or more roles that have been assigned to the authenticated user. The determined set of roles may then be stored as user session data in the memory cache. Thereafter, during the user's session, when the user requests the system to perform a data access operation that requires a privilege, the system can quickly access role information for the user that is necessary to determine whether the user has acquired the necessary privilege.
There is, however, significant computational cost to establishing a user session. This cost may result from having to read data from a database. In addition, some session data, such as the set of roles assigned to a user, may have to be derived by executing an algorithm on data read from a database. Consequently, for purposes of computational efficiency, a multi-user system typically establishes a single user session that spans many user-initiated data access operations. For example, the system might establish a single user session that spans the life of the connection between the user's client process and the system. The user may submit many data access commands over such a connection. As a connection may span many hours or even many days, a user's session may also span many hours or many days. The system does this in lieu of establishing a new user session each time a user submits a data access command to the system.
A multi-user system may also allow the specification of a time period during which a user's account is active. For example, a business may want to ensure that a contractor has access to sensitive data only during the contractor's contract time period. Accordingly, the contractor's user account may have an associated contract start time and a contract end time. As a user session for a user can span a significant length of time, it is possible that an effective time period associated with the user's account may expire during the user's session. However, as the calculation of user privileges is typically performed only once when the user's session is established, typical multi-user systems do not account for the effect of the passage of time on user privileges during a user's session. This is undesirable from the standpoint that a user can exercise privileges even after the time period in which the user was authorized to exercise the privileges has expired.
One solution to this is to re-establish a user's session each time the user submits a data access operation. However, as indicated previously, this solution is impractical for almost all multi-user systems because of the cost associated with establishing a user session.
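The mismatch described above (a role set cached at login versus grants that expire mid-session), as an added illustration that is not part of the patent text: a constructed role hierarchy whose grants carry effective windows, a session that freezes its role set at login, and a privilege check that re-filters the cached windows at request time instead of re-establishing the session. All user, role and privilege names and all dates are hypothetical, and the date-aware check is one possible approach, not the method claimed here.

```python
from datetime import datetime

# Constructed sample standing in for the database; all names are hypothetical.
# A grant (grantee, role, start, end) gives the role to a user or to another
# role, effective only during [start, end).
GRANTS = [
    ("user:contractor", "role:contract_dev", datetime(2024, 1, 1), datetime(2024, 4, 1)),
    ("role:contract_dev", "role:developer", datetime(2023, 1, 1), datetime(2030, 1, 1)),
    ("role:developer", "role:reader", datetime(2023, 1, 1), datetime(2030, 1, 1)),
    ("user:alice", "role:developer", datetime(2023, 1, 1), datetime(2030, 1, 1)),
]
PRIVILEGES = {"role:developer": {"write"}, "role:reader": {"read"}}

def effective_windows(principal, grants=GRANTS):
    """Resolve the hierarchy once (the costly login-time step). Returns
    {role: [(start, end), ...]}; each window is the intersection of the grant
    windows along one path, so a role inherited via a time-limited grant inherits
    that limit."""
    windows = {}
    stack = [(principal, None, None)]  # (node, window start, window end)
    while stack:
        node, lo, hi = stack.pop()
        for grantee, role, start, end in grants:
            if grantee != node:
                continue
            nlo = start if lo is None else max(lo, start)
            nhi = end if hi is None else min(hi, end)
            # Skip empty windows and paths already recorded (cycle guard).
            if nlo >= nhi or (nlo, nhi) in windows.get(role, []):
                continue
            windows.setdefault(role, []).append((nlo, nhi))
            stack.append((role, nlo, nhi))
    return windows

def roles_active_at(windows, when):
    return {r for r, ws in windows.items() if any(lo <= when < hi for lo, hi in ws)}

class Session:
    """Per-user session data built once at login, as the background describes."""
    def __init__(self, user, login_time):
        self.windows = effective_windows(user)
        self.roles_at_login = roles_active_at(self.windows, login_time)

    def has_privilege_cached(self, priv):
        """Naive check: the role set frozen at login never expires (the problem)."""
        return any(priv in PRIVILEGES.get(r, ()) for r in self.roles_at_login)

    def has_privilege(self, priv, now):
        """Date-aware check: re-filter the cached windows at request time, so an
        expired grant drops out without re-reading the database."""
        return any(priv in PRIVILEGES.get(r, ()) for r in roles_active_at(self.windows, now))
```

Because the contractor's `developer` and `reader` roles are reached only through the time-limited `contract_dev` grant, their cached windows end with the contract, and the date-aware check denies `write` after 2024-04-01 while the login-time cache still grants it.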