In a typical replication system, information is stored at each replication site of a group of replication sites, information changes may be made at any site of the group, and information changes made at one site are propagated to the rest of the group. A replication system typically either employs a “synchronous” replication scheme or an “asynchronous” replication scheme for propagating an information change made at one site to the rest of the sites in the group.
With typical synchronous replication schemes, each information change is applied at all sites in the group immediately or at none of the sites if one or more of the sites in the group cannot accept the information change. For example, one of the sites may be offline or unavailable. Many synchronous replication schemes are implemented using a two-phase commit protocol.
In contrast, with typical asynchronous replication schemes, an information change made at a site is immediately accepted at that site but propagation of the information change to other sites in the group may be deferred. Because propagation of information changes may be deferred, if one or more of the sites in the group are temporarily unavailable, the available sites in the group can continue to accept information changes until they can be propagated to the rest of the group. For this reason, a replication system employing an asynchronous replication scheme is typically considered to be more highly available than one employing a synchronous replication scheme. However, asynchronous replication brings with it the possibility of information change conflicts that occur as a result of concurrent conflicting information changes at different replication sites.
Computer databases are a common mechanism for storing information on computer systems at replication sites while providing access to the stored information to users. A typical database is an organized collection of information stored as “objects” or “records” having “properties” or “fields”. As an example, a database of criminal suspects may have an object for each suspect where each object contains properties designating specifics about the suspect, such as eye color, hair color, height, sex, etc.
Operating on the actual database itself (i.e., the organized information actually stored on a storage device) there is typically a software-based database management system or DBMS that, among other operations, processes requests from users for access to information in the database. Users may interact indirectly with the DBMS through a database application that in turn interacts directly with the DBMS to provide high level database operations to users, such as analyzing, integrating, and visualizing database information. However, the distinction between DBMS and database application is not clear cut and functionality provided by one may be provided by the other. Consequently, in this description, the term “nexus” will be used to refer broadly to any software that operates directly or indirectly on the actual database itself. A nexus may include a DBMS, a database application or applications, or components thereof.
Each day more and more organizations and businesses base their operations on mission-critical nexuses that retrieve information in databases. As a result, carrying out the operations of the organization or business often requires many users at different levels within the organization or business to access information in the database. Because information in the database may be sensitive (e.g., social security numbers, troop locations, medical histories, etc.), organizations and business need to protect themselves against unauthorized access to the sensitive database information.
One possible approach for protecting against unauthorized access to sensitive information in a database is to label sensitive database information with a classification comprising one or more classification markings. A classification marking is data associated with sensitive information in a database that indicates a necessary classification marking a user must be authorized for in order to access the sensitive information. The possible classification markings are typically specific to a particular classification scheme and may be hierarchical according to authorization level. For example, one classification scheme may have as the highest classification marking, Top Secret (TS), followed by Secret (S), followed by Confidential (C), followed by Restricted (R), and finally Unclassified (U). A user authorized for classification marking Secret (S) can access sensitive information with a classification marking of Secret (S), Confidential (C), Restricted (R), or Unclassified (U) but not Top Secret (TS). The foregoing classification markings are NOTIONAL ONLY and provided solely for example purposes.
Today, businesses and organizations need to share sensitive database information not only with users within their business or organization but also with other businesses and organizations. Unfortunately, different businesses and organizations may use different classification schemes for information access control. Further, some businesses and organizations may not use a classification scheme at all. With regard to database replication, this poses a special set of problems. In particular, a classification marking under one classification scheme may have no inherent equivalent in another information access control scheme. Nevertheless, it is desirable to provide support for replication of sensitive information between databases the use different classification schemes. It is also desirable to provide support for replication of sensitive information between a database that uses a classification scheme for information access control and one that does not. Given these expectations, that is great interest in providing a replication solution for sharing sensitive information between nexuses that use different classification schemes for information access control.
The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.